Get explicit written permission from the device owner and any affected users before testing
Limit testing to devices and accounts you own or are authorized to assess
Define the scope, dates, methods, and stop conditions in writing
Use a separate test network or lab environment when possible
Review your router admin settings and connected-device list for inventory and access control
Change default router and device passwords to strong unique passwords
Enable WPA2/WPA3 encryption and disable WPS
Update router firmware and device software to the latest versions
Check for exposed services on your own devices using approved security tools
Run vulnerability scans only on authorized devices and within approved scope
Test for weak passwords only on accounts you are authorized to access
Audit IoT device settings, cloud links, and remote-access features you control
Remove unused devices, accounts, and services from your network
Segment your network with guest or VLAN isolation for testing
Log all actions taken during assessment
Stop immediately if you encounter data, devices, or systems outside the approved scope
Report findings to the owner and document remediation steps
Complete certified penetration testing training and follow applicable laws and policies
