A practical, interactive security assessment checklist for penetration testers, security researchers, bug bounty hunters, and security engineers — covering 23 platforms with 1,000+ checks. It is a checklist you operate, not just docs you read.
Static, in-browser, and private: everything runs client-side with no login, no backend, no database, and no telemetry. Your progress, notes, and findings live in the browser's localStorage and never leave your machine. The flip side is that localStorage is scoped to one browser profile on one device and is wiped when you clear site data, so export your assessment (JSON) before clearing your browser or moving to another machine.
Use it at checklist.m14r41.in.
The checklist spans 23 assessment platforms. Each has its own dashboard page, and the all-platforms view lives at /checklist.
| Platform | What it covers |
|---|---|
| Web Application | Authentication, sessions, access control, injection, business logic, and configuration testing of modern web apps. |
| API | OWASP API Security Top 10 (2023): object- and function-level authorization, authentication, resource consumption, SSRF, and inventory management. REST & GraphQL. |
| Mobile | OWASP MASVS / Mobile Top 10: insecure storage, transport security, secrets, platform interaction, and reverse-engineering resilience (iOS & Android). |
| Thick Client | Local data storage, inter-process communication, traffic interception, DLL/binary protections, and privilege handling for desktop & native apps. |
| Secure Code Review | Source-level discovery: dangerous sinks, injection patterns, authn/authz flaws, secrets, and insecure dependencies across major languages. |
| Cloud | IAM, exposed storage, instance-metadata SSRF, logging, and common misconfigurations across AWS, Azure, and GCP. |
| DevSecOps | Security across the SDLC: SAST/DAST/SCA gates, secrets management, supply-chain controls, and policy-as-code. |
| Network | Infrastructure assessment: host discovery, service enumeration, exposed management interfaces, and transport hardening. |
| Wi-Fi | Wireless assessment: WPA2/WPA3 encryption and authentication, rogue/evil-twin APs, PMKID/handshake attacks, and client isolation. |
| Firewall | Perimeter testing: ruleset review, egress filtering, segmentation validation, and evasion of filtering controls. |
| Active Directory | Enumeration, Kerberos attacks (Kerberoasting, AS-REP roasting), ACL abuse, delegation abuse, lateral movement, and privilege escalation to domain dominance. |
| Infrastructure | Host and OS hardening, patch posture, exposed services, build review, and configuration baselines. |
| MCP Security | Model Context Protocol servers and tools: tool poisoning, prompt injection via tool output, authz scoping, and unsafe capability exposure. |
| LLM Security | OWASP LLM Top 10: prompt injection, insecure output handling, data leakage, excessive agency, and model DoS. |
| Threat Modeling | Asset and trust-boundary mapping, STRIDE/attack-tree analysis, abuse cases, and mitigation tracking. |
| Configuration Review | Hardening review against CIS-style baselines: services, permissions, logging, secrets handling, and default-credential exposure. |
| Containers & Kubernetes | Image hygiene, privileged containers and escapes, RBAC, network policies, secrets, and admission control. |
| CI/CD | Pipeline and supply-chain attacks: poisoned pipeline execution, secret exfiltration, runner compromise, dependency confusion, and artifact integrity. |
| IoT | Firmware extraction and analysis, hardware/UART/JTAG interfaces, insecure protocols, and cloud/companion-app integration. |
| Blockchain | Smart-contract and Web3 assessment: reentrancy, access control, oracle and arithmetic flaws, signature replay, and front-end risks. |
| Phishing | Social-engineering campaigns: pretext and infrastructure setup, payload and landing-page design, evasion, and reporting metrics. |
| OSINT | Open-source intelligence: domain and infrastructure footprinting, employee and credential exposure, code and document leakage, and exposed assets. |
| Forensics | Digital forensics and incident response: sound evidence acquisition, disk/memory/network analysis, timeline reconstruction, and chain of custody. |
- Hierarchical checklist — content is organised in four levels, Platform → Category → Technology → Check, so the tool works like a real assessment framework rather than a flat list. Expand/collapse categories and technologies, with item counts on every section and one-click Expand all / Collapse all.
- Global search — press ⌘K / Ctrl+K from any page to search across platforms, categories, technologies, checks, descriptions, tags, tools, and references. Selecting a result jumps to it, auto-expands the right sections, and highlights the item.
- Assessment progress tracking — overall completion plus per-platform and per-category progress, persisted in the browser.
- Per-finding status — mark each check Open, Closed, or N/A so you can review every Open finding at the end of an assessment.
- Per-check notes — record payloads, request IDs, and evidence against any check; notes persist in the browser and export with your report.
- Severity badges & filters — every check carries a severity (critical → high → medium → low → info); filter the view to focus on what matters first.
- Export / import — export your assessment to Markdown, CSV, Excel (.xlsx), or JSON; re-import JSON to resume where you left off.
Built and maintained by m14r41 — GitHub · LinkedIn.
If this is useful, please star the repo on GitHub.
Bug reports and feedback are welcome via GitHub Issues. This is a personal project, though, so code contributions are not accepted — no pull requests, and no forks for redistribution (see the license).
Released under a Personal Use Only license — personal, non-commercial use only; no redistribution, resale, or SaaS/hosting. The checklist content references public standards (OWASP, etc.); those remain under their respective licenses.
Commercial use — including paid, subscription, or hosted/SaaS offerings — requires a separate commercial license. Contact the author at m14r41.in.