Know Your Role(s)!
Too often, I've started a web application penetration test with one set of user credentials, a target application URL and it's off to the races. Not long after starting the test, it becomes apparent that I'll need at least one more set of credentials