Security+ Academy · Lesson

Penetration Testing Phases: Recon to Reporting

Follow the pen test lifecycle: reconnaissance, scanning, exploitation, post-exploitation, and the final report that drives remediation.

The Penetration Testing Lifecycle

A structured penetration test follows a defined lifecycle that ensures thorough coverage, minimizes risk to production systems, and produces actionable results. The most widely adopted framework comes from the PTES (Penetration Testing Execution Standard) and aligns with the NIST approach. The phases are: Planning/Scoping, Reconnaissance, Scanning, Exploitation, Post-Exploitation, and Reporting. Each phase builds on the previous — you cannot exploit what you haven't discovered, and you cannot report what you haven't documented. Skipping or rushing phases leads to incomplete assessments and unreliable findings.

# Penetration testing phases:
# 1. Planning & Scoping    (Rules of Engagement)
# 2. Reconnaissance        (OSINT + passive recon)
# 3. Scanning/Enumeration  (active discovery)
# 4. Exploitation          (attacking vulnerabilities)
# 5. Post-Exploitation     (lateral movement, persistence)
# 6. Reporting             (findings + recommendations)

Phase 1: Planning and Scoping

The planning phase establishes the legal and operational foundation for the engagement. Key deliverables include: a signed Statement of Work (SOW) defining objectives and pricing; a Rules of Engagement (RoE) document specifying authorized targets, time windows, prohibited techniques, emergency contacts, and data handling requirements; and clear definition of success criteria (what constitutes achieving the objective). The scope must be precisely defined to prevent scope creep (accidentally testing unauthorized systems) and to ensure the assessment covers the most critical assets. All communication channels and escalation procedures are established before any technical work begins.

# Scoping questions to answer:
# - Which IP ranges/domains are in scope?
# - Are cloud environments (AWS/Azure/GCP) in scope?
# - Are physical attacks in scope?
# - Are employees fair game for phishing?
# - Are denial-of-service techniques permitted?
# - What notification procedures exist?
# - Who is the authorized point of contact?
# - What is the test window (dates/times)?
# - How will data be protected and destroyed after?
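The scoping questions above are only useful if their answers are enforced before every technical action. The following Python script is an added illustration, not material from the lesson or from PTES/NIST: it turns a Rules of Engagement into a structured record and refuses any planned action whose target, technique or timing falls outside it. The `RulesOfEngagement` fields, the sample engagement values (RFC 5737/1918 ranges, a `.test` domain) and the planned actions are all constructed placeholders; a real engagement would load the signed RoE's values instead.

```python
"""Rules-of-Engagement scope check: refuse any test action the RoE does not authorize.

Added example, not part of the lesson. All values below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass(frozen=True)
class RulesOfEngagement:
    in_scope_networks: tuple       # CIDR strings copied from the signed RoE
    in_scope_domains: tuple        # apex domains; their subdomains are in scope
    window_start: datetime         # authorized test window, timezone-aware (UTC here)
    window_end: datetime
    prohibited_techniques: frozenset  # e.g. denial of service, physical entry
    point_of_contact: str          # authorized client contact for escalation


def _host_in_scope(roe, target):
    """True if target is an in-scope IP address or an in-scope domain/subdomain."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        host = target.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in roe.in_scope_domains)
    return any(addr in ipaddress.ip_network(net) for net in roe.in_scope_networks)


def check_action(roe, target, technique, when):
    """Return (allowed, reason); each reason maps back to one scoping question."""
    if when.tzinfo is None:
        return False, "timestamp must be timezone-aware to compare with the test window"
    if not _host_in_scope(roe, target):
        return False, f"{target} is not in the authorized IP ranges/domains"
    if technique in roe.prohibited_techniques:
        return False, f"technique '{technique}' is prohibited by the RoE"
    if not (roe.window_start <= when <= roe.window_end):
        return False, f"{when.isoformat()} is outside the authorized test window"
    return True, "target in scope, technique permitted, inside test window"


# Constructed sample engagement: placeholder ranges and domain, not a real client.
SAMPLE_ROE = RulesOfEngagement(
    in_scope_networks=("10.10.20.0/24", "203.0.113.0/28"),
    in_scope_domains=("example-client.test",),
    window_start=datetime(2024, 3, 4, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2024, 3, 8, 6, 0, tzinfo=timezone.utc),
    prohibited_techniques=frozenset({"denial-of-service", "physical-entry"}),
    point_of_contact="soc-oncall@example-client.test",
)

# Constructed planned actions: (target, technique, planned time)
PLANNED_ACTIONS = [
    ("10.10.20.15", "port-scan", datetime(2024, 3, 5, 1, 0, tzinfo=timezone.utc)),
    # adjacent subnet that is NOT in the RoE: classic scope creep
    ("10.10.21.15", "port-scan", datetime(2024, 3, 5, 1, 0, tzinfo=timezone.utc)),
    # in-scope host, but the technique is prohibited
    ("vpn.example-client.test", "denial-of-service", datetime(2024, 3, 5, 1, 0, tzinfo=timezone.utc)),
    # in-scope host, permitted technique, but after the window closes
    ("app.example-client.test", "web-app-test", datetime(2024, 3, 9, 1, 0, tzinfo=timezone.utc)),
]


def review_plan(roe=SAMPLE_ROE, actions=PLANNED_ACTIONS):
    """Evaluate every planned action; returns a list of (target, allowed, reason)."""
    return [(target, *check_action(roe, target, tech, when)) for target, tech, when in actions]


if __name__ == "__main__":
    for target, allowed, reason in review_plan():
        print(f"{'ALLOW' if allowed else 'BLOCK':5} {target}: {reason}")
```

Two practical caveats: a hostname that matches an in-scope domain can still resolve to an address outside the authorized ranges (shared hosting, CDNs, third-party SaaS), so a production version should check the resolved IP against `in_scope_networks` as well; and the test window must be compared in one timezone, which is why the check rejects naive timestamps instead of guessing.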
