How to use the checklist
The interactive checklist is built for the real assessment loop: scope, work through controls, record findings, and confirm nothing was skipped.
The loop
- Pick a platform. Choose Web Application, API, or Mobile. Each platform is organised into categories → technologies → checks. Expand and collapse categories and technologies to navigate; every section shows its item count, and Expand all / Collapse all are one click away.
- Jump with search. Press ⌘K / Ctrl+K from any page to search every platform, category, technology, check, tool, and reference. Selecting a result jumps straight to it, expands the right sections, and highlights the item.
- Scope & recon first. Start with Information Gathering to map the stack, endpoints, and entry points. What you find tells you which technologies matter.
- Filter to your surface. Use the severity and status filters to focus. When time is short, filter to High and Critical first.
- Work top to bottom. Expand a check to read what to verify and why, follow the references, then tick it when you've assessed the control (pass or finding).
- Take notes as you go. Each item has a notes field: record payloads, request IDs, and evidence. Notes are saved in your browser.
- Export your evidence. The Export button produces a Markdown summary of your progress and notes that you can paste into a report or attach to an engagement folder.
What "checked" means
A checked item means you assessed this control, not necessarily that it passed. Use the notes field to record the outcome. The checklist tracks coverage; your notes track findings.
Privacy
There is no backend. Progress and notes live in your browser's localStorage and are never transmitted. Clearing site data (or the Reset button) wipes them.
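To make the Export and Privacy sections concrete, here is an added example (not the checklist's own source) of how a backend-less checklist can keep per-item "checked" state and notes in localStorage, filter coverage by severity, and render the same data as a Markdown summary. The storage key, the state shape, the item ids and the sample checks are assumptions constructed for the example; a `memoryStorage()` shim stands in for the browser when running under Node.

```javascript
// Added illustration, not the checklist's own code. Key name, state shape and
// sample items are assumptions; the real tool may differ.

const STORAGE_KEY = 'checklist-progress'; // assumed key, not the real one

// Constructed sample of checks in the platform > category > check shape.
const SAMPLE_ITEMS = [
  { id: 'web-info-gathering-fingerprint', platform: 'Web Application', category: 'Information Gathering',
    check: 'Fingerprint the web server and framework', severity: 'info' },
  { id: 'web-authn-lockout', platform: 'Web Application', category: 'Authentication',
    check: 'Verify login rate limiting and account lockout', severity: 'high' },
  { id: 'api-authz-object-level', platform: 'API', category: 'Authorization',
    check: 'Verify object-level authorization on resource endpoints', severity: 'critical' },
];

// In-memory stand-in with the localStorage methods used below (for Node or tests).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// In a browser, default to window.localStorage; otherwise require an explicit store.
function defaultStorage() {
  if (typeof globalThis.localStorage !== 'undefined') return globalThis.localStorage;
  throw new Error('no localStorage available; pass a storage object explicitly');
}

// Load state; corrupted or missing data yields an empty state instead of a crash.
function loadState(storage = defaultStorage()) {
  const raw = storage.getItem(STORAGE_KEY);
  if (!raw) return { items: {} };
  try {
    const parsed = JSON.parse(raw);
    return parsed && typeof parsed.items === 'object' && parsed.items !== null ? parsed : { items: {} };
  } catch {
    return { items: {} };
  }
}

function saveState(state, storage = defaultStorage()) {
  storage.setItem(STORAGE_KEY, JSON.stringify(state));
}

// "checked" records that the control was assessed (coverage), not that it passed;
// the outcome goes in notes. Omitted fields keep their previous value.
function setCheck(itemId, { checked, notes } = {}, storage = defaultStorage()) {
  const state = loadState(storage);
  const prev = state.items[itemId] || { checked: false, notes: '' };
  state.items[itemId] = { checked: checked ?? prev.checked, notes: notes ?? prev.notes };
  saveState(state, storage);
  return state.items[itemId];
}

// Reset: remove everything, the same effect as clearing site data.
function resetProgress(storage = defaultStorage()) {
  storage.removeItem(STORAGE_KEY);
}

// Coverage over all items, or only those whose severity is in `severities`.
function coverage(items, state, severities = null) {
  const inScope = severities ? items.filter((i) => severities.includes(i.severity)) : items;
  const checked = inScope.filter((i) => state.items[i.id] && state.items[i.id].checked).length;
  return { checked, total: inScope.length };
}

// Markdown export: one section per platform, a task-list line per check, notes indented.
function exportMarkdown(items, state) {
  const lines = ['# Assessment progress', ''];
  const byPlatform = new Map();
  for (const item of items) {
    if (!byPlatform.has(item.platform)) byPlatform.set(item.platform, []);
    byPlatform.get(item.platform).push(item);
  }
  for (const [platform, list] of byPlatform) {
    const { checked, total } = coverage(list, state);
    lines.push(`## ${platform} (${checked}/${total} assessed)`, '');
    for (const item of list) {
      const entry = state.items[item.id] || { checked: false, notes: '' };
      lines.push(`- [${entry.checked ? 'x' : ' '}] **${item.severity}** ${item.category}: ${item.check}`);
      if (entry.notes) lines.push(`  - Notes: ${entry.notes.replace(/\r?\n/g, ' ')}`);
    }
    lines.push('');
  }
  return lines.join('\n');
}

// Stand-alone demo using the in-memory store.
const demoStore = memoryStorage();
setCheck('web-authn-lockout', { checked: true, notes: 'lockout after 5 attempts; finding: no rate limit on reset' }, demoStore);
console.log(exportMarkdown(SAMPLE_ITEMS, loadState(demoStore)));
```

Because notes hold evidence such as payloads and request IDs, the browser profile that stores them is part of the engagement's evidence handling: anyone with access to that profile can read them, and Reset or clearing site data destroys them irrecoverably, so export before you clear.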
Severity
Each check carries a typical severity (critical to info) for the control it covers. Treat it as a prioritisation hint, not a verdict: real severity depends on the application's context and the exploitability you demonstrate.