You're wrapping up an engagement where you uploaded webshells and created test accounts. What must you do?
Short answer
Professional engagements end with full cleanup and an artifact inventory, so you don't leave new attack surface or muddy the client's environment. Leaving shells or accounts for the client to find is negligent and dangerous — a real attacker could reuse them. Keeping a backdoor 'for next time' is unethical and likely illegal. Deleting your own activity logs destroys the audit trail the client needs to validate the test and reconstruct what you did.
Everything you plant during a test — webshells, accounts, scheduled tasks, uploaded tools, config changes — is new attack surface. Leaving any of it behind makes the client less secure than before you arrived, the opposite of the engagement's purpose.
Why full cleanup plus an inventory is correct
Two things must happen at close-out. First, remove every artifact you created: shells, test accounts, scheduled tasks, dropped files, and any temporary configuration changes, restoring systems to their prior state. Second, hand the client a written inventory of everything you created, modified, or touched — ideally tracked live during the test so nothing is forgotten. The inventory lets the client independently verify cleanup, reconcile the changes against their own logs, and confirm nothing was missed. This is the disciplined close that distinguishes a professional from someone who just got in.
Why the other options are wrong
- Leave them for the client to find. This offloads your mess and your risk onto the client. A real attacker scanning the environment could discover and reuse your shell or account — you would have created a live foothold.
- Keep one backdoor for next time. Maintaining covert access after the engagement ends is unethical and, in most jurisdictions, unauthorized access — a crime. It also shatters the trust the whole relationship depends on.
- Delete your activity logs. Your logs are part of the deliverable: they let the client correlate your activity, validate findings, and separate your actions from any real attacker's. Destroying the audit trail looks like covering your tracks and undermines the test's credibility.
What an interviewer is probing
They want operational maturity: the understanding that a test isn't done when you get access — it's done when the environment is clean and accountable. Bonus signal: tracking artifacts continuously and providing an inventory the client can verify against their telemetry.
Likely follow-ups
- How do you track artifacts during the engagement so cleanup is reliable?
- What belongs in the change inventory you hand to the client?
- Why must you preserve, not delete, your own activity logs?