

Blog Post 4 of 6

Much has been written about hacking, including overly dramatized depictions of hackers busily typing away, creating previously non-existent access into foreign satellites and proclaiming… “I’m in!”

Applause, amazement, and adulation follow.

Educated security professionals know that this is just a dramatization; however, it still causes us to wonder what really happens during a penetration testing engagement. Questions like:

  1. When you say you’re doing a pentest, what does penetration testing involve? I mean, what are you actually doing?

  2. And, how do I know that you know what you’re doing?

  3. Are you running special penetration testing tools that I should know about?

  4. Are you going to break something?

What Does Penetration Testing Involve?

Testing is just one part of the Penetration Pathway. Let’s zoom out for a minute and talk about your goals. Your goals should have been established as part of the penetration test scoping process and then re-established as part of your rules of engagement. Your goals, in turn, drive what is involved in your pentest.

Next, regardless of what you’re testing, a standard testing methodology should be followed. Whatever you choose, it should map to some version of the Penetration Testing Execution Standard (PTES), whose phases are the following:

  • Pre-engagement Interactions

  • Intelligence Gathering

  • Threat Modeling

  • Vulnerability Analysis

  • Exploitation

  • Post Exploitation

  • Reporting

I’m not going to spend time going through these phases because there is plenty of information all over the net that covers the cyber kill chain. Google it :) But you can download our methodology here.

What I want to highlight is that whatever the testers are doing needs to align with the goals you established in your SOW. That means if you were expecting manual validation of findings, you need to set up controls with the test team that allow you to confirm the findings aren’t just regurgitated from a Nessus scan. If you were only interested in getting an annual scan and the testers are asking for authenticated access into one of your web applications… you may want to question their approach. This takes us to our next question...
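One way a client can turn the manual-validation control above into something checkable, as an added example that is not from the original post or its author: a short Python script that cross-references the tester’s findings against the Nessus CSV export you asked them to hand over, and flags any finding that matches a scanner plugin by name but carries no manual evidence. Everything here is constructed: the CSV rows only follow the common Nessus export column names, the finding titles and evidence text are made up, and the word-count threshold stands in for whatever evidence standard you agreed on in the SOW.

```python
import csv
import io
import re

# Constructed Nessus-style CSV export. Column names follow the usual Nessus CSV
# layout, but every value below is made up for this example.
SCAN_CSV = """Plugin ID,Risk,Host,Port,Name
10000,High,10.0.0.5,443,TLS Version 1.0 Protocol Detection
10001,Medium,10.0.0.5,443,SSL Certificate Cannot Be Trusted
10002,Critical,10.0.0.7,445,SMB Signing not required
"""

# Constructed report findings, as a tester might deliver them after you have
# parsed the report (parsing a PDF/DOCX report is outside this example).
REPORT_FINDINGS = [
    {"title": "TLS Version 1.0 Protocol Detection", "host": "10.0.0.5",
     "evidence": ""},
    {"title": "SMB signing not required", "host": "10.0.0.7",
     "evidence": "Manual check: session negotiated without signing; "
                 "screenshot attached as figure 3."},
    {"title": "Password reuse across admin accounts", "host": "10.0.0.9",
     "evidence": "Found during manual review of the shared config repository; "
                 "see appendix B."},
]


def normalize(title: str) -> str:
    """Lower-case and collapse punctuation so plugin names and report titles compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", title.lower()).strip()


def load_scan(csv_text: str) -> set:
    """Return the set of (normalized plugin name, host) pairs present in the scanner export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {(normalize(row["Name"]), row["Host"]) for row in rows}


def triage_findings(findings, csv_text: str, min_evidence_words: int = 5):
    """Label each report finding:

    scanner-only : matches a scanner plugin on the same host and has (almost) no evidence
    validated    : matches a scanner plugin but carries manual evidence
    manual       : does not correspond to any scanner plugin at all
    The evidence threshold (min_evidence_words) is an assumed stand-in for your SOW's standard.
    """
    scanned = load_scan(csv_text)
    results = []
    for finding in findings:
        key = (normalize(finding["title"]), finding["host"])
        evidence_words = len(finding["evidence"].split())
        if key in scanned and evidence_words < min_evidence_words:
            status = "scanner-only"
        elif key in scanned:
            status = "validated"
        else:
            status = "manual"
        results.append((finding["title"], finding["host"], status))
    return results


def summarize(results) -> dict:
    """Count findings per status so the ratio can be compared against what the SOW promised."""
    counts = {"scanner-only": 0, "validated": 0, "manual": 0}
    for _, _, status in results:
        counts[status] += 1
    return counts


if __name__ == "__main__":
    triaged = triage_findings(REPORT_FINDINGS, SCAN_CSV)
    for title, host, status in triaged:
        print(f"{status:13s} {host:10s} {title}")
    print(summarize(triaged))
```

A high proportion of scanner-only findings is the signal to raise with the test team; it does not prove the finding is wrong, only that nothing in the report shows it was confirmed by hand.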

If you want to clearly define your goals and the scope of your penetration test, download our scoping template.


How Do I Know You Know What You’re Doing?

This is a recurring challenge businesses have when they do business with any new vendor. It’s especially disconcerting with penetration tests because the testing company is given so much access and visibility into your environment (or app or whatever). It’s like getting married before you’ve even dated… not such a good idea. Referrals are your best bet to confirm competency; however, you can find out a lot just by looking for the right signs. The fact is, you want more than just an adequate test. Lots of people can do those. What you really want is value-add from the relationship. It’s important that your vendor goes beyond standard testing to include the things listed below, so that you can have peace of mind about your testing without the stress associated with unqualified and commoditized vendors:

  • Manual Validation

  • Tool Variation

  • Extensive Information Gathering

  • Report Enhancements

  • Risk Grouping

  • Vulnerability Table

  • Interim Risk Review