Pen testing can be divided into multiple phases that explain what is going on during the test.
Each methodology, testing company, and standards organization often creates its own.
The most common are the 3, 5, and 7 phase approaches.
In addition to the variety of phase counts there is also variety in terminology: what one standard calls a phase, another may call a stage or a step.
Pen testing stages
Pen testing stages are divided at a minimum into 3: pre-test, testing, post-test.
From there each can be further subdivided, but the minimum covers a complete testing cycle.
Skipping the pre-test leads to improper discovery, which is a problem from a contractual standpoint.
The post-test phase is important for clients because this is where they receive their report; for internal team testing, it is the lessons-learned phase.
While many focus on the test itself, these non-testing phases are essential to ensuring the test goes smoothly and produces useful information.
3 Phase Approach
The three-phase approach is the simplest.
As mentioned it is the pre-test, test, and post-test.
This approach is best used by non-technical parties to simplify the process.
Often used by managers, legal, and sales teams, it is a great way to understand the penetration testing process without getting bogged down by details.
5 Phase Approach
The 5 phase approach expands the 3 phase approach by adding additional steps to the middle “Testing” stage.
Here it is split into reconnaissance, testing, and exploitation/pivoting. These phases break up what the tester is doing in more detail and are better suited to technical people not involved in the test.
Reconnaissance is the part where the tester is doing passive and active discovery.
Testing consists of vulnerability scanning, confirmation, manual attacks, and other more active actions. The last is exploitation, where the tester uses all findings to attempt to gain even more access than was obtained in the previous stage. The pre- and post-test phases are unchanged here.
7 Phase Approach
The 7 phase approach breaks down everything into more digestible parts.
This approach is used by testers and the technical staff involved in the test. The model was created by the Penetration Testing Execution Standard (PTES) and goes deep into the technical testing steps.
They are:
- Pre-Engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post-Exploitation
- Reporting
Exploitation and Post Exploitation Phase
These phases can be unsettling for a client, but they are also important for understanding findings in context and their true impact.
Exploitation is designed to see which findings actually work and whether vulnerabilities can be chained together for a greater impact.
Post-exploitation focuses on pivoting to attack other machines and on the potential for exfiltration. Together these give a truer understanding of the organization's cybersecurity posture.
Post Testing Phase(s)
Post-testing is the reporting and retest phase.
The goal is to help clients understand what was found, in both technical detail and high-level executive summaries.
The retest is a great way to ensure that the team has fixed everything that was found within a short period after report delivery, usually 60-90 days.
This lets companies feel secure knowing that outstanding findings were fixed.