What are the phases of penetration testing? - CYBRI


By Konstantine Zuckerman

Pen testing can be divided into multiple phases that explain what is going on during the test.

Each methodology, testing company, and standards organization often defines its own set of phases.

The most common are the 3-, 5-, and 7-phase approaches.

In addition to the variety of numbers, there is also variety in terminology: what one standard calls a phase, another may call a stage or step.

Pen testing stages

Pen testing stages are divided at a minimum into 3: pre-test, testing, post-test.

From there each can be further subdivided, but the minimum covers a complete testing cycle.

Ignoring the pre-test yields improper discovery, which is not a good thing from the contractual standpoint.

The post-test phase is important for clients, as this is where they receive their report; for internal team testing, it is the lessons-learned phase.

While many focus on the test itself, these non-testing phases are important to ensuring the test goes smoothly and outputs useful information.

3 Phase Approach

The three-phase approach is the simplest.

As mentioned, it is the pre-test, test, and post-test.

This approach is best used by non-technical parties to simplify the process.

Often used by managers, legal, and sales teams, it is a great way to understand the penetration testing process without getting bogged down by details.

5 Phase Approach

The 5 phase approach expands the 3 phase by adding additional steps to the middle “Testing” stage.

Here it goes into reconnaissance, testing, and exploitation/pivoting. These phases break up what the tester is doing in more detail and are better used by technical people not involved in the test.

Reconnaissance is the part where the tester is doing passive and active discovery.

Testing consists of vulnerability scanning, confirmation, manual attacks, and more active actions.

The last is exploitation, where the tester uses all findings to attempt to gain even more access than what was obtained in the previous stage. The pre-test and post-test phases are still the same here.

7 Phase Approach

The 7 phase approach breaks down everything into more digestible parts.

This approach is taken by testers and the technical staff involved in the test. This model was created by the Penetration Testing Execution Standard (PTES) and really takes a dive into the technical testing steps.

They are:

  1. Pre-Engagement Interactions
  2. Intelligence Gathering
  3. Threat Modeling
  4. Vulnerability Analysis
  5. Exploitation
  6. Post-Exploitation
  7. Reporting

Exploitation and Post-Exploitation Phases

These phases can be scary for a client, but they are also important for understanding findings in context and their true impact.

Exploitation is designed to see what findings actually work and if vulnerabilities can be chained together for a greater impact.

Post-exploitation focuses on pivoting to attack other machines or on exfiltration potential. Both allow for a truer understanding of the cybersecurity posture.

Post Testing Phase(s)

Post-testing is the reporting and retest phase.

The idea is to help clients understand what was found, in both technical detail and high-level executive summaries.

The retest is a great way to ensure that the team fixes everything that was found within a short period after report delivery, usually 60-90 days.

This allows companies to feel secure knowing that outstanding findings were fixed.
