Penetration Testing Process
A penetration testing process is defined by successive steps and events performed by the penetration tester to find a path to the predefined objective.
The process does not follow a static workflow in which you finish one stage and move to the next without ever returning. Rather, as the diagram below illustrates, the stages form an open area in which you move back and forth as new findings require: a result from exploitation often sends you back to information gathering, and lateral movement onto a new host restarts enumeration and vulnerability assessment for that host.
| Stage | Description |
|---|---|
| Pre-Engagement | This stage involves discussing the scope and objectives and preparing all the necessary documents. |
| Information Gathering | This stage involves enumeration of all in-scope systems. It is considered the most essential stage, as all subsequent steps are built upon it. |
| Vulnerability Assessment | This stage involves identifying vulnerabilities based on the information gathered earlier. |
| Exploitation | This stage involves exploiting the identified vulnerabilities; it is where actual exploitation occurs and initial access is gained. |
| Post-Exploitation | This stage comes after gaining initial access and focuses on privilege escalation. |
| Lateral Movement | This stage involves attempting to access other in-scope systems. |
| Proof-of-Concept | In this stage, a proof-of-concept is created, usually using screenshots or videos. Additionally, an optional script to automate the exploitation process might also be provided as proof-of-concept. |
| Post-Engagement | This stage involves the documentation, presentation, and delivery of findings. |