Penetration Testing Process
Last updated
A penetration testing process is defined by successive steps and events performed by the penetration tester to find a path to the predefined objective.
The process doesn't have a static workflow where, after finishing a stage, you move to the next one without ever going back. Rather, as shown in the diagram below, the stages form an open area in which you move back and forth between them as the engagement progresses.
The goal of a penetration test is not merely to get into the systems but to find all the ways to get there.
Pre-Engagement
This stage involves discussing the scope and objectives and preparing all the necessary documents.
Information Gathering
This stage involves enumeration of all in-scope systems. It is considered the most essential, as all subsequent steps are built upon it.
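Scope is agreed in pre-engagement and then enforced throughout information gathering, since every later stage builds on what is enumerated here. The following Python scope check is an added example, not part of this page or any particular tester's tooling: it decides, before any enumeration starts, whether a candidate target lies inside the agreed include list and outside the exclusions. The scope values, hostnames and function names are constructed for illustration; the check also accepts CIDR ranges as targets and rejects a range that merely overlaps an excluded address.

```python
import ipaddress

# Constructed sample scope, as it might appear in the pre-engagement documents.
# These addresses and hostnames are placeholders, not from any real engagement.
SCOPE = {
    "include": ["10.10.0.0/24", "192.0.2.10", "app.example.test"],
    "exclude": ["10.10.0.1", "10.10.0.250/31"],
}


def _parse_network(value):
    """Return an ip_network for an IP or CIDR string, or None if it is a hostname."""
    try:
        # strict=False lets a plain host address become a /32 (or /128) network
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def in_scope(target, scope=SCOPE):
    """True only if target is fully inside an include entry and overlaps no exclude entry."""
    net = _parse_network(target)
    if net is None:
        # Hostname target: exact (case-insensitive) match against hostname include entries
        hostnames = {h.lower() for h in scope["include"] if _parse_network(h) is None}
        return target.lower() in hostnames

    includes = [n for n in map(_parse_network, scope["include"]) if n is not None]
    excludes = [n for n in map(_parse_network, scope["exclude"]) if n is not None]

    # The whole target range must sit inside a single include entry ...
    included = any(n.version == net.version and net.subnet_of(n) for n in includes)
    # ... and must not touch any excluded address or range at all.
    excluded = any(n.version == net.version and net.overlaps(n) for n in excludes)
    return included and not excluded


def filter_targets(targets, scope=SCOPE):
    """Split a candidate target list into (allowed, rejected) before enumeration begins."""
    allowed, rejected = [], []
    for target in targets:
        (allowed if in_scope(target, scope) else rejected).append(target)
    return allowed, rejected


if __name__ == "__main__":
    candidates = ["10.10.0.5", "10.10.0.1", "10.10.0.0/25", "app.example.test", "10.10.1.7"]
    ok, dropped = filter_targets(candidates)
    print("in scope:    ", ok)
    print("out of scope:", dropped)
```

Feeding the candidate list through filter_targets before running any enumeration tool keeps excluded hosts from being touched by accident, and the rejected list is worth recording so the pre-engagement scope can be clarified if a rejected host turns out to matter.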
Vulnerability Assessment
This stage involves identifying vulnerabilities based on the information gathered earlier.
Exploitation
This stage involves exploiting the identified vulnerabilities; it is where actual exploitation occurs and initial access is gained.
Post-Exploitation
This stage comes after gaining initial access and focuses on privilege escalation.
Lateral Movement
This stage involves attempting to access other in-scope systems.
Proof-of-Concept
In this stage, a proof-of-concept is created, usually using screenshots or videos. Additionally, an optional script to automate the exploitation process might also be provided as proof-of-concept.
Post-Engagement
This stage involves the documentation, presentation, and delivery of findings.