Update 2-4-3-Pentest.md

Author: julio-cfa

current-version/2-Process/2-4-Operation/2-4-3-Pentest.md

@@ -4,32 +4,35 @@ A penetration test, or pen test, is a simulated attack on systems and applicatio
 
 While penetration testers use automated tools for scanning and information gathering, most testing is conducted manually. Manual testing is crucial for detecting vulnerabilities related to business logic and other issues that automated scans might miss.
 
-### Approaches
+### Methodologies and Checklists
 
 A penetration test can be approached in three ways: black-box, gray-box, or white-box.
 
 - **Black-box:** Testers have no prior information about the application, except possibly an IP address or domain.
 - **Gray-box:** Testers are given additional information, such as credentials for test accounts. This approach balances cost and effectiveness, providing deeper insights without the high expense of white-box testing. It should be the preferred approach most of the time.
 - **White-box:** Testers have full access to all available information, including the application's source code.
 
-### Methodologies and Checklists
+Regardless of the approach, penetration testers will generally follow publicly-available and/or internal checklists and testing guides. The most popular ones are:
 
 - [OWASP Web Security Testing Guide (WSTG)](https://owasp.org/www-project-web-security-testing-guide/) -  a comprehensive guide to testing the security of web applications and web services.
 - [OWASP Mobile Application Security Testing Guide (MASTG)](https://mas.owasp.org/MASTG/) - similar to the OWASP WSTG, it is a comprehensive guide to testing mobile applications.
 - [OWASP Top 10](https://owasp.org/www-project-top-ten/) - ranks the top 10 most common and impactful webb application security vulnerabilities.
-- [OWASP Top 10 API]
+- [OWASP Top 10 API](https://owasp.org/API-Security/editions/2023/en/0x11-t10/) - 10 most common security risks and vulnerabilities for APIs.
 - [OWASP Mobile Top 10](https://owasp.org/www-project-mobile-top-10/) - a list containing the most common and impactful mobile application security vulnerabilities.
 
 ### Process Overview
 
-#### Planning
-Planning is crucial in the penetration testing process. A well-planned test maximizes results and minimizes potential failures. Key elements include:
+#### Assembling the team
+The composition of the penetration testing team is very important. It can either consist of internal cybersecurity professionals who understand the organization's systems and policies intimately or an external team hired for their specialized skills and objectivity, which can bring fresh perspectives and expertise in identifying vulnerabilities that internal teams might overlook.
+
+#### Defining a scope
+After assembling the penetration testing team, the organization must meticulously define the scope of the test. This step is critical to avoid deviations from the planned objectives or unintended testing of additional assets and endpoints. Scope definition also entails selecting the appropriate penetration testing approach: black-box, gray-box, or white-box.
+
+#### Dates and deadlines
+As part of the scope, dates for the testing must be selected
 
-1. **Assembling the team:** the composition of the penetration testing team is very important. It can either consist of internal cybersecurity professionals who understand the organization's systems and policies intimately or an external team hired for their specialized skills and objectivity, which can bring fresh perspectives and expertise in identifying vulnerabilities that internal teams might overlook.
-2. Defining a scope:
-3. Defining an approach:
-4. Requirements:
-5. Dates and deadlines:
+#### Requirements
+Once the scope and dates are defined, the penetration testing team will inform the organization of requirements - e.g., testing credentials, application documentation, source-code access, and so forth. It is imperative that the organization provide the penetration testing 
 
 #### Execution