For anyone who's experienced with Metasploit will know that there's a risk of crashing the target system. That's because systems vulnerabilities are not planned — they are neither documented nor supported. It is very important not to disrupt your client's day-to-day operations when testing their production systems.
Only use exploit modules with a reliability ranking of “Great” and above on production systems.
Communicate with IT operations. Depends on the penetration test policies, it may be a good idea to talk to the application owners to ensure they're aware, buy into the process, and alert you if anything has gone awry.
Test during maintenance windows. It is recommended not testing systems that are being serviced since this will make troubleshooting more difficult.
Use the Audit Report (in Metasploit Express or Pro) to analyse situations.
Throw the kitchen sink at test systems. Test only “Great” and above exploit modules on production systems. But throw everything you got on the test systems; malicious attacker does not care about the stability of the target system.
Shared by Emil Tan, Skipper & Co-Founder of Div0.