I do want this to be a somewhat realistic pentest, but I don't want exploits thrown at the server or the server's vulnerabilities exploited (if any are found). This may be a task for later after considering what is found.
Related to #9 but is slightly different.
#9 deals with what users can access. This deals with any problems apparent from what the users can access.
Examples
What can a user do with access to GitLab?
What can a user do with another user's VPN config / cert?
What can a user do if they can access X?
Are there any vulnerabilities with application X?
Can these be mitigated?
Is there a different application we can use?
Are there processes we can use to be more secure?
Deliverables
Organized notes of findings.
How can these findings be mitigated?
Any other notes that would be important in explaining your findings and how we can prevent these problems.