Penetration Tester Guide
Objective
Execute penetration testing with consistent evidence quality, fast reporting, and effective vulnerability lifecycle tracking in Conviso Platform.
Main responsibilities
- Identify and validate exploitable vulnerabilities.
- Register clear technical evidence and reproduction steps.
- Keep findings updated during retest cycles.
- Ensure vulnerabilities are correctly tracked until closure.
Follow-up routine
- Review active pentest scopes and priorities.
- Register new validated findings with complete evidence.
- Retest previously reported vulnerabilities.
- Update statuses according to retest results.
- Flag blocked items that require engineering or management escalation.
- Check duplicate findings and merge where needed.
- Verify fix confirmation in new scan cycles.
- Publish a concise testing progress summary.
Core workflows in Conviso
- CLI-based scan workflow: New CLI
- Access the vulnerability queue: Vulnerabilities
- Understand lifecycle and statuses: Workflow Status
- Follow validation and retest flow: Process
- Scope and target management: Projects
- Project execution flow: Process
- Project status model: Workflow Status
- Validation tracking and execution evidence: Requirements
- Burp extension workflow: Burp Integration
Defect tracker integration
Integrate Conviso Platform with your issue management tool using Defect/Bug Tracking integrations to synchronize and manage vulnerabilities in your team workflow.
Automation with CLI and API
Use the New CLI and the API to automate data collection, run standardized commands during testing cycles, and feed results into team workflows.
Management and collaboration tool
- Notifications for finding updates, retest status, and team interaction: Notifications Center
Recommended KPIs
- Findings validated per cycle.
- Retest closure rate.
- Reopen rate after retest.
- Average time from finding submission to triage.
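The four KPIs above are easy to state but only useful when computed the same way every cycle. The following Python block is an added example, not part of this guide and not Conviso's data model or API: it defines a minimal finding record (the `Finding` class, its fields and the retest outcome labels `"fixed"` / `"still_vulnerable"` are all constructed here) and computes each KPI from a constructed sample so the definitions are unambiguous, including the edge cases of findings never retested or never triaged.

```python
"""Compute pentest KPIs from finding records.

Added example with constructed data; the record layout and outcome labels are
assumptions for illustration, not Conviso Platform's own schema or API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Finding:
    fid: str
    cycle: int                      # pentest cycle in which the finding was validated
    submitted_at: datetime
    triaged_at: Optional[datetime]  # None while the finding is still waiting for triage
    # Retest outcomes in chronological order: "fixed" or "still_vulnerable"
    retest_results: List[str] = field(default_factory=list)


def findings_validated_per_cycle(findings: List[Finding]) -> Dict[int, int]:
    """Number of validated findings registered in each pentest cycle."""
    counts: Dict[int, int] = {}
    for f in findings:
        counts[f.cycle] = counts.get(f.cycle, 0) + 1
    return counts


def retest_closure_rate(findings: List[Finding]) -> float:
    """Share of retested findings whose most recent retest confirmed the fix."""
    retested = [f for f in findings if f.retest_results]
    if not retested:
        return 0.0
    closed = sum(1 for f in retested if f.retest_results[-1] == "fixed")
    return closed / len(retested)


def reopen_rate_after_retest(findings: List[Finding]) -> float:
    """Share of findings once confirmed fixed that a later retest found vulnerable again."""
    once_fixed = [f for f in findings if "fixed" in f.retest_results]
    if not once_fixed:
        return 0.0
    reopened = 0
    for f in once_fixed:
        first_fix = f.retest_results.index("fixed")
        if "still_vulnerable" in f.retest_results[first_fix + 1:]:
            reopened += 1
    return reopened / len(once_fixed)


def average_time_to_triage(findings: List[Finding]) -> Optional[float]:
    """Mean submission-to-triage delay in hours; None when nothing has been triaged yet."""
    delays = [f.triaged_at - f.submitted_at for f in findings if f.triaged_at is not None]
    if not delays:
        return None
    total = sum(delays, timedelta())
    return total.total_seconds() / 3600 / len(delays)


# Constructed sample: five findings over two cycles, all submitted at the same time.
T0 = datetime(2024, 1, 10, 9, 0)
SAMPLE = [
    Finding("F-1", 1, T0, T0 + timedelta(hours=4), ["fixed"]),
    Finding("F-2", 1, T0, T0 + timedelta(hours=8), ["still_vulnerable", "fixed"]),
    Finding("F-3", 1, T0, T0 + timedelta(hours=12), ["fixed", "still_vulnerable"]),
    Finding("F-4", 2, T0, None, ["still_vulnerable"]),   # not yet triaged
    Finding("F-5", 2, T0, T0 + timedelta(hours=24), []),  # never retested
]


def kpi_report(findings: List[Finding] = SAMPLE) -> dict:
    """All four KPIs for one set of findings."""
    return {
        "validated_per_cycle": findings_validated_per_cycle(findings),
        "retest_closure_rate": retest_closure_rate(findings),
        "reopen_rate_after_retest": reopen_rate_after_retest(findings),
        "avg_hours_to_triage": average_time_to_triage(findings),
    }


if __name__ == "__main__":
    for name, value in kpi_report().items():
        print(f"{name}: {value}")
```

Note the two definitional choices that change the numbers: closure rate counts only findings that were actually retested (so F-5 does not dilute it), and the reopen rate counts a finding as reopened only if a "still_vulnerable" result follows a "fixed" one, so F-2 (vulnerable first, then fixed) is a closure, not a reopen.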
Playbooks
Vulnerability fixed by development team
- Reproduce original scenario.
- Confirm whether the vulnerability is still exploitable.
- Update finding status and evidence in Conviso.
- Document retest outcome and residual risk if applicable.
High-impact finding during active pentest
- Confirm exploitability and impact.
- Register complete evidence immediately.
- Escalate to responsible owner and security leadership.
- Track mitigation/fix and schedule retest.