Engagement Setup
Scope, rules of engagement, a tracked workspace, and a working toolbox — everything before the first packet leaves your box.
This handbook is about the methodology and tooling of a pentest engagement, not the Arsenic CLI. Every step here is something you can run by hand with off-the-shelf tools. Arsenic just glues these steps together and keeps the output organized; this is my attempt to write down what it’s gluing together and why.
If you only want to drive Arsenic, the Arsenic docs cover that.
This started as the runbook I built for myself while studying for the OSCP. I kept hardening it into a repeatable process while running a pentest team, and this is where it landed. It assumes you can use a shell, read tool output, and that you have written authorization for every target you point these tools at.
A network/web engagement moves through five phases, and each one feeds the next. You turn a handful of in-scope roots into a full asset inventory, then a service map, then a list of likely weaknesses, then confirmed findings.
| Phase | Goal | Page |
|---|---|---|
| 1. Setup | Scope, rules of engagement, workspace, toolbox | Engagement Setup |
| 2. Discovery | Turn scope into a complete asset inventory | Discovery |
| 3. Recon | Map services, web surface, and content | Recon |
| 4. Hunting | Find likely vulnerabilities at scale | Vulnerability Hunting |
| 5. Reporting | Capture evidence and write it up | Evidence & Reporting |
The phases are a loop, not a line. Discovery surfaces new domains, which expand scope, which feeds discovery again. Recon turns up a forgotten admin panel that becomes a new lead. I’ve found it’s easiest to settle into the loop and keep re-running the cheap steps as scope grows.
Here’s the full set of tools the handbook uses, grouped by phase. Where a tool Arsenic originally shipped has since aged out, I’ve noted what I reach for now. The Toolbox Reference has the install commands and the full mapping.
- Discovery: amass, subfinder, crt.sh, dnsx (replaces fast-resolv), nmap -sn, naabu
- Recon: nmap, naabu, httpx, gowitness (replaces aquatone), ffuf, feroxbuster
- Hunting: nuclei, searchsploit, nuclei/subzy for takeovers
- Utilities: jq, mlr (miller), anew, SecLists wordlists

This folder is a self-contained Docsy content section. Drop it into your site under `content/en/` (or wherever your docs live) and it renders as a top-level section. Page ordering comes from the `weight` front matter on each file, so you reorder by editing weights rather than renaming files.
One reminder before you start: everything here is for authorized testing only. Active scans — port scans, brute force, fuzzing, nuclei — generate traffic that’s trivially attributable to you and can knock fragile services over. Get scope, rate limits, and blackout windows in writing before you run any of it against a live target.
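The "scope in writing" rule is easiest to enforce when a script, not a human, decides what reaches the scanners. The scope gate below is an added example for this handbook (not Arsenic code); the in-scope roots, exclusions and candidate hosts are constructed, and it assumes scope is given as domains and CIDRs and exclusions as hostnames and CIDRs.

```python
"""Scope gate: keep only discovered targets inside the written in-scope roots
and outside the exclusion list, and say why everything else was dropped."""
import ipaddress

# Constructed stand-ins for what a statement of work would list.
SCOPE_ROOTS = {"example.com", "10.10.0.0/16"}
EXCLUSIONS = {"payments.example.com", "10.10.5.0/24"}

# Constructed discovery output, including look-alikes that must NOT pass.
CANDIDATES = [
    "www.example.com", "10.10.3.7", "api.example.com.",
    "payments.example.com", "10.10.5.20",
    "example.com.evil.net", "notexample.com", "",
]


def _split(items):
    """Separate CIDR/IP entries from DNS names; names are lower-cased, no trailing dot."""
    nets, names = [], set()
    for item in items:
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            names.add(item.lower().rstrip("."))
    return nets, names


def _matches(target, nets, names):
    """IPs match by network membership; names match exactly or as a subdomain."""
    try:
        return any(ipaddress.ip_address(target) in n for n in nets)
    except ValueError:
        return target in names or any(target.endswith("." + n) for n in names)


def filter_scope(candidates, roots=SCOPE_ROOTS, exclusions=EXCLUSIONS):
    """Return (in_scope, rejected); rejected maps each dropped target to a reason."""
    in_nets, in_names = _split(roots)
    ex_nets, ex_names = _split(exclusions)
    kept, rejected = [], {}
    for raw in candidates:
        target = raw.strip().lower().rstrip(".")
        if not target:
            continue
        if _matches(target, ex_nets, ex_names):      # exclusions win over scope
            rejected[target] = "excluded"
        elif _matches(target, in_nets, in_names):
            kept.append(target)
        else:
            rejected[target] = "out of scope"
    return kept, rejected


if __name__ == "__main__":
    ok, bad = filter_scope(CANDIDATES)
    print("\n".join(ok))                      # feed this list to the scanners
    for t, why in bad.items():
        print(f"# dropped {t}: {why}")
```

Feed the kept list to the active tools and keep the rejected list with its reasons in the workspace, so the audit trail shows what was deliberately not touched.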
- Engagement Setup: Scope, rules of engagement, a tracked workspace, and a working toolbox — everything before the first packet leaves your box.
- Discovery: Turn a handful of in-scope roots into a complete, validated inventory of domains and live hosts.
- Recon: Map every live host’s services, web surface, and content into a per-host picture you can attack.
- Vulnerability Hunting: Turn your service and web inventory into a prioritized list of likely vulnerabilities, at scale.
- Evidence & Reporting: Capture proof as you go, structure findings consistently, and turn a pile of scan output into a deliverable.
- Toolbox Reference: Install commands for the full toolchain, plus a mapping from the tools Arsenic originally automated to what I use now.