80-item PDF checklist · OWASP ASVS aligned
Do not sign that pentest SOW until you have answered these 80 questions.
An OWASP-aligned scoping checklist used by security leads at SOC 2 and PCI-regulated companies to avoid paying for a vulnerability scan disguised as a penetration test — with vendor qualification criteria, red flags, and drop-in SOW language.
Why most web app pentests fail before they start
When a customer security questionnaire or a SOC 2 auditor asks for a recent web application penetration test, the first move is usually to email three vendors and ask for a quote. Two of the quotes will come back at wildly different price points. The third will be a slide deck full of certifications and zero detail on what the test will actually cover. Without a scoping framework, the cheapest quote tends to win, and the resulting report — if it is delivered at all — is a scanner output dressed up with a logo and a CVSS rollup. The customer security team that asked for the test rejects the report. The SOC 2 auditor flags the control as a partial implementation. The engineering team that owns remediation is left holding a stack of false positives.
That entire failure mode is preventable in 30 minutes of scoping work. This checklist is the working document our cybersecurity practice uses when we scope a web application penetration test. It is also the document we have given to dozens of security leads who ultimately hired someone else and just wanted to make sure they were buying the right thing. The point is to make the answer defensible, not to push you toward any specific vendor.
Inside the 80-item PDF
- Section 1 — Pre-engagement discovery. 18 questions covering scope inventory (apps, APIs, subdomains, mobile clients), regulatory framework (PCI, HIPAA, SOC 2, FedRAMP, GDPR), environment guardrails, auth roles, and exploitation depth.
- Section 2 — Methodology. 16 questions mapping OWASP ASVS level (1, 2, or 3), OWASP Top 10, OWASP API Top 10 coverage, black-box vs grey-box vs white-box engagement type, manual-vs-automated testing ratio, business logic flaw coverage, and MITRE ATT&CK mapping in the report.
- Section 3 — Vendor qualification. 14 questions on tester credentials (OSCP, GWAPT, GPEN, CREST, OSWE), sample reports, retest scope, E&O insurance, references in your industry, and methodology documentation.
- Section 4 — Deliverables and reporting. 12 questions covering executive summary, technical findings, remediation guidance, CVSS 3.1 scoring, business impact rating, customer-shareable report version, and the remediation retest window (typically 30 to 90 days).
- Section 5 — Timeline and logistics. 6 questions on engagement length, kickoff prep, daily standup cadence, escalation paths, and communication channels.
- Section 6 — Red flags cheat sheet. 8 vendor behaviors that should make you walk: refusal to share tester resumes, scanner-stack-only methodology, no retest in the SOW, exclusion of business logic testing, and several others.
- Section 7 — Drop-in SOW language. 6 paragraphs you can paste into a vendor's statement of work to lock down scope, retest entitlement, deliverable ownership, communication cadence, insurance and indemnification, and an exit clause if the vendor deviates from the agreed methodology.
Who this is for
The checklist is built for four roles. First, CTOs and heads of engineering at SaaS companies whose first SOC 2 audit just landed on the calendar. Second, security leads at 25-to-500-person regulated companies (fintech, healthtech, companies handling PII) who need a defensible answer when a customer asks for a recent pentest report. Third, vCISOs and security consultants who run multiple companies and need a consistent scoping framework. Fourth, IT directors at companies handling payment data who have to navigate the PCI DSS pentest requirement for the first time.
If you have already run a pentest or two and just want a sanity check on the next SOW, the checklist is fast to skim — pull out Sections 2, 3, and 7 and cross-reference them against your current vendor proposal. If you have never bought a pentest before, work through it linearly with the engineering lead who owns the application under test. The cheat-sheet section also pairs well with the MITRE ATT&CK Maturity Worksheet if you are doing a broader security posture review.
What you will learn
You will learn how to distinguish a real pentest from a scan disguised as a pentest before you sign anything. You will learn which OWASP ASVS level matches your data sensitivity and your regulatory framework. You will learn how to negotiate retest terms into the SOW so a finding cannot be marked resolved without a vendor verification step. You will learn which tester credentials actually predict quality (OSCP, GWAPT, OSWE) and which are marketing badges that signal nothing (vague "certified penetration tester" claims with no underlying credential behind them).
On the reporting side, you will know what an executive summary should look like, how CVSS 3.1 scoring interacts with business impact, and what to ask for in a customer-shareable report version so your sales team can use it during enterprise procurement cycles. You will also learn the standard vendor patterns for inflating findings counts — and how to push back when a vendor delivers a 200-finding report where 180 of the findings are informational TLS configuration notes.
Finally, you will have drop-in SOW language. The six paragraphs in Section 7 cover scope lock, retest entitlement, deliverable ownership, communication cadence, insurance, and a kill-switch clause that lets you exit the engagement if the vendor materially deviates from the agreed methodology. Paste these into any vendor SOW. If they push back on Section 7 paragraph 2 (retest entitlement), you have learned something important about that vendor.
How this connects to our work
Our cybersecurity practice runs the same checklist on the inside of every engagement. When we scope a web application pentest, the questions in Section 1 are the first conversation we have with the customer. The deliverables in Section 4 — executive summary, technical findings, CVSS 3.1, customer-shareable version, remediation retest — are what we ship as the default. Sections 2 and 3 are the methodology and credentials standard our team operates under.
If your scope is broader than web app, our network penetration testing service covers the network layer, and our Active Directory pentest service handles identity and privilege escalation testing. For organizations that want a complete posture review rather than a single engagement, our MITRE ATT&CK assessment maps your defenses to the 14 ATT&CK Enterprise tactics — see also the full penetration testing service overview.
Read more about QUANT LAB USA or browse pentest pricing ranges if you want to anchor expectations before scoping. Our cybersecurity blog posts are indexed at the blog — start with the methodology breakdowns if this is your first pentest.
Frequently asked questions
Who is the Web App Pentest Checklist for?
CTOs, heads of engineering, security leads, vCISOs, and SaaS founders scoping a web application penetration test for SOC 2, PCI DSS, HIPAA, FedRAMP, or a customer security questionnaire. Also useful for IT directors at regulated companies who have never bought a pentest before.
What does OWASP-aligned mean in this checklist?
The methodology section maps to OWASP ASVS levels 1, 2, and 3 plus the OWASP Top 10 and OWASP API Top 10. It walks through which ASVS level you need based on your data sensitivity and which coverage gates a vendor should commit to in the SOW.
How is this different from running a vulnerability scan?
A scan reports only what its signature database already knows: known CVEs in fingerprinted components and misconfigurations it can detect without understanding the application. A real pentest combines automated tooling with manual testing of business logic, authentication, authorization, session management, and chained vulnerabilities that no signature describes. The checklist carves out a scanner-vs-pentest gate so vendors cannot price a scan and call it a pentest.
Can I share this checklist with my security vendor?
Yes — and we recommend it. Several SOW language paragraphs are written to be dropped directly into a vendor contract. Sharing the discovery questions signals you have done your homework, which usually produces a sharper proposal.
Does QUANT LAB do pentests, or is this an independent checklist?
QUANT LAB performs web app, network, and Active Directory pentests under our cybersecurity practice. The checklist is methodology-agnostic — the questions and SOW language work with any vendor.
Want a second set of eyes on a pentest SOW you already received?
Reply to the confirmation email with the vendor SOW attached and we will mark it up against the checklist — free. Or book a 20-minute scoping call directly. Read pentest pricing to anchor expectations first.