Penetration Tester Guide
Objective
Run penetration tests with consistent evidence quality, fast reporting, and effective vulnerability lifecycle tracking in Conviso Platform.
Main responsibilities
- Identify and validate exploitable vulnerabilities.
- Register clear technical evidence and reproduction steps.
- Keep findings updated during retest cycles.
- Ensure vulnerabilities are correctly tracked until closure.
Follow-up routine
- Review active pentest scopes and priorities.
- Register new validated findings with complete evidence.
- Retest previously reported vulnerabilities.
- Update statuses according to retest results.
- Flag blocked items that require engineering or management escalation.
- Check for duplicate findings and merge them where needed.
- Verify that reported fixes hold up in new scan cycles.
- Publish a concise testing progress summary.
Core workflows in Conviso
- CLI-based scan workflow: New CLI
- Vulnerability lifecycle management: Vulnerabilities
- Scope and target management: Projects
- Validation tracking and execution evidence: Requirements
- Burp extension workflow: Burp Integration
Defect tracker integration
Integrate Conviso Platform with your issue management tool using Defect/Bug Tracking integrations to synchronize and manage vulnerabilities in your team workflow.
Automation with CLI and API
Use the New CLI and the API to automate data collection, run standardized commands during testing cycles, and integrate results with team workflows.
Management and collaboration tools
- Notifications for finding updates, retest status, and team interaction: Notifications Center
Recommended KPIs
- Findings validated per cycle.
- Retest closure rate.
- Reopen rate after retest.
- Average time from finding submission to triage.
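These KPIs are only comparable across cycles if everyone computes them the same way. The following is an added example, not Conviso Platform code or its API: it fixes one definition for each of the four KPIs and computes them over a small constructed findings export. The record schema, the field names and the denominators chosen for each rate are assumptions of this example, not something the platform prescribes.

```python
from datetime import datetime
from statistics import mean

# Constructed sample export (not real Conviso data). Each record is one finding
# as a tester tracks it across cycles: when it was submitted, when triage
# accepted or rejected it, the ordered retest results, and whether it was
# reopened after a retest had closed it.
SAMPLE_FINDINGS = [
    {"id": "F-1", "cycle": "2024-Q3", "validated": True,
     "submitted_at": "2024-07-01T09:00:00Z", "triaged_at": "2024-07-01T15:00:00Z",
     "retests": ["still_exploitable", "fixed"], "reopened_after_retest": False},
    {"id": "F-2", "cycle": "2024-Q3", "validated": True,
     "submitted_at": "2024-07-02T10:00:00Z", "triaged_at": "2024-07-03T10:00:00Z",
     "retests": ["fixed"], "reopened_after_retest": True},
    {"id": "F-3", "cycle": "2024-Q3", "validated": False,  # rejected as a false positive
     "submitted_at": "2024-07-02T12:00:00Z", "triaged_at": "2024-07-02T18:00:00Z",
     "retests": [], "reopened_after_retest": False},
    {"id": "F-4", "cycle": "2024-Q4", "validated": True,
     "submitted_at": "2024-10-05T08:00:00Z", "triaged_at": None,  # not yet triaged
     "retests": ["still_exploitable"], "reopened_after_retest": False},
]


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp; the replace keeps older Pythons happy with 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def validated_per_cycle(findings):
    """Findings validated per cycle: count of validated findings, keyed by cycle."""
    counts = {}
    for f in findings:
        if f["validated"]:
            counts[f["cycle"]] = counts.get(f["cycle"], 0) + 1
    return counts


def retest_closure_rate(findings):
    """Retest closure rate: share of retested findings whose latest retest is 'fixed'.

    Returns None when nothing has been retested, rather than dividing by zero.
    """
    retested = [f for f in findings if f["retests"]]
    if not retested:
        return None
    closed = sum(1 for f in retested if f["retests"][-1] == "fixed")
    return closed / len(retested)


def reopen_rate_after_retest(findings):
    """Reopen rate: share of findings closed by a retest that were later reopened."""
    closed = [f for f in findings if "fixed" in f["retests"]]
    if not closed:
        return None
    return sum(1 for f in closed if f["reopened_after_retest"]) / len(closed)


def avg_hours_to_triage(findings):
    """Average hours from submission to triage, over findings that have been triaged."""
    deltas = [
        (_parse(f["triaged_at"]) - _parse(f["submitted_at"])).total_seconds() / 3600
        for f in findings
        if f["triaged_at"]
    ]
    return mean(deltas) if deltas else None


def compute_kpis(findings):
    """Compute all four recommended KPIs in one pass for a progress summary."""
    return {
        "validated_per_cycle": validated_per_cycle(findings),
        "retest_closure_rate": retest_closure_rate(findings),
        "reopen_rate_after_retest": reopen_rate_after_retest(findings),
        "avg_hours_to_triage": avg_hours_to_triage(findings),
    }


if __name__ == "__main__":
    for name, value in compute_kpis(SAMPLE_FINDINGS).items():
        print(f"{name}: {value}")
```

Note that the rates use different denominators on purpose: closure is measured against everything retested, while the reopen rate is measured only against findings a retest had actually closed. Publishing the definitions alongside the numbers avoids the two being compared as if they shared a base.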
Playbooks
Vulnerability fixed by development team
- Reproduce the original scenario under the same preconditions recorded in the finding (environment, account and role, payload).
- Confirm whether the vulnerability is still exploitable.
- Update finding status and evidence in Conviso.
- Document retest outcome and residual risk if applicable.
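The retest playbook above becomes repeatable when the original PoC is kept in a replayable form and the outcome is recorded in a structured way. The following is an added example, not code from Conviso or from this guide: it replays a constructed reflected-XSS reproduction against two stand-in targets, one modelling the application as originally tested and one modelling it after the development fix, and emits a retest record with the status and a hash of the observed response. The finding record, the identifier, the indicator regex and the stand-in applications are all constructed for the example.

```python
import hashlib
import html
import re
from datetime import datetime, timezone

# Constructed finding record: the original PoC captured at submission time.
# The target is modelled as a callable (path, params) -> response body so the
# harness runs offline; in a real retest this would be an HTTP request.
ORIGINAL_FINDING = {
    "id": "F-42",  # hypothetical identifier
    "title": "Reflected XSS in search parameter",
    "reproduction": {"path": "/search", "params": {"q": "<script>alert(1)</script>"}},
    # Exploitation indicator: the payload reflected without HTML encoding.
    "indicator": re.compile(r"<script>alert\(1\)</script>"),
}


def vulnerable_app(path, params):
    """Constructed stand-in for the application as originally tested."""
    return f"<h1>Results for {params.get('q', '')}</h1>"


def patched_app(path, params):
    """Constructed stand-in for the application after the development fix."""
    return f"<h1>Results for {html.escape(params.get('q', ''))}</h1>"


def retest(finding, target, now=None):
    """Replay the original reproduction steps and classify the outcome.

    Returns a retest record to attach to the finding: the status, the exact
    request replayed, a SHA-256 of the observed response so the evidence can be
    verified later, and a short excerpt for the reviewer.
    """
    repro = finding["reproduction"]
    body = target(repro["path"], repro["params"])
    exploitable = finding["indicator"].search(body) is not None
    now = now or datetime.now(timezone.utc)
    return {
        "finding_id": finding["id"],
        "retested_at": now.isoformat(),
        "status": "still_exploitable" if exploitable else "fixed",
        "request": repro,
        "response_sha256": hashlib.sha256(body.encode()).hexdigest(),
        "response_excerpt": body[:200],
    }


if __name__ == "__main__":
    for label, app in (("before fix", vulnerable_app), ("after fix", patched_app)):
        record = retest(ORIGINAL_FINDING, app)
        print(label, record["status"], record["response_sha256"][:12])
```

The indicator is deliberately tied to the exact behaviour that made the finding exploitable, not to the payload string alone: the patched target still contains the payload text, but encoded, so a naive substring check would wrongly report it as still exploitable.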
High-impact finding during active pentest
- Confirm exploitability and impact.
- Register complete evidence immediately.
- Escalate to responsible owner and security leadership.
- Track mitigation/fix and schedule retest.