
The phases of the pen test process can be described as follows.
- Planning: Most recognized pen test processes include a planning phase. Depending on the authority that promulgates the process, this phase might also include identifying the scope of the engagement, documenting logistical details, and other preliminary activities that need to occur before the commencement of the pen test.
- Reconnaissance: In the reconnaissance phase, the tester gathers information about the target organization and its systems before active testing starts. This can include both passive information gathering, such as collecting publicly available information about the organization, and deliberate acts, such as scanning ports to detect possible vulnerabilities.
- Scanning: The scanning phase is generally more in depth than the reconnaissance phase. This is where vulnerability assessment begins. Static and dynamic scanning tools evaluate how a target responds to intrusion attempts.
- Gaining access: This phase is when the actual exploitation begins: the information gained through reconnaissance and scanning is applied to attack target systems.
- Maintaining access: In this phase, the pen testers install mechanisms allowing them to continue to access the system. This phase is also where pen testers reach deeper into the network by accessing other network systems.
- Covering tracks: This phase concentrates on obliterating evidence that proves an exploit occurred. It generally consists of two facets: avoiding real-time incident response efforts and avoiding post-exploit forensic liability.
- Analysis: In this phase, the pen tester gathers all the information collected, identifies root causes for any vulnerabilities detected, and develops recommendations for mitigation.
- Reporting: The reporting phase is where the information from testing and analysis is officially communicated to the stakeholders. Although reporting requirements can vary due to customer needs or statutory regulations, most pen test reports list:
  - Vulnerabilities detected.
  - Vulnerabilities exploited.
  - Sensitive data accessed.
  - How long the pen tester had access.
  - Suggestions and techniques to counteract vulnerabilities.