- Test all input fields for SQL injection
- Check for Server-Side Template Injection (SSTI)
- Test for command injection in file upload, API parameters
- Check for LDAP injection in authentication
- Test for XSS in all reflected and stored input points
- Check for SSRF in URL input parameters, webhook