PenTesting Process

Created August 18, 2025 Last modified August 19, 2025 @ 12:19 AM

Penetration testing is a process through which an authorized, targeted attack is carried out against a client’s IT infrastructure in order to uncover potential vulnerabilities to help improve the security of the tested systems.

The scope of a pentest is always determined before any testing is done because the activities carried out during a pentest are generally illegal without the express, written permission of the client. Even then, attempting to break into systems within the client’s infrastructure that are not specifically outlined in the scope agreement can still get you in trouble. Coordinating a pentest therefore requires a lot of planning and organization ahead of time.

If a company uses third-party services in their IT infrastructure, additional permission may need to be obtained from those third-party vendors before attempting to break into those systems. Some providers, like Amazon Web Services, have policies in place that waive this requirement.

External vs. Internal

Penetration tests can be done externally, i.e., outside the client’s network, or they can be done internally, from within the client’s network. Clients sometimes want both.

Test Types

Pentests come in a few different primary types:

  • Blackbox tests are done with only very minimal information provided about the underlying IT infrastructure, for example only a set of IP addresses or domains.
  • Whitebox tests are done with extensive disclosure of the underlying IT infrastructure. They can include source code and administrator credentials.
  • Graybox tests fall somewhere between blackbox and whitebox.

Less information = more effort and time.

Process

Pen testing generally follows established methodologies or frameworks, although the exact process can vary across organizations. In general, a pentest will go through some form of these stages:

  1. Planning - establishing the test scope with the client and getting everything in writing.
  2. Reconnaissance - gathering information about the targets to be tested.
  3. Enumeration - scanning for and identifying systems and services as potential entry points.
  4. Vulnerability assessment - analyzing the potential entry points, particularly looking for weaknesses that can be exploited.
  5. Exploitation - attempting to break in using the vulnerabilities identified.
  6. Post-Exploitation - building on the access gained: assessing the impact of the exploitation and escalating privileges as far as possible.
  7. Reporting - documenting findings and making recommendations to rectify the identified vulnerabilities.
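As an added illustration of the Planning stage and the scoping rule above (example code written for this page, not part of the original notes): a small Python scope gate that parses a constructed scope file listing in-scope networks, hostnames, wildcard domains and explicit exclusions, and refuses any target the written agreement does not cover. Exclusions win over allow entries, and a wildcard covers subdomains only, not the bare domain.

```python
"""Scope gate: refuse to touch a host that the written scope does not cover."""
import ipaddress

# Constructed sample scope document for this example (not a real engagement).
SCOPE_TEXT = """
# In-scope networks and hosts agreed with the client
203.0.113.0/24
*.example.com
portal.example.net
# Explicit exclusions, e.g. a third-party hosted system without vendor permission
!203.0.113.250
!*.cdn.example.com
"""


def parse_scope(text):
    """Parse scope lines: '#' starts a comment, '!' marks an exclusion,
    '*.' marks a wildcard domain; anything that parses as an IP/CIDR is a network."""
    allow_nets, deny_nets, allow_doms, deny_doms = [], [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        deny = line.startswith("!")
        entry = line.lstrip("!").strip().lower()
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:  # not an address or CIDR, so treat it as a hostname pattern
            (deny_doms if deny else allow_doms).append(entry)
        else:
            (deny_nets if deny else allow_nets).append(net)
    return {"allow_nets": allow_nets, "deny_nets": deny_nets,
            "allow_doms": allow_doms, "deny_doms": deny_doms}


def _host_matches(host, pattern):
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.example.com" matches "a.example.com" only
    return host == pattern


def in_scope(scope, target):
    """True only if target is covered by an allow entry and by no exclusion."""
    target = target.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:  # a hostname rather than an address
        if any(_host_matches(target, p) for p in scope["deny_doms"]):
            return False
        return any(_host_matches(target, p) for p in scope["allow_doms"])
    if any(addr in n for n in scope["deny_nets"]):
        return False
    return any(addr in n for n in scope["allow_nets"])


SCOPE = parse_scope(SCOPE_TEXT)
```

Run every candidate target through `in_scope` before any scanning tool sees it; a hostname that resolves to an excluded address still needs the address checked separately, which this example does not do.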