What are the steps in a penetration test?
- Scoping and planning
- Reconnaissance and information gathering
- Vulnerability identification
- Exploitation and testing
- Post-exploitation and lateral movement
- Report writing and documentation
- Debrief and remediation support
Each step serves a specific purpose in the testing methodology. Skipping any step compromises the quality and completeness of the assessment. Here is what happens at each stage.
Step 1: Scoping and Planning
Every penetration test begins with a scoping conversation. This is where you and the testing team define exactly what will be tested, how it will be tested and when testing will occur. The scope determines the cost, timeline and methodology for the entire engagement.
During scoping, the testing team identifies targets (applications, domains, IP ranges, APIs), agrees on testing boundaries (what is explicitly off-limits), establishes communication protocols (who to contact if a critical vulnerability is found during testing) and sets the testing window.
The scoping phase produces a signed Statement of Work and a Rules of Engagement document. Together they authorize the testing and protect both parties. The Rules of Engagement should record the in-scope targets, the source IP addresses the testers will use, the permitted testing hours and the escalation contact, because activity outside those limits is no longer authorized testing. At Sherlock Forensics, we walk clients through what to expect so there are no surprises.
Step 2: Reconnaissance and Information Gathering
Reconnaissance is the intelligence-gathering phase. The tester collects information about your targets before attempting any exploitation. This mirrors what a real attacker would do: research the target before attacking.
Passive reconnaissance uses sources that do not touch the target: DNS records, WHOIS data, social media profiles and job postings that reveal your technology stack. Fetching publicly accessible files such as robots.txt and sitemap.xml, or fingerprinting the technology stack from server responses, is often grouped with passive work but does contact the target and shows up in its logs, so it belongs inside the agreed testing window.
Active reconnaissance involves directly interacting with the target: port scanning, service enumeration, application mapping and identifying entry points. The tester builds a complete map of your attack surface, documenting every host, open port, service, endpoint and potential entry point. That inventory becomes the checklist for the next phase, and anything on it that the scan could not identify with confidence is flagged for manual enumeration.
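The inventory step above is mechanical enough to script. The following is an added example, not Sherlock Forensics code: it reads the XML that nmap writes with -sV -oX, keeps only open ports on hosts that are up, and flags services for which nmap could not establish a version so the tester knows where manual enumeration is still needed. The scan output embedded below is constructed for the example; the address is from the documentation range 203.0.113.0/24 and the hostname is a placeholder.

```python
"""Turn nmap -sV XML output into an attack-surface inventory (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in the shape nmap produces with -oX (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 203.0.113.10" version="7.94">
<host><status state="up" reason="echo-reply"/>
<address addr="203.0.113.10" addrtype="ipv4"/>
<hostnames><hostname name="www.example.com" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.18.0" tunnel="ssl"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
<port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="203.0.113.11" addrtype="ipv4"/></host>
</nmaprun>
"""


@dataclass(frozen=True)
class Exposure:
    """One open port on one live host: a single entry point on the attack surface."""
    host: str
    hostname: str
    port: int
    proto: str
    service: str
    product: str
    version: str
    tls: bool


def parse_nmap_xml(xml_text: str) -> list[Exposure]:
    """Extract open ports on live hosts from nmap -oX output, sorted by host and port."""
    root = ET.fromstring(xml_text)
    found: list[Exposure] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down/unreachable hosts carry no exposures
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name", "") if hn is not None else ""
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are noted in the raw scan, not as entry points
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            found.append(Exposure(
                host=addr,
                hostname=hostname,
                port=int(port.get("portid")),
                proto=port.get("protocol", "tcp"),
                service=attrs.get("name", "unknown"),
                product=attrs.get("product", ""),
                version=attrs.get("version", ""),
                tls=attrs.get("tunnel") == "ssl",
            ))
    return sorted(found, key=lambda e: (e.host, e.port))


def needs_manual_enumeration(exposures: list[Exposure]) -> list[Exposure]:
    """Services nmap could not version-identify; these need hands-on probing next."""
    return [e for e in exposures if not e.version]


def render(exposures: list[Exposure]) -> list[str]:
    """Plain-text rows for the recon notes, one per entry point."""
    rows = []
    for e in exposures:
        banner = f"{e.product} {e.version}".strip() or "(unidentified)"
        scheme = f"{e.service}+tls" if e.tls else e.service
        rows.append(f"{e.host:<16}{e.port:>6}/{e.proto:<4}{scheme:<12}{banner}")
    return rows


if __name__ == "__main__":
    exposures = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("\n".join(render(exposures)))
    for e in needs_manual_enumeration(exposures):
        print(f"manual enumeration needed: {e.host}:{e.port} ({e.service})")
```

Note that `address[@attrib='ipv4']` relies on the `[@attrib='value']` predicate that `xml.etree.ElementTree` supports natively; the `or host.find("address")` fallback covers hosts that only report an IPv6 or MAC address.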
Step 3: Vulnerability Identification
With the reconnaissance data in hand, the tester systematically probes the target for vulnerabilities. This phase combines automated scanning with manual testing techniques.
Automated tools scan for known vulnerabilities, outdated software versions, misconfigurations and common security issues. The tester then performs manual testing that automated tools cannot replicate: testing business logic, examining authentication flows, checking access controls and looking for application-specific weaknesses.
Every potential vulnerability is documented and categorized. The tester distinguishes between confirmed vulnerabilities, suspected vulnerabilities that require exploitation to verify and false positives from automated scanning tools.
Step 4: Exploitation and Testing
Exploitation is what separates a penetration test from a vulnerability scan. The tester takes the identified vulnerabilities and attempts to exploit them to demonstrate real-world impact.
Finding an SQL injection vulnerability is informative. Demonstrating that the SQL injection could be used to read the entire customer database makes the risk tangible and undeniable. Exploitation proves that vulnerabilities are not theoretical. They are exploitable weaknesses that an attacker would use.
Professional testers exploit carefully. The goal is to demonstrate impact without causing damage, so impact is proven with the minimum necessary evidence: a row count or a single redacted record rather than a bulk copy of real customer data, and read-only queries rather than anything that modifies state. They document every exploitation step with screenshots, request/response data and proof-of-concept evidence. This documentation is essential for the report and for your development team to understand and reproduce the issue.
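The SQL injection case above, as an added example that is not Sherlock Forensics' own code. It shows the vulnerable lookup beside its parameterized fix, against an in-memory SQLite database with constructed sample rows (the table names, emails and hashes are placeholders). Two read-only payloads are used: a tautology that turns a single-row lookup into a full-table dump, and a UNION that reaches a table the feature was never meant to expose. Both are the kind of proof a tester records, and neither modifies data.

```python
"""Vulnerable vs. parameterized lookup under SQL injection (added example)."""
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: nothing here is real."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL, card_last4 TEXT NOT NULL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password_hash TEXT NOT NULL);
    """)
    conn.executemany("INSERT INTO customers (email, card_last4) VALUES (?, ?)", [
        ("alice@example.com", "4242"),
        ("bob@example.com", "1881"),
        ("carol@example.com", "0005"),
    ])
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)", [
        ("admin", "$2b$12$placeholderhash.admin"),
        ("support", "$2b$12$placeholderhash.support"),
    ])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list[tuple]:
    # Deliberately vulnerable: attacker-controlled input is spliced into the SQL text,
    # so the input can change the shape of the query, not just its value.
    sql = f"SELECT id, email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, email: str) -> list[tuple]:
    # Hardened: parameter binding sends the input as data; the query shape is fixed
    # by the driver before the value is supplied, so quotes in the input are inert.
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Payload 1: closes the string, then ORs in a condition that is always true.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
# Payload 2: UNION pulls rows from a different table with a matching column count;
# the trailing -- comments out the closing quote the application appends.
UNION_PAYLOAD = "x' UNION SELECT id, username, password_hash FROM users --"


def demonstrate() -> dict[str, list[tuple]]:
    """Run both payloads through both implementations and return the evidence."""
    conn = build_demo_db()
    return {
        "normal": lookup_vulnerable(conn, "alice@example.com"),
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "vuln_union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "fixed_tautology": lookup_fixed(conn, TAUTOLOGY_PAYLOAD),
        "fixed_union": lookup_fixed(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demonstrate().items():
        # A tester's note would record the row count and one redacted row, not every record.
        print(f"{label:<16} rows={len(rows)} first={rows[0] if rows else None}")
```

In the vulnerable function the tautology payload returns every customer row and the UNION payload returns the user table's password hashes; in the fixed function both payloads return nothing, because the driver binds them as literal email addresses that match no row.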
Step 5: Post-Exploitation and Lateral Movement
After gaining initial access through exploitation, the tester determines what an attacker could accomplish. This phase answers the question: "Now that I am in, how far can I go?"
Post-exploitation activities include escalating privileges from a regular user to an administrator, moving laterally to access other systems or databases, accessing sensitive data that should be protected, establishing persistence mechanisms that would survive a system restart and mapping the internal network from the compromised position. All of this stays inside the agreed scope: the tester only pivots to systems the Rules of Engagement cover, and every persistence mechanism, test account or uploaded file is logged as it is created and removed at the end of the engagement so the client is not left with an attacker-shaped foothold.
This step is critical because it reveals the true blast radius of a vulnerability. A single exploitable weakness in a web application might provide access to internal databases, backend services and infrastructure that the client did not realize was connected.
Step 6: Report Writing and Documentation
The report is the primary deliverable of a penetration test. A quality report transforms raw testing data into actionable intelligence that your team can use to improve security.
Every Sherlock Forensics report includes:
- Executive summary: A plain-language overview of overall risk, key findings and recommended priorities. Written for business leaders and board members.
- Methodology: What was tested, how testing was conducted and what tools were used.
- Findings: Each vulnerability documented with title, severity rating (Critical, High, Medium, Low), technical description, proof-of-concept evidence and step-by-step remediation instructions.
- Risk matrix: Visual summary showing findings plotted by severity and exploitability.
- Remediation roadmap: Prioritized list organized as "fix immediately," "fix within 30 days" and "fix within 90 days."
Report writing typically takes 2 to 3 business days. Rushing this phase compromises quality. A well-written report is the difference between a useful security investment and a document that collects dust.
Step 7: Debrief and Remediation Support
The final step is a debrief call where the testing team walks through findings with your technical and business stakeholders. This is an interactive session where you can ask questions, request clarification and discuss remediation priorities.
The debrief typically covers the most critical findings first, explains the business impact of each vulnerability, discusses remediation approaches and trade-offs and establishes a timeline for fixes. At Sherlock Forensics, we include ongoing remediation support where your development team can ask follow-up questions as they work through fixes.
Most engagements also include a retest window. After your team addresses the critical findings, the tester returns to verify that the fixes were implemented correctly and the vulnerabilities are resolved. This verification step ensures that remediation efforts actually reduced risk rather than introducing new issues.
Getting Started
If you are ready to understand where your vulnerabilities are, order a penetration test from Sherlock Forensics. Quick audits start at $1,500 CAD with results in 3 to 5 business days. Standard engagements start at $3,000 CAD with full OWASP Top 10 coverage.
People Also Ask
How long does each step take?
Scoping takes 1 to 2 days. Reconnaissance takes 1 to 2 days. Vulnerability identification and exploitation together take 3 to 8 days depending on scope. Post-exploitation takes 1 to 2 days. Report writing takes 2 to 3 days. The debrief is typically a 30 to 60 minute call. Total engagement duration ranges from 5 to 15 business days for most projects.
What tools do pentesters use?
Professional pentesters use a combination of commercial and open-source tools including Burp Suite Professional for web application testing, nmap for network discovery, Metasploit for exploitation, Nuclei for automated scanning, custom scripts for specific test cases and manual browser-based testing for business logic flaws. The specific toolset varies based on the target environment.
What happens after a pentest?
After a pentest, you receive a detailed report and a debrief call with the testing team. Your development team uses the report to fix vulnerabilities, starting with critical and high severity findings. Most firms offer a retest window to verify critical fixes were implemented correctly. Sherlock Forensics includes remediation support and retesting with every engagement.