Are you trying to refine your penetration testing phases or methodology to get better results and happier clients?

Or are you looking to get into penetration testing?

Then you’ll love this article.

Because today, I’m going to show you the 7 penetration testing phases that I use to get amazing results every time.

Plus: I’m going to give you bonus resources to help you master each phase.

So right away:

What are the phases of penetration testing?

The 7 phases of penetration testing are: Pre-engagement actions, reconnaissance, threat modeling and vulnerability identification, exploitation, post-exploitation, reporting, and resolution and re-testing.

7 Phases of Penetration Testing


You may have heard different phases or use your own approach, I use these because I find them to be effective.

Now, let’s  look at each of those phases in closer detail and see how to master each.

1. The pre-engagement actions phase

This is one of the phases of pen testing that a lot of novices tend to overlook.

However, it is probably most important.

This pre-phase usually begins with defining the test’s scope.

The client outlines what they want tested and by what methods.

They may, for example, want a network wireless and wired test or they may only want social engineering tests.

Once you understand that,

Get the in-scope targets from the client.

Make sure you know which networks and addresses are in range and which are not.

Get explicit directions.

You don’t want to take down a critical system that’s not in range – that would be really bad.

Ok. Good Enough.

Now both parties should outline the expectations, legal implications, objectives and goals, and the like.

As the pen tester, you want to be sure this contract gives you freedom from liability.

After you have worked out an acceptable scope and the engagement’s objectives in the contract, make sure both party’s legal counsel reviews it.

It’s super important!

Make sure you are legally covered.

Once that’s complete, you are pretty much ready to head to phase 2.

2. The reconnaissance phase

After the scope is complete and the legal stuff is out of the way, it’s time to work on reconnaissance.

The idea of this phase is to gather as much info about the subject as you possibly can.

Some often want to:

Skip this and get straight to the fun part?

Not if you want to succeed.

It’s really important that you have a clear understanding of the client’s systems and operations before you begin exploiting.

Some people call this phase “foot-printing”.

Common reconnaissance methods include:

  • Search engine queries to gather data about the personnel, systems, or technologies of the client.
  • Domain name searches,  WHOIS lookups, and reverse DNS to get subdomains, people’s names, and data about the attack surface.
  • Social Engineering to find out positions, technologies, email addresses
  • Internet foot-printing looking for email addresses, social accounts, names, positions
  • Dumpster diving to find valuable data that may be used for attacks or social engineering
  • Tailgating to get physical access or pictures with hidden cameras

And these are only a few of the many things you may want to try during this phase.

Once you are satisfied that you have a good understanding of the target, you’re ready to move on to the next phase.


3. The threat modeling and vulnerability identification phase

Once you feel you have sufficient info about the client’s systems, you can start modeling the threats that the client would realistically face and identify vulnerabilities that will allow for those attacks.

It’s kind of a pre-attack phase in which you get everything ready.


All that data you gathered during reconnaissance will pay off.

You might start using scanning tools or port scanners to find open ports, live hosts, etc.

Or you may use a vulnerability scanner to find possible vulnerabilities on the network.

In short

You’re looking to get as many details about the systems as you can.

Are the systems up?

What OS are they?

…Is there a firewall? …Antivirus installed? …Intrusion detection? Is it easily avoided?

Pro Tip: Get as thorough of a network map as is possible up front. It will be invaluable as you progress in your test.


It’s time to start thinking like an attacker.

Think about the company’s assets and how they may be used.

Things like employee info:

Who works in what departments, what is their role, can the employee be exploited as a stepping stone in the attack?

Customer data (if it’s in scope) can also be a valuable target.

Who are there customers?

Do the customers of your client have any kind of access into their systems?

What kind of interactions does the customer have with them? (Think the Target Breach).

Technical data:

By now you should have a pretty good understanding of the networks.

You’d be thinking about things like:

The domain structure if it exists


Servers that could possibly be exploited.

Which computers would likely have the things you want – local admin credentials, admin credentials, etc.

Come up with a tentative plan of attack.

Nothing concrete.

Pen tests evolve. You’ll likely end up re-thinking as you run into obstacles.


If you put time and effort into this penetration testing phase, you’ll reap the rewards later.

4. The exploitation phase

If you’ve completed all of the steps leading to this one, you are on the road to a successful penetration testing engagement.


Don’t relax now

There’s still a lot to do.

Pro Tip: With all of the possible vulnerabilities you have found by now, you should have plenty of possible entry points to pick from. That’s why those phases are so important.

The time has come:

You can begin exploiting those opportunities to gain access to systems.

Dependent upon the scope, you’ll want to see just how far you can get.

