What Happens During a Penetration Test: Day by Day

A standard penetration test at Sherlock Forensics follows a structured timeline: Days 1-2 cover scoping and reconnaissance, Days 3-5 involve active vulnerability testing, Days 6-8 focus on exploitation and validation, Days 9-10 are dedicated to report writing and Day 11 is the client debrief. Standard external penetration tests start at $5,000 CAD and quick audits start at $1,500 CAD.

Demystifying the Process

Most clients know they need a penetration test. Few know what actually happens once the engagement begins. This uncertainty creates anxiety: Will testers break something? How much access do they need? What should I expect in my inbox each day?

This article walks through a standard Sherlock Forensics penetration test engagement day by day. While every engagement varies based on scope and complexity, this timeline represents a typical 11-day external web application assessment.

Before Day 1: The Scoping Call

Before the clock starts, you have a scoping call. This usually takes 30-60 minutes and covers:

  • What is being tested: URLs, IP addresses, API endpoints, mobile apps, internal networks
  • What is off-limits: Production databases with real customer data, third-party services you do not own, specific IP ranges
  • Testing window: Business hours only, 24/7, specific dates
  • Communication: Who to contact if a critical vulnerability is found mid-test, preferred channels (email, Slack, phone)
  • Credentials: Whether to provide test accounts (gray-box) or test without any access (black-box)
  • Rules of engagement: Social engineering allowed? Denial-of-service testing? Physical access testing?

After the call, you sign an authorization document and the tester prepares their environment. Read more in our guide on what to expect during a penetration test.

Days 1-2: Scoping and Reconnaissance

What the tester is doing: Mapping your attack surface. Identifying every way in.

The first two days are about understanding the target. The tester is not attacking yet. They are gathering intelligence, the same way a real attacker would before launching an attack.

Passive reconnaissance: The tester searches public sources for information about your organization. DNS records, WHOIS data, SSL certificate transparency logs, cached web pages, publicly exposed code repositories, job postings that reveal technology stack details and social media profiles of key staff.

Active reconnaissance: Port scanning to identify running services. Subdomain enumeration to find forgotten staging environments or admin panels. Technology fingerprinting to identify your web server, framework, CMS and JavaScript libraries. Directory brute-forcing to discover hidden endpoints, backup files and configuration files.

Application mapping: The tester crawls your application, maps every page, identifies every form, documents every API endpoint and understands the authentication and authorization model. They create a map of the entire attack surface.

What you experience: Very little. You may see slightly increased traffic in your server logs. The tester might send you a question or two about application functionality. Otherwise, this phase is invisible to you.

Days 3-5: Active Vulnerability Testing

What the tester is doing: Systematically testing every input, endpoint and function for vulnerabilities.

This is the most intensive phase. The tester works through the attack surface methodically, testing each component for common and uncommon vulnerabilities.

Authentication testing: Brute-force resistance, password policy enforcement, session management, multi-factor authentication bypass, account lockout mechanisms, password reset flows and credential storage.

Authorization testing: Access control checks on every endpoint. Can User A access User B's data? Can a regular user access admin functions? Are API endpoints enforcing the same permissions as the web interface?
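The "Can User A access User B's data?" check described above, written as an automated regression test a development team could keep in CI. This is an added example, not code from the article or from Sherlock Forensics; the order store, the two handlers and the `Forbidden` error are hypothetical stand-ins for a real application's data layer and API.

```python
# Added example (not from the article or Sherlock Forensics): horizontal
# access-control check across every user/object pair, with a vulnerable
# handler beside its hardened form. Store and handlers are hypothetical.
from dataclasses import dataclass


@dataclass
class Order:
    order_id: int
    owner: str
    total: float


# Constructed sample data: two users, three orders.
ORDERS = {1: Order(1, "alice", 42.0), 2: Order(2, "bob", 99.5), 3: Order(3, "alice", 7.25)}


class Forbidden(Exception):
    """Raised by the hardened handler when the caller may not see the object."""


def get_order_vulnerable(session_user: str, order_id: int) -> Order:
    """IDOR: the caller is authenticated, but ownership of the order is never checked."""
    return ORDERS[order_id]


def get_order_hardened(session_user: str, order_id: int) -> Order:
    """Ownership enforced per object; a foreign id gets the same error as a missing one,
    so the response does not reveal whether the order exists."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        raise Forbidden(f"order {order_id} not visible to {session_user}")
    return order


def cross_user_check(handler) -> list:
    """Request every order as every user who does not own it and return the
    (user, order_id) pairs the handler wrongly served. Empty means the
    horizontal access control holds for this endpoint."""
    users = {o.owner for o in ORDERS.values()}
    leaks = []
    for order in ORDERS.values():
        for user in users - {order.owner}:
            try:
                handler(user, order.order_id)
            except Forbidden:
                continue
            leaks.append((user, order.order_id))
    return sorted(leaks)


if __name__ == "__main__":
    print("vulnerable:", cross_user_check(get_order_vulnerable))
    print("hardened:  ", cross_user_check(get_order_hardened))
```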

Input validation: Every parameter tested for SQL injection, cross-site scripting, command injection, path traversal, server-side request forgery (SSRF) and template injection. This includes URL parameters, form fields, HTTP headers, cookies and file uploads.

Business logic testing: Can you skip steps in a multi-step process? Can you manipulate prices, quantities or discount codes? Can you access features outside your subscription tier? These are the vulnerabilities automated scanners always miss.

Configuration review: HTTP security headers, CORS policies, cookie attributes, TLS configuration, error handling (do errors reveal stack traces or file paths?) and information disclosure.
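The configuration-review checks listed above, run over a captured HTTP response so a team can apply them before the tester does. This is an added example and not Sherlock Forensics' tooling; the sample response, the header list and the leak patterns are constructed for illustration and are not exhaustive.

```python
# Added example (not Sherlock Forensics' tooling): configuration-review checks
# over one raw HTTP response. Flags missing security headers, permissive CORS,
# weak cookie attributes and error pages that leak stack traces or file paths.
import re

REQUIRED = {"strict-transport-security": "HSTS missing",
            "content-security-policy": "CSP missing",
            "x-content-type-options": "X-Content-Type-Options missing",
            "x-frame-options": "X-Frame-Options missing (clickjacking)"}
# Signs of a verbose error page: language tracebacks or absolute server paths.
LEAKS = [r"Traceback \(most recent call last\)", r"\.java:\d+\)",
         r"/(?:var|home|usr|srv)/[\w./-]+", r"[A-Z]:\\[\w\\]+"]


def parse_response(raw):
    """Split a raw HTTP response into [(name, value)] headers (names lowercased) and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def review(raw, origin="https://attacker.example"):
    """Return the findings a configuration review would raise for one response."""
    headers, body = parse_response(raw)
    present = dict(headers)
    findings = [msg for name, msg in REQUIRED.items() if name not in present]
    # CORS is the critical case only when a wildcard or reflected origin is paired with credentials.
    acao = present.get("access-control-allow-origin")
    if acao in ("*", origin) and present.get("access-control-allow-credentials", "").lower() == "true":
        findings.append(f"CORS: origin {acao} allowed with credentials")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in value.split(";")[1:]}
        findings += [f"Cookie {cookie}: missing {f}" for f in ("secure", "httponly", "samesite") if f not in attrs]
    if any(re.search(p, body) for p in LEAKS):
        findings.append("Error page leaks stack trace or file path")
    return findings


# Constructed response from a hypothetical endpoint, for illustration only.
SAMPLE = ("HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n"
          "Access-Control-Allow-Origin: https://attacker.example\r\n"
          "Access-Control-Allow-Credentials: true\r\n"
          "Set-Cookie: session=abc123; Path=/\r\nX-Content-Type-Options: nosniff\r\n\r\n"
          "<pre>Traceback (most recent call last):\n  File \"/srv/app/auth.py\"</pre>")

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```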

What you experience: Your application may behave slightly differently. You might see unusual data in test accounts. The tester may contact you to clarify whether a specific behavior is intentional or a vulnerability. If a critical vulnerability is found during this phase, most testers (including our team at Sherlock Forensics) will notify you immediately rather than waiting for the final report.

Days 6-8: Exploitation and Validation

What the tester is doing: Exploiting confirmed vulnerabilities to demonstrate real-world impact.

Identifying a potential vulnerability is step one. Proving it is exploitable and demonstrating the damage an attacker could cause is step two. This is what separates a penetration test from a vulnerability scan.

Exploitation: The tester exploits each confirmed vulnerability. An SQL injection is not just flagged as "SQL injection." The tester extracts sample data to show exactly what an attacker could access. A broken access control is not just noted as "IDOR." The tester demonstrates accessing another user's data, orders or files.

Chaining: Individual vulnerabilities are often low or medium severity on their own. But combined, they can be devastating. A medium-severity information disclosure that reveals an API key, combined with a low-severity CORS misconfiguration, might chain into a critical account takeover. Experienced testers look for these chains.

Evidence collection: Every finding is documented with screenshots, HTTP request/response pairs, timestamps and step-by-step reproduction instructions. This evidence makes findings undeniable and makes the report defensible for compliance auditors.

What you experience: You may receive an urgent notification if something critical is found. Otherwise, this phase is quiet from your perspective. The tester is documenting, not communicating.

Days 9-10: Report Writing

What the tester is doing: Translating technical findings into a structured, actionable report.

Report writing takes longer than most clients expect, and for good reason. A good report is not a list of findings. It is a document that tells a story, quantifies risk and provides a clear path to remediation.

Executive summary: A one-page overview for leadership. Overall risk level, number of findings by severity, the top three issues to fix immediately and a narrative of the most significant attack paths discovered.

Technical findings: Each vulnerability includes a title, CVSS score, severity rating, detailed description, exploitation evidence (screenshots, request/response data), business impact analysis and step-by-step remediation instructions that your development team can act on directly.

Remediation roadmap: Findings organized by priority. "Fix immediately" for critical and high-severity issues that are actively exploitable. "Fix within 30 days" for medium-severity issues. "Fix within 90 days" for low-severity items and hardening recommendations.

We cover what to look for in a report (and red flags that indicate a bad one) in our pentest report red flags guide.

What you experience: Nothing yet. The tester is heads-down writing. You will receive the report before the debrief call.

Day 11: The Debrief

What the tester is doing: Walking you through every finding, answering questions and helping you prioritize.

The debrief call is one of the most valuable parts of the engagement. You receive the report 24-48 hours before the call so your team has time to review it. During the call:

  • The tester walks through each critical and high-severity finding with live demonstration where possible
  • Your development team can ask questions about remediation approaches
  • You discuss prioritization based on your specific business context and risk tolerance
  • The tester explains which findings are quick fixes and which require architectural changes
  • You agree on a timeline for remediation and optional retest

What you experience: A 60-90 minute call that turns the report into an action plan. This is where the investment pays off. Good testers do not just find problems. They help you understand them and fix them efficiently.

After the Engagement

The report is yours. Use it to prioritize development work, satisfy compliance requirements, demonstrate security posture to customers and investors and track remediation progress. Most Sherlock Forensics clients schedule a retest 30-60 days after remediation to verify that fixes were implemented correctly.

Ready to see what an attacker would find? Order a penetration test. Quick audits start at $1,500 CAD with results in 3-5 business days. Standard external assessments start at $5,000 CAD.

Frequently Asked Questions

What do pentesters do?

Penetration testers follow a structured methodology: scoping, reconnaissance, vulnerability discovery, exploitation, reporting and debrief. They systematically test every endpoint and input for security weaknesses, exploit confirmed vulnerabilities to demonstrate real-world impact and deliver a prioritized report with remediation guidance. At Sherlock Forensics, standard engagements start at $5,000 CAD.

Will a pentest break my website?

Professional testers are trained to test without causing disruption. Any potentially disruptive tests are discussed and approved with you before execution. At Sherlock Forensics, we have never caused a production outage in over 20 years of testing. If you are concerned, testing can target a staging environment or be scheduled during off-peak hours.

What tools do penetration testers use?

Common tools include Burp Suite Professional for web application testing, Nmap for network discovery, sqlmap for SQL injection, Nuclei for automated scanning and custom scripts tailored to the target. The tools matter less than the tester's ability to interpret results, identify business logic flaws and chain individual findings into significant attack paths. Read our best pentesting tools in 2026 guide for the full breakdown.