359 pages | 731 code examples | 37+ compliance frameworks
The entire playbook is available to read right here on GitHub in Markdown format. No paywall, no signup.
| File | Description |
|---|---|
| pentest_playbook_complete.md | Full playbook — all phases + all appendices in one file |
| appendix_k_compliance.md | Standalone compliance appendix (37+ frameworks) |
Start reading: pentest_playbook_complete.md
Want a clean, printable PDF with terminal-accurate code blocks and professional formatting?
A comprehensive, practical penetration testing field guide written for people who are learning — and people who test professionally and need a structured reference. It covers every phase of a real engagement from environment setup through to final report delivery, with every command explained, not just listed.
Legal Notice: Everything in this playbook is for use in authorised penetration testing only. Running these techniques against systems you do not own, or do not have explicit written permission to test, is a criminal offence in most jurisdictions. Always operate under a signed scope document.
| Phase | Topic |
|---|---|
| Phase 0 | Terminal basics, safety, scope, and intent |
| Phase 1 | Environment setup — Kali, workspace, Burp Suite |
| Phase 2 | Reconnaissance — DNS, OSINT, subdomain enumeration |
| Phase 3 | Scanning and enumeration — Nmap, service fingerprinting |
| Phase 4 | Enumeration depth — web apps, APIs, auth testing |
| Phase 5 | Exploitation — SQLi, XSS, SSRF, RCE, auth bypass |
| Phase 6 | Post-exploitation and privilege escalation |
| Phase 7 | Reporting — professional findings, CVSS, remediation |
| Phase 8 | Cleanup and closure |
| Appendix | Topic |
|---|---|
| A | Tool installation guide |
| B | Wordlists reference |
| C | Common ports reference |
| D | Active Directory pentesting |
| E | Burp Suite complete workflow |
| F | Per-phase engagement checklists |
| G | Worked example report |
| H | Evasion and IDS/IPS awareness |
| I | File inclusion and XXE vulnerabilities |
| J | Career guide and next steps |
| K | Global compliance frameworks (37+ frameworks) |
The playbook maps findings to 37+ global regulatory frameworks so you can report correctly for any client context:
- Americas: HIPAA, PCI DSS, FedRAMP, CMMC, NIST SP 800-53/FISMA, SOC 2, HITRUST, GLBA/SOX, SEC Cyber Rules, CCPA/CPRA, Brazil LGPD
- Europe: GDPR, DORA, NIS2, EU Cyber Resilience Act, EU AI Act
- UK: Cyber Essentials, CHECK/ITHC, NCSC CAF
- Asia-Pacific: Australia Essential Eight, SOCI Act, Cyber Security Act 2024, Singapore MAS TRM, Singapore Cybersecurity Act, PDPA, South Korea PIPA/ISMS-P
- Middle East and South Asia: Saudi NCA ECC/CCC, SAMA CSF, NDMO PDPL, India CERT-In, RBI, SEBI CSCRF, IRDAI, DPDP Act
- International: ISO/IEC 27001, OWASP ASVS/WSTG, CIS Controls v8, SWIFT CSP/CSCF v2025
- Industry-specific: TISAX (automotive), ISO/SAE 21434 + UNR 155 (connected vehicles), Japan METI/IPA, FSA, APPI, NISC
Each framework section includes: who it applies to, explicit penetration testing requirements, pre-engagement checklist, breach notification timelines, and exact reporting language to cite in findings.
Testing methodology follows and cross-references:
- OWASP Web Security Testing Guide (WSTG) v4.2
- OWASP Application Security Verification Standard (ASVS) v4.0
- NIST SP 800-115
- PTES (Penetration Testing Execution Standard)
- OWASP Top 10 (2021)
- MITRE ATT&CK
For learning: Start at Phase 0. Every section explains why before how.
For active engagements: Jump to the relevant phase. Use the checklists at the end of each phase as your pre/post confirmation.
For reporting: Open Appendix K, find your client's regulatory context, follow the pre-engagement checklist, then use the reporting language section to cite findings correctly.
For compliance mapping: The Framework Overview Map in K.1 cross-references client type to applicable frameworks in one table. K.33 has every breach notification deadline across all 37+ frameworks in a single reference table.
Pull requests welcome for:
- New framework coverage (Appendix K)
- Updated tool syntax (tools change frequently)
- Additional worked examples
- Corrections to CVE references or framework citations
Please include a source reference for any regulatory or framework additions.
Matt McKee LinkedIn
This playbook is released for educational and professional use. You may use, adapt, and redistribute with attribution. You may not sell it as a standalone product without permission.
Last updated: March 2026. Regulatory content reflects framework status as of early 2026 — always verify current requirements at source before relying on compliance guidance for live engagements.