Can you get a shell going on the computer?

Can you get credentials off of it?

Can you use it to pivot to another computer or server?

Or you may try creating an admin account.

That’s kind of the goal of this phase – to gain as high of administrator access as possible.

Don’t get me wrong

There may be other goals and a ton of damage can still be done even without admin rights.

Once you’ve fully exploited the information systems or your engagement time has run out, it’s time to go to the phase that the client is expecting.

5. The post-exploitation phase

After you have completely exploited the systems or reached the end of the testing time, you’ll want to document the methods that you used.

I like to keep this documented as I go to make this phase easier.

I keep a list of devices that I access and the associated vulnerabilities, ports, personnel, etc.


As I work through exploitations, I keep notes and screenshots – especially of the attacks that worked.

My Tip: I like to keep a “chronology” as I go while performing pen tests. I document everything I do, the time I did it, and for how long it ran (if a scan or something similar). In the timeline, I also add the name of the corresponding screenshot. That way, when I’m ready to work on the report, everything is right there.

While you do this, you’ll want to be thinking about the value of the compromised assets.

Was it just a secretary’s computer that has little access to the network, or was it a critical server?

What was the value of any data you were able to exfiltrate?

Did you get credit card numbers? Or just a marketing email list (although still potentially valuable and usable by an attacker).


Think about the vulnerabilities you used and how they can be fixed.

Note these as you go too.

The other big thing that needs to be done in this phase is cleanup.

Remove any scripts and files that you may have planted and used.

If you changed settings on devices, revert them back to what they were. (Again. This is why your notes and screenshots as you go are important).

Remove any accounts that you may have created during your exploiting.

Now, it’s time for the report.

Bonus: Post-Exploitation Resources

Article: OWASP Risk Rating Methodology

6. The reporting phase

While maybe not the most enjoyable of the penetration testing phases, reporting is probably the most important phase.


Because it’s here that you tell your client their systems’ weaknesses and give them suggestions to resolve those weaknesses.

You should tell the client exactly what the exploits where that you used to compromise their systems as well as exactly what steps should be taken to remediate them.

The whole point in this penetration testing engagement was to  make their systems more secure, right?

So don’t hold anything back.

To make things totally clear for the client, I like to:

Weight each exploit or weakness using a metric based on their risk level – Low, moderate, high, or extreme.

This weight is based on how easy it was to exploit and how much damage it could cause.

Then, I always add a suggested remediation timeline.

Critical items are in the 1 – 3 month timeline and non-critical findings are in the 3 – 6 month bracket.

I like to make it very easy for the client to see what they need to address, what is most critical, and just how critical it is.

I do this because I have another phase after this that not every penetration tester performs.

7. The resolution & re-testing phase

Not all penetration testers do this phase.

I do.

After a pen test when I’ve given the client my full findings and recommendations list, I usually give them a space of time to resolve the issues.

Then, if they want, I’ll re-test the items they fixed and verify the vulnerability no longer exists.

Similarly, sometimes clients want the penetration tester to assist in resolving the issue.

It’s not the most common, but I’ve had a few request assistance.


So those are the 7 phases of a penetration test that I use to get amazing results and happy clients every time.

What phases do you use? Or do you have resources to add?

Please share in the comments below.


Leave a Reply

Your email address will not be published. Required fields are marked *

About SmartFix

We are a family owned business that provides fast, warrantied repairs for all your mobile devices.

Brooklyn Area

2307 Beverley Rd Brooklyn, New York 11226 United States

1000 101-454555
[email protected]

Store Hours
Mon - Sun 09:00 - 18:00

San Francisco Area

358 Battery Street, 6rd Floor San Francisco, CA 27111

1001 101-454555
[email protected]

Store Hours
Mon - Sun 09:00 - 18:00

121 Resources for you to:

Learn & Master Cyber Security
Send Me the PDF
Get the Exclusive Bonus
Privacy Checklists and My Favorite Resources

Get Instant Access! 
Your information will never be shared

Reasons to Subscribe to the CyberX Email List:


 1. Free Stuff 
You'll get instant access to free resources. 

 2. Content Tailored to You 
Over time, Ill get to learn more about you and deliver content that actually matters

 3. No Hype 
Just real content that's meant to make a difference. 


Download the PDF Version Of This Guide

Want to save this guide for later? I'll email you the PDF for free. 

Would the SMB Cybersecurity Plan Be Helpful?

Do you want a proven plan for security for your SMB? How about a logical plan for reducing the risk of breaches?
Pivot To Infosec Virtual Summit - Are you wanting to pivot to infose?
Check Out Free Event