Pentest Methodology & Recon · beginner · ~12 min

The phases of an engagement

Walk the full professional workflow from recon to retest and know what each phase produces.

Overview

Recon → enumeration → vulnerability discovery → exploitation → privilege escalation → post-exploitation → evidence → risk rating → reporting → remediation/retest. Iterative, evidence-driven.

Why it matters

A methodology makes tests thorough and repeatable, and keeps work inside scope. Each phase's output is the next phase's input — and the report's evidence. Ad-hoc poking misses things and can't be defended.

Core concepts

  Recon vs enumeration: discover assets, then interrogate them.
  Validate, don't just scan: confirm findings by hand.
  Post-exploitation is impact, not damage.
  Evidence during, not after: reproducible proof per finding.
  Loop: new access reopens earlier phases.

Lesson

A penetration test follows a repeatable workflow. Each phase feeds the next and produces evidence for the report.

The phases

  1. Reconnaissance — gather information about the target (passive, then active).
  2. Enumeration — interrogate discovered services for users, shares, versions, endpoints.
  3. Vulnerability discovery — identify weaknesses (manual analysis + scanners, validated by hand).
  4. Exploitation — prove a vulnerability is real, within scope, to gain access.
  5. Privilege escalation — go from limited to higher-privileged access.
  6. Post-exploitation — assess impact: what data/systems are now reachable? (No destruction.)
  7. Evidence collection — screenshots, request/response logs, timestamps — clean and reproducible.
  8. Risk rating — score each finding by likelihood × impact; CVSS is the usual base score, adjusted for the client's context (exposure, data sensitivity, compensating controls).
  9. Reporting — write it up for both executives and engineers.
  10. Remediation & retest — advise fixes, then verify they worked.

It's iterative, not linear

Findings in enumeration send you back to recon; a foothold opens a new internal network to re-scan. Good testers loop.

Evidence as you go

Collect proof during testing, not after — note every command, time, and result. The report is only as strong as the evidence behind it, and a finding you can't reproduce isn't a finding.
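As an added example (not part of the original lesson), the helper below shows one way to make "note every command, time, and result" mechanical: it runs a step, appends a JSON-lines evidence record (exact command, UTC start and end, exit code, output, SHA-256 of the output), and can re-hash the log later to catch edited records. The command run in `demo()`, the finding ID `F-001` and the fake SSH banner are constructed stand-ins for a real enumeration step so the code runs offline.

```python
"""Evidence log for a pentest: one JSON-lines record per command run (added example)."""
import datetime
import hashlib
import json
import subprocess
import sys
import tempfile
from pathlib import Path


def run_and_log(argv, log_path, finding_id=None, timeout=60):
    """Run argv, append an evidence record to log_path, and return the record.

    The record carries what the report needs to reproduce the step: the exact
    argv, UTC start/end timestamps, exit code, combined stdout+stderr, and a
    SHA-256 of that output so captured evidence can be checked for tampering.
    """
    started = datetime.datetime.now(datetime.timezone.utc)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    finished = datetime.datetime.now(datetime.timezone.utc)
    output = proc.stdout + proc.stderr
    record = {
        "finding_id": finding_id,
        "command": list(argv),
        "started_utc": started.isoformat(),
        "finished_utc": finished.isoformat(),
        "exit_code": proc.returncode,
        "output": output,
        "output_sha256": hashlib.sha256(output.encode("utf-8")).hexdigest(),
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def load_log(log_path):
    """Read back every record in the evidence log."""
    with open(log_path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def verify_log(log_path):
    """Re-hash each record's output; return the records whose hash no longer matches."""
    bad = []
    for rec in load_log(log_path):
        digest = hashlib.sha256(rec["output"].encode("utf-8")).hexdigest()
        if digest != rec["output_sha256"]:
            bad.append(rec)
    return bad


def demo():
    """Constructed demonstration: log one step, then detect a tampered record.

    The command is a stand-in for a real enumeration step (a banner grab);
    it only prints a fake SSH banner so the demo runs offline.
    """
    log_path = Path(tempfile.mkdtemp()) / "evidence.jsonl"
    rec = run_and_log(
        [sys.executable, "-c", "print('SSH-2.0-OpenSSH_9.2')"],  # constructed stand-in
        log_path,
        finding_id="F-001",  # hypothetical finding ID
    )
    clean_before = verify_log(log_path) == []
    # Simulate someone editing the output after the fact while keeping the old hash.
    tampered = dict(rec, output="SSH-2.0-OpenSSH_7.4\n")
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(tampered) + "\n")
    return {"record": rec, "clean_before": clean_before, "bad_after": verify_log(log_path)}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["record"], indent=2))
    print("clean before tampering:", result["clean_before"])
    print("tampered records found:", len(result["bad_after"]))
```

In a real engagement the argv would be the actual tool invocation (nmap, a curl request, an LDAP query) and the log directory would live on encrypted tester storage; the point is that every command, its time and its result are captured at the moment they happen, not reconstructed from memory when writing the report.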

Summary

The engagement workflow runs recon → enumeration → discovery → exploitation → privesc → post-ex → evidence → rating → report → retest, looping as new access appears. Evidence is gathered throughout, because the report depends on it.
