Penetration Testing Methodology: Steps, Frameworks & Complete Guide
A penetration testing methodology defines the structured steps a pentest follows from start to finish: planning, reconnaissance, vulnerability discovery, exploitation, and reporting. Without a methodology, testers miss critical issues and produce inconsistent results. This guide walks through each step of a penetration test, covers the most widely used frameworks (OWASP Testing Guide, PTES, OSSTMM, NIST SP 800-115), and shows how to apply them to web application and network testing engagements.
Whether you are learning what a penetration testing methodology is, building your own pentest methodology steps, or standardising a framework across your security team, this guide covers the complete process with practical examples at each phase.
What Is a Penetration Testing Methodology?
A penetration testing methodology is a structured, repeatable approach to identifying security vulnerabilities in systems, applications, and networks. It defines the order of operations, the techniques used at each stage, and the criteria for moving from one phase to the next. Without a methodology, testers risk duplicating effort, missing entire attack surfaces, or producing findings that lack the context needed for remediation.
Methodologies exist because security testing is inherently complex. A single web application might have hundreds of endpoints, each accepting multiple input types, connected to backend services with their own authentication mechanisms and trust boundaries. Infrastructure environments can span thousands of hosts across multiple network segments. Trying to test all of this without a systematic plan leads to incomplete coverage and inconsistent results between testers and engagements.
Professional methodologies also serve a communication purpose. When a client asks how you will conduct their assessment, referencing an established framework like PTES or the OWASP framework immediately establishes credibility and sets expectations. It tells the client that your approach is based on industry consensus, not personal preference. For consultancies managing multiple testers, a shared methodology ensures that every engagement meets the same quality bar regardless of who performs the work.
The 5 Steps of a Penetration Test
While different frameworks use slightly different terminology, virtually all penetration testing methodologies follow the same five-phase structure. Understanding each phase deeply is essential for delivering thorough, professional assessments. If you are new to the field and want to understand what to expect from a security assessment, this breakdown covers the full lifecycle from start to finish.
Phase 1: Planning and Scoping
Planning and scoping is the foundation of every successful engagement. This phase happens before any technical testing begins and determines the boundaries, objectives, and rules of the assessment. Poor scoping leads to scope creep, missed expectations, and disputes about deliverables. Getting this right upfront saves significant time and protects both the tester and the client.
During scoping, you define exactly what will be tested: specific IP ranges, domain names, application URLs, API endpoints, or cloud environments. You establish the testing window, any blackout periods, and escalation contacts in case something goes wrong. You also clarify the type of assessment: black-box (no prior knowledge), grey-box (partial access such as credentials or documentation), or white-box (full source code and architecture access). Each approach has trade-offs in terms of realism versus coverage, and the choice should align with the client's objectives.
Legal authorisation is non-negotiable. You must have a signed scope agreement or rules of engagement document before any testing begins. This document should explicitly list in-scope and out-of-scope assets, permitted testing techniques, data handling requirements, and any restrictions such as no denial-of-service testing or no social engineering. For teams managing multiple engagements simultaneously, engagement management tooling helps track scope, timelines, and authorisation documents in one place.
- Define objectives: What is the client trying to learn? Compliance validation, risk assessment, or specific threat simulation?
- Establish scope boundaries: List every in-scope asset by IP, hostname, URL, or environment identifier.
- Agree on testing type: Black-box, grey-box, or white-box, along with any provided credentials or documentation.
- Set rules of engagement: Testing hours, rate limits, prohibited techniques, and emergency contacts.
- Obtain written authorisation: Signed by someone with authority to approve testing against the target systems.
Phase 2: Reconnaissance
Reconnaissance, also called information gathering, is where you build a detailed map of the target environment. The goal is to understand the attack surface as thoroughly as possible before attempting to find vulnerabilities. The quality of your reconnaissance directly determines the quality of your findings. Testers who rush through this phase invariably miss critical assets and attack vectors.
Passive reconnaissance involves gathering information without directly interacting with the target. This includes DNS enumeration, WHOIS lookups, certificate transparency log analysis, search engine dorking, and reviewing publicly available code repositories, job postings, and social media profiles. Passive techniques are valuable because they leave no trace on the target's systems and can reveal a surprising amount of information about technology stacks, infrastructure providers, employee names, and internal naming conventions.
Active reconnaissance involves direct interaction with target systems. Port scanning with tools like Nmap reveals open services, while banner grabbing identifies software versions. Web application fingerprinting tools identify frameworks, content management systems, and server technologies. Directory brute-forcing uncovers hidden endpoints, admin panels, and backup files. For web applications, crawling the application while authenticated and unauthenticated maps out all accessible functionality.
