Pentest responsibilities: swept clean?
An exciting discussion about penetration tests (pentests) and their aftermath recently took place on LinkedIn.
A post by Marlon Hübner, a self-proclaimed Cybersecurity Hero, described a situation in which a surveillance camera in the server room still had the pentester’s email address stored for forwarding images months after a pentest. These cameras were reportedly taken offline after a previous attack. The discovery led to criticism of the pentesters: they should have cleaned up after themselves and removed the email forwarding.
But is this expectation justified?
And what conclusions can be drawn from various responses, including my own Mastodon poll?
The LinkedIn Post: Many Open Questions
In the original post (LinkedIn), many questions remain unanswered from a security perspective:
- Was the email address still reachable? Could the email address still receive images, or was it, as is common in our pentests, a functional address created solely for the pentest and automatically deactivated afterward?
- How could the camera send emails in the first place? Why was an internal device capable of sending emails to external addresses? Wouldn’t webcam01, which usually only sends emails to admin@company.com but suddenly sends emails to evilpentester@anothercompany.com, trigger alarms in a properly configured SIEM?
- Contractual details: Was it agreed with the pentesters that artifacts should be deleted after the pentest?
- Was the finding included in the report? Pentesters who receive images from the server room would usually document this as a critical issue in the pentest report. Was the client perhaps unclear about the severity of the finding?
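The SIEM question above (an appliance that normally mails one admin address suddenly mailing an external domain) can be expressed as a simple baseline-deviation rule. The following is an added example, not code from the original post; the mail-relay log format, the device allowlist and the baseline are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed sample mail-relay log lines (assumed format, not real data).
SAMPLE_LOG = """\
2025-01-10T08:00:01Z relay01 from=webcam01@company.com to=admin@company.com status=sent
2025-01-10T08:05:12Z relay01 from=webcam01@company.com to=admin@company.com status=sent
2025-01-10T08:07:44Z relay01 from=webcam01@company.com to=evilpentester@anothercompany.com status=sent
2025-01-10T08:09:03Z relay01 from=alice@company.com to=partner@anothercompany.com status=sent
2025-01-10T08:10:30Z relay01 from=webcam01@company.com to=soc@company.com status=sent
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<relay>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) status=(?P<status>\S+)$"
)

# Assumed inventory: appliance senders, internal domains, and the learned
# baseline of recipients each appliance has historically mailed.
DEVICE_SENDERS = {"webcam01@company.com"}
INTERNAL_DOMAINS = {"company.com"}
BASELINE = {"webcam01@company.com": {"admin@company.com"}}

Alert = namedtuple("Alert", "ts sender rcpt severity reason")


def detect(log_text, device_senders, internal_domains, baseline):
    """Flag mail from appliances that leaves the org or deviates from baseline."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these
        sender, rcpt = m["sender"].lower(), m["rcpt"].lower()
        if sender not in device_senders:
            continue  # humans may legitimately mail outside; appliances should not
        rcpt_domain = rcpt.rsplit("@", 1)[-1]
        if rcpt_domain not in internal_domains:
            alerts.append(Alert(m["ts"], sender, rcpt, "high", "appliance mailed external domain"))
        elif rcpt not in baseline.get(sender, set()):
            alerts.append(Alert(m["ts"], sender, rcpt, "medium", "appliance mailed new internal recipient"))
    return alerts


def run_sample():
    return detect(SAMPLE_LOG, DEVICE_SENDERS, INTERNAL_DOMAINS, BASELINE)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts} {a.severity}: {a.sender} -> {a.rcpt} ({a.reason})")
```

The rule deliberately ignores the human sender mailing a partner domain; the point is that a camera has no business forwarding anywhere other than its configured recipient.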
These and other details are crucial to understanding the situation.
However, they raise more questions about the client’s security architecture and their follow-up to the pentest than about the pentesters’ work.
The Mastodon Poll: Different Perspectives
This discussion inspired me to conduct a poll on Mastodon. The question was:
The responses from 22 participants were as follows:
- 64%: Yes, they should absolutely clean up.
- 14%: It depends…
- 9%: No, their time should be spent finding security issues.
- 14%: Decided case by case with the client.
The comments reveal that while the trend aligns with the sentiment on LinkedIn, expectations of pentesters are often unclear or highly individual. As a long-time pentester who has a different perspective, I decided to write this post.
Additionally, it would have been helpful to know whether the respondents were pentesters or clients. Rephrasing the question to something like, “What is your expectation, independent of contracts or prior discussions?” might also have provided more clarity.
What Does the Community Say?
The discussion surrounding the poll highlighted several key points:
1. Clear contractual agreements are essential.
As @bhhaskin and @fthy emphasized, it is crucial to clarify upfront whether cleanup tasks are part of the pentest service. Without such agreements, misunderstandings are inevitable. I fully support this statement, not just for pentests but in general.
2. Cleanup by pentesters involves risks.
In this discussion, I support the views of participants like @stemeerkat and @FritzAdalis that pentesters should not clean up.
In fact, from my perspective, the opposite is true: they must not clean up. Here’s why:
- Traceability suffers: Artifacts such as logs or test accounts are invaluable for understanding vulnerabilities and attacks. The report must, of course, be well-written, but in my experience, it’s easier for a blue team to analyze the vulnerabilities using both artifacts and the report, rather than relying solely on written descriptions or screenshots (which might lack details like timestamps for logs).
- Lack of system knowledge: Pentesters don’t have the same level of knowledge about the infrastructure as internal teams do—especially concerning availability or automation, which could lead to incomplete cleanup.
Let’s be honest: if systems were made completely clean after a pentest, even fewer clients would prioritize addressing the vulnerabilities, as the LinkedIn post suggests.
Artifacts could also serve as a training opportunity for the blue team. Testing how quickly they can detect and respond to an attack, as well as trace all compromises, can be part of the pentest’s goals.
3. Different types of pentests require different approaches.
As @codeofamor noted, the answer often depends on the type of pentest. For a web application, pentesters could work on temporary systems that are deleted afterward, eliminating the need for cleanup.
However, I disagree here as well: there are valid scenarios where conducting a web pentest on production systems is necessary. Building entire infrastructures for internal pentests, only to dismantle them later, is simply impractical.
My View: Responsibility and Security Go Hand in Hand
Pentests are not an all-inclusive service. They are a tool to identify and document vulnerabilities—not to leave systems “spotless” or make it easier for clients to live with unresolved issues.
Cleanup belongs in the hands of those who understand the infrastructure and the consequences of their actions (e.g., in terms of availability).
Another important point is that pentesters cannot be aware of all automation within a system. While this might not apply to the camera case, joining a new computer to an Active Directory could trigger critical automation that an external pentester wouldn’t know about and therefore cannot reverse.
Criticism of pentesters misses the point. The LinkedIn post directs attention away from the real issues:
- If emails could be sent from a surveillance camera to external addresses, isn’t this a problem with network or firewall configurations or monitoring (e.g., SIEM)?
- If pentest artifacts are still present months later, doesn’t this indicate that the recommendations in the pentest report were not addressed or prioritized?
A strong security culture is essential. Companies need to take pentests seriously, thoroughly review the reports, and prioritize actions. Critical vulnerabilities, such as compromised devices in the server room, should be resolved immediately—not months later.
Conclusion: Take Pentests Seriously—and Take Responsibility
The expectation that pentesters clean up everything after themselves is not only unrealistic but also dangerous.
Cleanup should be carried out by those who understand the systems and can ensure that no vulnerabilities remain.
Clients should view pentests as an opportunity to improve security and implement the recommendations carefully.
Clear communication, contractual agreements, and a strong security culture help avoid misunderstandings and misplaced blame.
At the end of the day, security is a shared responsibility—not a solo effort by the pentester.
PS. If a pentester involved in the LinkedIn case reads this post, feel free to reach out to me at bloginput@security-manufaktur.de. I’d be interested to know whether “cleanup” was part of the contract and whether the vulnerability was documented in the report.
PPS. I am fully aware that the LinkedIn post was likely a clumsy attempt at advertising pentest services. However, I want to address such misconceptions and evaluate the statements critically.
[UPDATE#1 2025-01-27: Spelling and wording improved; PS and PPS added]