Pentest Engagement Handbook

A tool-by-tool walkthrough of how I run an external network/web pentest by hand — the same workflow Arsenic automates.

This handbook is about the methodology and tooling of a pentest engagement, not the Arsenic CLI. Every step here is something you can run by hand with off-the-shelf tools. Arsenic just glues these steps together and keeps the output organized; this is my attempt to write down what it’s gluing together and why.

If you only want to drive Arsenic, the Arsenic docs cover that.

Who this is for

This started as the runbook I built for myself while studying for the OSCP. I kept hardening it into a repeatable process while running a pentest team, and this is where it landed. It assumes you can use a shell, read tool output, and that you have written authorization for every target you point these tools at.

How an engagement flows

A network/web engagement moves through five phases, and each one feeds the next. You turn a handful of in-scope roots into a full asset inventory, then a service map, then a list of likely weaknesses, then confirmed findings.

Phase | Goal | Page
1. Setup | Scope, rules of engagement, workspace, toolbox | Engagement Setup
2. Discovery | Turn scope into a complete asset inventory | Discovery
3. Recon | Map services, web surface, and content | Recon
4. Hunting | Find likely vulnerabilities at scale | Vulnerability Hunting
5. Reporting | Capture evidence and write it up | Evidence & Reporting

The phases are a loop, not a line. Discovery surfaces new domains, which expand scope, which feeds discovery again. Recon turns up a forgotten admin panel that becomes a new lead. I’ve found it’s easiest to settle into the loop and keep re-running the cheap steps as scope grows.
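The one piece of glue the loop depends on is a scope gate: every name that discovery surfaces has to be checked against the in-scope roots (and any written exclusions) before it is fed back into the next round, and only names not already in the inventory should be appended. Below is an added example of that gate in plain POSIX shell; it is not code from Arsenic or this handbook, and the file names, the `in_scope`/`merge_new` helpers and the sample domains are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Scope gate for the discovery loop. Keeps only names that are an in-scope
# root or a subdomain of one, drops names on the written exclusion list, and
# appends only names not already in the inventory (the same "new lines only"
# idea as anew). Helper names and all file layouts are assumptions.

# in_scope NAME ROOTS_FILE EXCLUDE_FILE -> exit 0 if NAME may be tested
in_scope() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  roots="$2"; exclude="$3"
  # Written exclusions win over everything else (e.g. a third-party host
  # that happens to live under an in-scope root).
  if grep -qxF "$name" "$exclude" 2>/dev/null; then return 1; fi
  while read -r root; do
    [ -z "$root" ] && continue
    root=$(printf '%s' "$root" | tr 'A-Z' 'a-z')
    # Exact root, or NAME ends in ".ROOT". A plain suffix test would be
    # wrong: "evil-example.com" must not match the root "example.com".
    if [ "$name" = "$root" ] || [ "${name%.$root}" != "$name" ]; then
      return 0
    fi
  done < "$roots"
  return 1
}

# merge_new CANDIDATES ROOTS EXCLUDE INVENTORY
# Prints each newly accepted name and appends it to INVENTORY.
merge_new() {
  cand="$1"; roots="$2"; exclude="$3"; inv="$4"
  touch "$inv"
  sort -u "$cand" | while read -r raw; do
    [ -z "$raw" ] && continue
    in_scope "$raw" "$roots" "$exclude" || continue
    name=$(printf '%s' "$raw" | tr 'A-Z' 'a-z')
    grep -qxF "$name" "$inv" && continue   # already in the inventory
    printf '%s\n' "$name" | tee -a "$inv"
  done
}
```

Run it after each discovery pass (`merge_new new-names.txt scope-roots.txt exclusions.txt inventory.txt`) and feed only its output into the next round, so nothing outside the written scope ever reaches the active tools.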

The toolchain at a glance

Here’s the full set of tools the handbook uses, grouped by phase. Where a tool Arsenic originally shipped has since aged out, I’ve noted what I reach for now. The Toolbox Reference has the install commands and the full mapping.

  • Discovery: amass, subfinder, crt.sh, dnsx (replaces fast-resolv), nmap -sn, naabu
  • Recon: nmap, naabu, httpx, gowitness (replaces aquatone), ffuf, feroxbuster
  • Hunting: nuclei, searchsploit, nuclei/subzy for takeovers
  • Glue: jq, mlr (miller), anew, SecLists wordlists

Using these docs in Docsy

This folder is a self-contained Docsy content section. Drop it into your site under content/en/ (or wherever your docs live) and it renders as a top-level section. Page ordering comes from the weight front matter on each file, so you reorder by editing weights rather than renaming files.

One reminder before you start: everything here is for authorized testing only. Active scans — port scans, brute force, fuzzing, nuclei — generate traffic that’s trivially attributable to you and can knock fragile services over. Get scope, rate limits, and blackout windows in writing before you run any of it against a live target.


Engagement Setup

Scope, rules of engagement, a tracked workspace, and a working toolbox — everything before the first packet leaves your box.

Discovery

Turn a handful of in-scope roots into a complete, validated inventory of domains and live hosts.

Recon

Map every live host’s services, web surface, and content into a per-host picture you can attack.

Vulnerability Hunting

Turn your service and web inventory into a prioritized list of likely vulnerabilities, at scale.

Evidence & Reporting

Capture proof as you go, structure findings consistently, and turn a pile of scan output into a deliverable.

Toolbox Reference

Install commands for the full toolchain, plus a mapping from the tools Arsenic originally automated to what I use now.

Last modified July 4, 2026: Post/mobi (#71) (ff64902)