The output of this phase should be a comprehensive asset inventory: every host, service, application, and potential entry point documented with version information where available. This inventory becomes the input for the vulnerability discovery phase.
Phase 3: Vulnerability Discovery
With a thorough understanding of the target environment, the next phase focuses on identifying security weaknesses. This combines automated scanning with manual testing techniques. Relying solely on automated scanners produces noisy, false-positive-laden results. Relying solely on manual testing misses the breadth that scanners provide. The most effective approach uses automation for coverage and manual testing for depth.
Automated vulnerability scanners like Nessus, OpenVAS, or Qualys compare discovered services against databases of known vulnerabilities. They check for missing patches, default configurations, and common misconfigurations. For web applications, tools like Burp Suite's scanner and OWASP ZAP test for injection flaws, cross-site scripting, and other common web vulnerabilities. These tools are invaluable for catching low-hanging fruit quickly, but they cannot understand business logic, complex authentication flows, or chained vulnerabilities.
Manual testing is where experienced testers add the most value. This involves analysing application logic for flaws that automated tools cannot detect: insecure direct object references, privilege escalation paths, race conditions, and business logic bypasses. Manual testing also involves validating scanner findings to eliminate false positives and determining the true impact of each vulnerability. Understanding CVSS scoring helps you assess and communicate the severity of each finding accurately.
During this phase, document every finding with enough detail to reproduce it: the affected asset, the exact steps to trigger the vulnerability, the request and response data, and any prerequisites. This documentation is critical for both the exploitation phase and the final report.
Phase 4: Exploitation
Exploitation is the phase that distinguishes a penetration test from a vulnerability assessment. While a vulnerability assessment stops at identification, a penetration test goes further by attempting to exploit discovered weaknesses to demonstrate real-world impact. The purpose is not to cause damage but to prove that a vulnerability is exploitable and to show the client what an attacker could achieve.
Not every vulnerability needs to be exploited. The decision depends on the engagement scope, the client's risk tolerance, and the potential impact. Exploiting a SQL injection to extract a single record proves the point without dumping the entire database. Demonstrating privilege escalation by accessing one admin function is sufficient without modifying production data. The goal is proof of concept, not maximum destruction. For a deeper discussion of how exploitation depth varies by engagement type, see our guide on red team vs penetration testing.
Exploitation often involves chaining multiple lower-severity findings into a high-impact attack path. A server-side request forgery (SSRF) vulnerability alone might be rated medium severity, but if it can be used to access internal metadata services and retrieve cloud credentials, the chain becomes critical. An information disclosure vulnerability that reveals internal IP addresses might enable network pivoting through a separate vulnerability. Identifying and demonstrating these chains is one of the most valuable skills a penetration tester can develop.
Post-exploitation activities, when in scope, include lateral movement to other systems, persistence mechanisms, data exfiltration demonstration, and privilege escalation within the compromised environment. Every action during exploitation must be carefully logged with timestamps, commands executed, and results obtained. This log serves as evidence for the report and helps the client understand the full attack narrative.
Phase 5: Reporting and Remediation
The report is the primary deliverable of a penetration test. No matter how thorough your testing, the engagement is only as valuable as the report that communicates the results. A well-structured report serves multiple audiences: executives need a risk summary, developers need technical details for remediation, and compliance teams need evidence of testing coverage. For a detailed breakdown of report structure, see our guide on how to write a pentest report.
Each finding should include a clear title, severity rating with CVSS scoring, a description of the vulnerability and its impact, detailed reproduction steps, evidence (screenshots, request/response pairs, command output), and specific remediation guidance. Generic advice like "apply security patches" is unhelpful. Effective remediation guidance tells the development team exactly what to change and why.
The executive summary should present findings in business terms: what could an attacker achieve, what is the risk to the organisation, and what should be prioritised. Visual elements like severity distribution charts, risk heat maps, and attack path diagrams help non-technical stakeholders understand the results quickly. Using a report template ensures consistency across engagements and reduces the time spent on formatting.
Remediation support extends beyond delivering the report. Professional engagements typically include a debrief call to walk through findings, answer questions, and help the client prioritise fixes. Many consultancies also offer retest windows where they verify that critical and high-severity findings have been properly remediated. Tracking remediation progress through findings management tools gives both the tester and the client visibility into what has been fixed and what remains outstanding.
Penetration Testing Framework Methodology: OWASP, PTES, OSSTMM, and NIST
Several established frameworks provide detailed guidance on how to structure and execute penetration tests. Each has a different focus and level of detail. Most experienced testers draw from multiple frameworks depending on the engagement type and client requirements.
The OWASP Testing Guide is the most comprehensive resource for web application penetration testing. It provides detailed test cases organised by vulnerability category, including input validation, authentication, session management, error handling, and cryptography. Each test case includes a description of the vulnerability, how to test for it, and tools that can assist. The guide maps directly to the OWASP Top 10 but goes far deeper, covering over 90 individual test cases. It is the de facto standard for web application security testing worldwide.
