Credential handover for pentests
capture, scope, and rotate test credentials on the engagement record

Captured as the session cookie value plus the cookie name and the domain it is bound to. SecPortal injects the cookie into authenticated scans for the agreed role tier and the manual testers reuse the same record so the session under test is consistent across automated and manual coverage.

Stored as the raw token plus the header name (Authorization, X-Auth-Token, or a custom header) and the issuer. Bearer tokens age fast, so the vault entry carries an expiry the engagement lead can read without opening the token. When a token expires mid-test the rotation lands on the same record rather than in a new chat thread.

Stored as username and password against the realm. Basic auth survives in legacy admin panels, internal services, and proxy gateways. The vault entry encrypts both fields at rest and the authenticated scanner injects the Base64 header at run time so the credential never leaves the encrypted boundary.

Captured as the username, password, the login URL, and the form selectors the scanner needs to walk the login flow. The flow is described in the vault entry, the scanner replays the login on each authenticated scan, and the manual testers reuse the same script so the application is exercised in the same way both ways.

Captured as the key value, the placement (header, query string, or body), and the role tier the key authorises. API keys often carry broader access than cookies, so the scope tier on the vault entry is the gate the engagement lead reads when deciding what the scanner is allowed to exercise.

Stored as the certificate, the private key, and the chain. Mutual TLS is common on financial and OT/ICS estates and the credential set is more sensitive than a password. The vault entry holds the certificate material against the engagement and rotation at close revokes the issued certificate alongside expiring the private key the firm holds.

The tester wakes up on day one of an authenticated test and the credentials have not arrived. They land in a Slack DM at 09:30, the test starts at 10:00, and a week later the next reviewer cannot find the message. Capturing the handover on the engagement record means the credential request and delivery sit in one place rather than a thread that scrolls away.

The client hands over the CFO is account because it has the right permissions. The test triggers a security alert at 02:00, the on-call security engineer thinks the CFO is compromised, and the scope conversation has to restart against a real incident. Scoped test accounts at intake prevent the entire failure mode.

The credentials get pasted into a personal password manager so the tester can paste them back later. The next person on the engagement cannot read the manager. The retest six months later starts with a fresh credential ask. The vault on the engagement record is the shared store the team and the client both reference.

The engagement closes, the report ships, and the test account stays alive. Six months later the credential is still in someone is screenshot folder and still authorises the application. Rotation as part of the close-out is the only reliable defence and recording the rotation against the engagement is the only reliable proof.

A bearer token issued for one test gets reused on the next test because nobody rotated it. The activity log on the application cannot distinguish the two engagements and the audit trail blurs. One credential, one engagement, one rotation at close keeps the trail clean.

A handover that says "use this account" with no role tier, no environment, and no expiry leaves every other field as a guess. Scoping the credential at intake means the engagement lead, the tester, and the client agree what the credential authorises before it gets used rather than after the test runs.

Owns the credential handover protocol on the engagement. Confirms the authentication model and role tiers in the rules of engagement, names the client owner of the handover, and records sign-off on rotation at close. Reads the vault entries via role-based access; never personally holds raw credentials outside the vault.

A named contact on the client side who is responsible for issuing the test accounts, capturing them in the vault, confirming the rotation at close, and confirming the disposal of any test certificates. Captured on the engagement so the firm can demonstrate, at audit time, that the handover had a named counterparty rather than an inbox.

The tester who runs the authenticated test. Reads the vault entries through role-based access, references them in evidence captures, and flags credential issues (expiry mid-test, rotation needed, role tier insufficient) on the engagement rather than chasing the original handover thread.

The peer reviewer or engagement lead reviewing the deliverable. Confirms the role tiers tested match the credentials issued, that the windows on the vault entries align with the testing window in the report, and that the rotation evidence at close has been captured on the engagement.

Credential handover takes the output of pentest client onboarding and feeds the depth pass run by web application testing and API security testing. The credential history rolls forward into pentest evidence management and into retesting months later. When a tester rotates off mid-engagement, credential handover is one of the artefacts the wider tester rotation and handover workflow transfers cleanly so the access surface does not linger past the rotation date.

Credential handover is one phase inside pentest project management. The engagement lead schedules the handover before authenticated testing begins, confirms scope and expiry on the vault entries, and tracks rotation at close alongside scope, evidence, and findings on the same record.

Credentials are encrypted in the vault, scoped per role tier, gated by role-based access, and rotated at close. When an auditor asks how authentication data was handled during the test, the answer is on the engagement rather than in someone is memory.

Rotation at close is a step on the engagement, not a follow-up nobody owns. The client owner confirms the rotation, test accounts are disabled, and the vault entries become read-only audit history rather than live credentials drifting into next quarter.