7 Steps and Phases of Penetration Testing
Our internal pentest checklist includes the following 7 phases of penetration testing:
- Information Gathering
- Reconnaissance
- Discovery and Scanning
- Vulnerability Assessment
- Exploitation
- Final Analysis and Review
- Utilize the Testing Results
1. Information Gathering
The first of the seven stages of penetration testing is information gathering. The organization being tested provides the penetration tester with general information about the in-scope targets: IP ranges, domains, applications, credentials where applicable, and anything explicitly out of bounds.
2. Reconnaissance
The reconnaissance stage is crucial to thorough security testing because penetration testers can identify additional information that was overlooked, unknown, or not provided, such as forgotten hosts or exposed services. This step is especially valuable in internal and external network penetration testing. We don't typically perform this reconnaissance in web application, mobile application, or API penetration testing, where the scope is already a defined set of endpoints.
3. Discovery and Scanning
The information gathered is used to perform discovery activities: for targeted hosts, determining which ports are open and which services are listening on them; for web applications, enumerating subdomains and other reachable entry points. Discovery is limited to the agreed scope; a host that surfaced during reconnaissance but is not in scope is reported, not scanned.
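The following is an added example, not code from the original page or from the firm's own toolkit. It shows the discovery step in miniature: a TCP connect scan with banner grabbing, restricted to targets that fall inside the client's declared scope. The scope CIDR, the target list, and the fake listening service (which only ever binds to 127.0.0.1) are all constructed for the example so that it runs offline.

```python
"""Discovery and scanning helper: scope check, TCP connect scan, banner grab.

Added example for illustration; not the original page's code.
The scope list, targets and the local fake service are constructed inputs.
"""
import ipaddress
import socket
import threading


def in_scope(host: str, scope_networks: list) -> bool:
    """True if the IP address `host` lies inside any of the in-scope networks."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in scope_networks)


def scan_host(host: str, ports: list, timeout: float = 0.5) -> dict:
    """TCP connect scan of `ports` on `host`.

    Returns {port: banner}. The banner is whatever the service volunteers
    right after connect (SSH, SMTP, FTP do this); services that wait for the
    client to speak first, such as HTTP, yield an empty string but are still
    reported as open.
    """
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:          # refused, filtered or timed out: closed for our purposes
                continue
            banner = ""
            try:
                banner = s.recv(256).decode("utf-8", "replace").strip()
            except OSError:          # nothing volunteered within the timeout
                pass
            found[port] = banner
    return found


def run_discovery(targets: list, scope_cidrs: list, ports: list) -> tuple:
    """Scan only the targets that are inside the declared scope.

    Returns (findings, skipped): findings maps host -> {port: banner};
    skipped lists hosts that were NOT touched because they were out of scope.
    """
    scope = [ipaddress.ip_network(c) for c in scope_cidrs]
    findings, skipped = {}, []
    for host in targets:
        if not in_scope(host, scope):
            skipped.append(host)   # surfaced somewhere, but the client did not authorize it
            continue
        findings[host] = scan_host(host, ports)
    return findings, skipped


def start_fake_service(banner: bytes):
    """Constructed stand-in for a real service: listens on 127.0.0.1, sends `banner`.

    Returns (port, stop_callable).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free one
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def demo() -> dict:
    """Run the discovery step against one constructed in-scope host and one out-of-scope host."""
    port, stop = start_fake_service(b"SSH-2.0-OpenSSH_demo (constructed banner)\r\n")
    try:
        # 127.0.0.0/8 is the assumed client scope; 203.0.113.9 (TEST-NET-3) is assumed out of scope.
        findings, skipped = run_discovery(
            targets=["127.0.0.1", "203.0.113.9"],
            scope_cidrs=["127.0.0.0/8"],
            ports=[port],
        )
    finally:
        stop()
    return {"port": port, "findings": findings, "skipped": skipped}


if __name__ == "__main__":
    print(demo())
```

Against a real engagement the target list and scope come from the phase 1 hand-off and the port list would be far wider, but the shape is the same: the scope check comes before the first packet is sent, and an empty banner is a finding (open port, unknown service) rather than a miss.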
4. Vulnerability Assessment
A vulnerability assessment is conducted to gain initial knowledge of the environment and to identify potential security weaknesses that could allow an outside attacker to gain access to the environment or technology being tested. It is typically scanner-driven, and its output is a list of candidate issues that still have to be confirmed. A vulnerability assessment is never a replacement for a penetration test, though.
5. Exploitation
This is where the action happens!
After interpreting the results from the vulnerability assessment, our expert penetration testers use manual techniques, human intuition, and their experience to validate, attack, and exploit those vulnerabilities, separating real, reachable weaknesses from scanner false positives.
6. Final Analysis and Review
The final report includes narratives of where we started the testing, how we found vulnerabilities, and how we exploited them. It also includes the scope of the security testing, the testing methodologies used, the findings, and recommendations for remediation.
Where applicable, it also states the penetration tester's opinion of whether the testing performed satisfies the penetration testing requirements of the applicable frameworks.
7. Utilize the Testing Results
The last of the seven stages of penetration testing is the one that turns a report into reduced risk. The organization being tested must actually use the findings from the security testing: risk-rank the vulnerabilities, analyze the potential impact of each, decide on remediation strategies, verify that the fixes work, and let the results inform decision-making going forward.