PTES defines a complete penetration testing engagement from pre-engagement interactions through reporting. It covers seven sections: pre-engagement interactions, intelligence gathering, threat modelling, vulnerability analysis, exploitation, post-exploitation, and reporting. PTES is particularly strong on pre-engagement scoping and post-exploitation activities, making it well-suited for comprehensive network and infrastructure assessments.
OSSTMM takes a metrics-driven approach to security testing. It defines attack surface measurements and provides a framework for quantifying security rather than simply listing vulnerabilities. OSSTMM covers five channels: human security, physical security, wireless communications, telecommunications, and data networks. It is particularly useful for organisations that need to measure security posture quantitatively over time.
The National Institute of Standards and Technology's technical guide to information security testing provides a government-aligned methodology. It covers review techniques (documentation, log, ruleset review), target identification and analysis, target vulnerability validation, and security assessment planning. While less prescriptive than PTES or OWASP, it is often referenced in compliance contexts. Organisations following the NIST framework will find this publication aligns naturally with their existing processes.
Web Application Testing Methodology
Web application testing requires a methodology tailored to the unique characteristics of modern web technologies. The OWASP Top 10 provides a risk-based starting point, but a thorough web application assessment covers significantly more ground. Each testing area requires different techniques, tools, and expertise.
Authentication testing examines how the application verifies user identity. This includes testing login mechanisms for brute-force resistance, credential stuffing protections, multi-factor authentication bypass, and password policy enforcement. Password reset flows are a frequent source of vulnerabilities, including predictable tokens, missing expiration, and account enumeration through differential responses. Session management testing verifies that session tokens are generated with sufficient entropy, transmitted securely, invalidated on logout and timeout, and resistant to fixation attacks.
Authorisation testing is where many of the highest-severity findings emerge. This involves testing every function and data access point to verify that access controls are enforced server-side, not just in the user interface. Insecure direct object references (IDOR), missing function-level access controls, and privilege escalation between roles are among the most common and impactful findings in web application assessments. Testing requires at least two user accounts with different privilege levels to systematically compare what each role can access.
Input validation testing covers the full range of injection attacks: SQL injection, cross-site scripting (reflected, stored, and DOM-based), server-side template injection, XML external entity injection, command injection, and LDAP injection. Each input point in the application, including URL parameters, POST body fields, HTTP headers, cookies, and file upload functionality, must be tested with payloads appropriate to the backend technology.
Business logic testing is the area where automated tools fail most completely. This involves understanding the intended workflow of the application and testing for ways to subvert it: skipping steps in multi-stage processes, manipulating quantities or prices, accessing functionality out of sequence, and exploiting race conditions in concurrent operations. Business logic flaws are application-specific and require creative thinking about how the application's features could be abused.
Network and Infrastructure Penetration Testing Methodology
Infrastructure penetration testing targets the underlying network, servers, and services that support applications. The methodology differs from web application testing in scope, tools, and attack patterns, though there is significant overlap where web services run on infrastructure targets.
Network scanning and service enumeration form the foundation of infrastructure testing. Comprehensive port scanning identifies all listening services, while version detection and banner grabbing determine the exact software running on each port. UDP scanning, often overlooked because it is slower, can reveal services like SNMP, DNS, and TFTP that provide valuable footholds. Service enumeration goes deeper than port scanning, extracting information like SMB shares, NFS exports, SNMP community strings, and DNS zone transfer data.
Vulnerability identification for infrastructure targets relies heavily on comparing discovered service versions against known vulnerability databases. Missing security patches are a primary finding category, but misconfigurations are equally important: default credentials on management interfaces, unnecessary services exposed to untrusted networks, weak SNMP community strings, and permissive file share permissions. For a deeper look at how to compare scanning tools, see our penetration testing tools comparison.
Privilege escalation is a critical phase in infrastructure testing. After gaining initial access to a system, the tester attempts to elevate privileges to administrator or root level. On Linux systems, this involves checking for SUID binaries, writable cron jobs, kernel exploits, misconfigured sudo rules, and credentials stored in configuration files or history. On Windows systems, common escalation paths include unquoted service paths, weak service permissions, token impersonation, registry autorun entries, and missing patches for local privilege escalation vulnerabilities.
Active Directory environments require specialised testing methodology. Testers enumerate domain users, groups, and group policies to understand the trust relationships and permission structures. Kerberoasting attacks target service accounts with weak passwords. AS-REP roasting targets accounts without pre-authentication required. Pass-the-hash, pass-the-ticket, and other credential relay techniques allow lateral movement without knowing plaintext passwords. The goal is typically to demonstrate a path from an initial foothold to domain administrator access, illustrating the real-world risk of each vulnerability in the chain.
Lateral movement demonstrates how an attacker can traverse the network after compromising a single host. This involves using harvested credentials, exploiting trust relationships between systems, and leveraging network access to reach previously unreachable segments. Documenting the complete attack path from initial access through lateral movement to the final objective is essential for showing clients the cumulative impact of individually lower-severity findings.
Tools Mapped to Methodology Phases
Effective testers select tools based on the methodology phase, not personal preference. Each phase has purpose-built tools that maximise efficiency. Understanding how tools compare helps you build a toolkit that covers every phase without redundancy.
Nmap for port scanning and service detection. Amass and Subfinder for subdomain enumeration. Shodan and Censys for passive infrastructure discovery. theHarvester for email and subdomain gathering. Google dorking and certificate transparency logs for passive information gathering. Wappalyzer for web technology fingerprinting.
Burp Suite Professional for web application scanning and manual testing. Nessus or OpenVAS for infrastructure vulnerability scanning. Nikto for web server misconfiguration checks. SQLmap for automated SQL injection detection and exploitation. Nuclei for template-based vulnerability scanning across large target sets.
Metasploit Framework for exploit development and delivery. Cobalt Strike or Sliver for command and control during post-exploitation. Impacket for Active Directory attacks and credential relay. CrackMapExec for lateral movement and credential testing across network segments. Custom scripts for application-specific exploitation.
Dedicated platforms for structuring findings, calculating severity scores, and generating client-ready reports. Screenshots and screen recordings for evidence. Markdown or structured templates for consistent formatting. Using AI-powered reports can significantly reduce the time spent writing finding descriptions and remediation guidance while maintaining professional quality.
From Findings to Remediation
Methodology does not end when the report is delivered. The true value of a penetration test is realised only when findings are remediated and the organisation's security posture actually improves. A strong methodology includes processes for tracking findings through their entire lifecycle: identification, reporting, remediation, and verification.
Each finding should be assigned a clear owner on the client side, a target remediation date based on severity, and a status that is updated as work progresses. Critical and high-severity findings typically require remediation within 30 days, while medium and low findings may have longer timelines. The key is that every finding has a plan, not just a report entry. For consultancies managing findings across many clients, automating findings management eliminates the manual tracking overhead and ensures nothing falls through the cracks.
Retesting is the final step in the methodology cycle. After the client has implemented fixes, the tester verifies that each finding has been properly remediated and that the fix has not introduced new issues. Retesting should use the same techniques and tools as the original test to ensure consistency. The retest results are documented in a supplementary report or an updated version of the original report, showing the before-and-after status of each finding.
Over time, tracking findings and remediation outcomes across multiple engagements reveals patterns. If a client consistently has injection vulnerabilities, it suggests a systemic issue with input validation practices in their development process. If default credentials appear repeatedly, it points to gaps in their deployment procedures. These patterns are valuable insights that go beyond individual findings and help clients address root causes rather than just symptoms. Performing regular assessments as part of a broader vulnerability assessment programme ensures that improvements are sustained and new risks are identified as the environment evolves.
Bringing It All Together
A penetration testing methodology is not a constraint on creativity. It is a framework that ensures thoroughness while giving testers the freedom to apply their expertise where it matters most. The five phases of planning, reconnaissance, vulnerability discovery, exploitation, and reporting provide a logical progression that maximises coverage and produces actionable results.
The best testers internalise their methodology to the point where it becomes second nature. They know when to follow the standard process and when to deviate based on what they discover during an engagement. They understand that methodology serves the client's objectives, not the other way around. And they recognise that the quality of their reporting and remediation guidance is just as important as the technical depth of their testing.
Whether you are building a methodology for the first time or refining an existing one, start with a proven framework and adapt it to your specific context. Use the OWASP Testing Guide for web applications, PTES for comprehensive engagements, and NIST SP 800-115 when compliance alignment is required. Layer in your own experience, lessons learned from past engagements, and feedback from clients to create a methodology that delivers consistent, high-quality results.
For teams looking to operationalise their methodology, having the right platform makes a significant difference. From engagement management and scoping through findings management and AI-powered reporting, the right tools turn methodology from a document into a workflow. Building a strong incident response plan alongside regular penetration testing creates a comprehensive security programme that both prevents and prepares for real-world attacks.
Turn your pentest methodology into a repeatable workflow
SecPortal gives your team a structured platform from scoping through remediation. Built-in scanning covers reconnaissance and vulnerability discovery. Log findings with auto-calculated CVSS scores, generate professional reports with AI, and deliver results through a branded client portal. Every engagement follows the same methodology automatically.
Free tier available. No credit card required.