Penetration testing is one of the most robust security testing tools within any cybersecurity program. When implemented effectively, the four phases of penetration testing will help identify gaps in your IT security and bolster your cyberdefenses. Read on to learn more about the penetration testing phases.
What are the 4 Phases of Penetration Testing?
A phased approach to penetration testing ensures that gaps in security are promptly identified before they can become pressing cybersecurity risks. For the highest efficiency of security testing and assessment, the National Institute of Standards and Technology (NIST) recommends four phases of penetration testing:
- The first phase involves planning for the penetration test.
- The second phase involves data collection to identify potential vulnerabilities.
- The third phase involves identifying and characterizing security vulnerabilities.
- The fourth phase involves reporting findings from the penetration test.
Working with a penetration testing partner will help you optimize each phase of penetration testing and strengthen your overall security controls.
What is Penetration Testing?
Before diving into the phases of penetration testing, it is critical to define what penetration testing looks like at a high level and in practice. At a high level, penetration testing assesses the effectiveness of your cybersecurity against a cyber attack. It simulates a cyber attack to provide visibility into how your cyber defenses detect, respond to, and mitigate it in real time.
In practice, penetration testing can be tailored to meet your specific security needs.
A more intensive penetration testing exercise often reveals more insights into security vulnerabilities than a less intensive one. Organizations can also choose to conduct penetration testing internally, externally, or as a hybrid exercise. The stages of testing may differ slightly, but the penetration testing phases remain the same regardless of the type of penetration test.
Phase #1 – Planning of Testing Exercises
The activities in the initial penetration testing phase focus on planning for the eventual simulated attack. Here, testers and the organization must align on what the penetration test will look like in practice. However, no actual testing takes place during the planning phase.
Although the testing specifics will vary for internal, external, or hybrid penetration tests, the planning phase of penetration testing typically involves:
- Rule identification – Any established rules are identified to determine the baseline for system security across assets to be tested, such as:
  - Firewalls
  - Networks
  - Operating systems
- Testing approval – The organization’s management reviews the proposed process for penetration testing and documents its approval of testing exercises.
- Goal setting – The goals of each penetration test must be clearly defined and may vary based on:
  - Security risks
  - Resource availability
Planning is critical to setting the pace of penetration testing and influencing its broader outcomes. A well-planned penetration testing exercise will help streamline vulnerability identification, remediation, and threat mitigation.
Phase #2 – Discovery of Vulnerabilities
The discovery phase of penetration testing comprises two stages. First, data is collected from the assets to be tested with the help of intelligence gathering techniques. In the second stage, these data are analyzed to generate actionable insights about potential vulnerabilities.
 
Stage 1 of Discovery: Intelligence Gathering
In the first stage of the discovery phase of penetration testing, data is collected from networks that may be prone to security threats. The tools used to gather intelligence are critical to the success of a pen testing campaign. The types of data collected include but are not limited to:
- Network ports and services running on hosts are identified using port scanners.
- Hostnames and their IP addresses may be identified via methods such as:
  - Interrogating DNS servers to learn more about a host’s domain
  - Using the WHOIS tool to query the Internet’s Network Information Center (InterNIC) for publicly available domain information
  - Sniffing networks to differentiate host-specific network traffic (applies to internal penetration tests)
- Details about employees and their contact information are sourced from directories or web servers belonging to the organization being tested.
- System and device information are obtained by enumerating the:
  - Network Basic Input/Output System (NetBIOS)
  - Network Information System (NIS)
- Physical walkthroughs of facilities to identify vulnerabilities such as written passwords left lying around in common areas
Organizations and testers should strive to collect as much data as possible from all the different sources to provide a broad database for subsequent vulnerability analysis.
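One concrete control that connects the planning rules to this stage, written here as an added example rather than code from the article or from NIST SP 800-115: every host found during intelligence gathering is checked against the agreed scope and carve-outs before anything proceeds to vulnerability analysis. The RulesOfEngagement model, the host dictionary shape and all addresses are constructed for the example.

```python
"""Scope gate (added example, constructed data): check each host found in
discovery against the rules of engagement agreed in the planning phase."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class RulesOfEngagement:
    networks: list = field(default_factory=list)  # authorised CIDR ranges
    domains: list = field(default_factory=list)   # authorised apex domains
    excluded: list = field(default_factory=list)  # exact IPs or names never to test

def ip_in_scope(ip, roe):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # malformed address: not authorised
        return False
    return any(addr in ipaddress.ip_network(n, strict=False) for n in roe.networks)

def name_in_scope(name, roe):
    # Exact apex or a proper subdomain; "notexample.com" must not match "example.com".
    return any(name == d or name.endswith("." + d) for d in roe.domains)

def classify(host, roe):
    """Return 'excluded', 'in_scope' or 'out_of_scope' for one discovered host,
    given as {"ip": ..., "hostname": ...} with hostname optional (constructed shape)."""
    name = host.get("hostname", "").lower().rstrip(".")
    if host["ip"] in roe.excluded or (name and name in roe.excluded):
        return "excluded"
    # Both checks must pass when a name is known: an in-scope name on a third-party (CDN) IP is not authorised.
    if ip_in_scope(host["ip"], roe) and (not name or name_in_scope(name, roe)):
        return "in_scope"
    return "out_of_scope"

def gate(hosts, roe):
    # Partition discovery results for the report; only 'in_scope' proceeds to analysis.
    result = {"in_scope": [], "excluded": [], "out_of_scope": []}
    for h in hosts:
        result[classify(h, roe)].append(h)
    return result

# Constructed ROE and discovery output (RFC 5737 / RFC 3849 documentation ranges).
ROE = RulesOfEngagement(networks=["203.0.113.0/24", "2001:db8::/32"],
                        domains=["example.com"], excluded=["203.0.113.10"])
DISCOVERED = [
    {"ip": "203.0.113.5", "hostname": "www.example.com"},        # authorised
    {"ip": "203.0.113.10", "hostname": "db.example.com"},        # carve-out
    {"ip": "198.51.100.7", "hostname": "cdn.example.com"},       # third-party IP
    {"ip": "203.0.113.20", "hostname": "shop.partner.example"},  # foreign domain
    {"ip": "203.0.113.21", "hostname": "notexample.com"},        # suffix trap
    {"ip": "2001:db8::1"},                                       # IPv6, no name
]
```

Running `gate(DISCOVERED, ROE)` yields two authorised hosts, one carve-out and three out-of-scope entries that should be raised with the client rather than tested.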
Stage 2 of Discovery: Vulnerability Analysis
In the second stage of the discovery phase of penetration testing, the data obtained from the first stage of discovery is analyzed for vulnerabilities. Vulnerability analysis typically uses:
- Vulnerability scanners – While scanning assets for vulnerabilities, scanners will automatically cross-reference potential vulnerabilities with vulnerability databases.
- Pen tester expertise – Human pen testers can also leverage their knowledge of vulnerabilities to analyze scanned hosts for potential vulnerabilities.
- Vulnerability databases – Pen testers can also conduct comprehensive vulnerability analyses with the help of vulnerability databases such as:
  - Publicly accessible databases (e.g., NIST’s National Vulnerability Database (NVD))
  - Databases compiled and curated by the pen testers themselves or other pen testers
Although automatic pen testing via vulnerability scanners may be much faster than the manual testing conducted by human testers, it is not as effective at identifying newer or more advanced vulnerabilities. The discovery phase of penetration testing is critical to expanding your internal threat intelligence capabilities and can be leveraged to optimize threat and vulnerability management within your broader cybersecurity program.
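The cross-referencing step described above, as an added example (not code from the article or from any scanner product): services recorded in stage 1 are matched against version ranges in a vulnerability database, and each finding receives a CVSS-based rating and a remediation note for the phase 4 report. The Advisory model, product names and advisory ids are constructed placeholders.

```python
"""Vulnerability analysis (added example, constructed data): cross-reference services
recorded in stage 1 against a vulnerability database and rate each finding for the report."""
import re
from dataclasses import dataclass

def parse_version(v):
    """'2.4.49' -> (2, 4, 49); only the leading digits of each piece count, so '8.2p1' -> (8, 2)."""
    matches = (re.match(r"\d+", piece) for piece in v.split("."))
    return tuple(int(m.group()) for m in matches if m)

@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # placeholder identifier (constructed, not a CVE number)
    product: str
    affected_from: str  # first affected version, inclusive
    fixed_in: str       # first fixed version, exclusive; "" means no fix yet
    cvss: float
    remediation: str

def affected(adv, product, version):
    if product.lower() != adv.product.lower():
        return False
    v = parse_version(version)
    return v >= parse_version(adv.affected_from) and (
        not adv.fixed_in or v < parse_version(adv.fixed_in))

BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]

def rating(cvss):  # CVSS v3.x qualitative severity scale
    return next((name for floor, name in BANDS if cvss >= floor), "None")

def analyze(services, database):
    """services: (host, product, version) tuples. Returns findings, highest CVSS first."""
    findings = [{"host": h, "service": f"{p} {ver}", "advisory": a.advisory_id,
                 "cvss": a.cvss, "rating": rating(a.cvss), "remediation": a.remediation}
                for h, p, ver in services for a in database if affected(a, p, ver)]
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)

# Constructed inputs: a fictional product line and fictional advisories.
DATABASE = [
    Advisory("ADV-0001", "ExampleHTTPd", "2.4.0", "2.4.50", 9.8, "Upgrade to 2.4.50 or later"),
    Advisory("ADV-0002", "ExampleHTTPd", "2.2.0", "2.4.0", 5.3, "Upgrade to the 2.4 branch"),
    Advisory("ADV-0003", "ExampleSSH", "8.0", "", 7.5, "No fix released; restrict exposure"),
]
SERVICES = [
    ("203.0.113.5", "ExampleHTTPd", "2.4.49"),  # inside the ADV-0001 range
    ("203.0.113.6", "ExampleHTTPd", "2.4.51"),  # already patched
    ("203.0.113.7", "ExampleSSH", "8.2p1"),     # unfixed advisory applies
    ("203.0.113.8", "examplehttpd", "2.3.1"),   # case-insensitive product match
]
```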
Pen Testing Phase #3 – Conducting the Simulated Attack
The planning and discovery phases of penetration testing help lay the groundwork for the simulated attack, which occurs in the third penetration testing phase. The entire attack phase of penetration testing is focused on exploiting the vulnerabilities identified during discovery and implementing appropriate remediation strategies to address these vulnerabilities.
Successful implementation of the attack phase of penetration testing largely depends on the findings captured in the discovery phase, which then drive the four stages of the simulated attack. The four stages of the attack penetration testing phase include:
- Obtain system access – Based on the vulnerability analysis conducted in the discovery phase of penetration testing, a pen tester will attempt to gain access to the target system. When launching an attack to gain system access, it is best practice for pen testers to:
  - Exploit multiple vulnerabilities when attacking a system
  - Verify and report successfully exploited vulnerabilities
  - Identify the minimum access level required for cybercriminals to breach a system
- Escalate privileges – If the first stage of the attack phase is successful (with user-level access obtained), a pen tester then attempts to gain higher-level administrator access. If privileges are successfully escalated during a penetration test, NIST recommends that the pen testers:
  - Conduct additional testing to identify the risk levels faced by target assets
  - Expand testing to other assets that may be potentially compromised
- Gain additional system access – Further testing and analysis are conducted in the third stage of the attack pen testing phase to determine the possibilities of:
  - Exploiting more vulnerabilities across the target assets
  - Accessing more sensitive areas of IT environments
- Expand pen testing – The final stage of the attack phase of pen testing involves installing additional sets of tools to aid further testing of target assets.
In practice, the discovery and attack phases of pen testing may be conducted simultaneously across different target assets in an organization’s IT infrastructure. Some assets may be severely compromised compared to others, requiring further pen testing and, in some cases, optimized vulnerability testing for obscure vulnerabilities.

Pen Testing Phase #4 – Reporting
The final phase of pen testing involves reporting the vulnerabilities identified during the pen testing exercise to guide vulnerability remediation. Reporting is not necessarily final, as it occurs during each phase and is critical to the success of pen testing exercises.
In general, reporting within a pen testing exercise will involve:
- Documenting an assessment plan – An assessment plan is developed during the planning phase of pen testing and is based on:
  - Rules of engagement (ROE) agreed upon by the pen tester and the organization being tested
  - Scope of contracted penetration testing services
- Reporting vulnerability testing and analysis – All penetration testing activities and corresponding results from the discovery and attack phases should be logged and recorded, ensuring:
  - Proper storage of testing logs and vulnerability reports
  - Oversight of reporting activities by organization management
  - Submission of reports to the designated authority within the organization’s management
- Post-testing write-ups – At the end of a pen testing exercise, NIST recommends that pen testers compile a report of:
  - Vulnerabilities identified during pen testing
  - Risk ratings derived from risk assessments
  - Vulnerability and gap remediation recommendations
For the entire pen testing exercise to be effective, it is critical that all essential activities across the phases of pen testing are correctly documented. Your organization’s designated IT security team must collaborate with pen testers to streamline pen testing from start to finish. Management oversight of pen testing is also essential in supporting resourcing and will help guide the direction of pen testing exercises.
Types of Penetration Testing
The vast majority of pen tests enact all the activities detailed in the four phases above, but there are variations based on the subject matter being tested and the approach followed. There are several different kinds of pen tests, along with compliance considerations, that may impact the phases or steps your organization and its pen testing partners utilize.
External Penetration Testing
When pen testing is conducted externally, pen testers have no prior knowledge of the cybersecurity infrastructure they are testing. External pen testing is also referred to as black hat testing, meaning that testers can evaluate your cyber defenses from the perspective of a cybercriminal attempting a system breach. Stages of an external pen test include:
- Reconnaissance – Testers will search the Internet for publicly available data that they can leverage to breach an organization’s IT systems.
- Enumeration – Testers will scan assets for possible access points (e.g., external hosts).
- Evasion – Testers will attempt to avoid the first line of cyber defenses, such as:
  - Firewalls
  - Access controls
- Attacks – Testers will launch attacks in two phases:
  - Initial attacks attempt to elicit responses from front-line applications.
  - Vulnerability attacks attempt to access sensitive data environments on internal servers.
- Discovery – Testers search for additional access points, including:
  - Wireless access points
  - Internal server portals
Since external pen tests are conducted from a point of ignorance, they provide visibility into baseline security and inform threat and vulnerability management across your IT infrastructure.
Internal Penetration Testing
Unlike external pen tests, internal pen tests are conducted with an insider perspective, hence the term “white box testing.” Testers are typically provided with privileged information about the organization’s cybersecurity, which guides vulnerability testing efforts.
Depending on the specific goals of the pen test, the tester may start out with basic user privileges, which may then be escalated to conduct extensive testing on specific systems. As such, the planning phase may be partially or completely subsumed into contract negotiation, and the discovery phase may be more minimal than in truly external tests.
Internal pen testing is also critical to identifying system-level vulnerabilities such as:
- Gaps in access control measures
- Poor system configurations
To optimize overall ROI with pen testing, it helps to define the desired security outcomes of an internal pen test. The effectiveness of internal pen testing depends on how much information and direction the testers receive.
Hybrid Penetration Testing
Hybrid penetration tests leverage the strategies of internal and external pen testing to conduct “grey box testing.” Hybrid pen testing also generates deeper insight into security gaps and is typically used for long-term pen testing efforts. In terms of phases, hybrid tests may follow the four-phase approach detailed above, or a more complex six- or seven-step approach, depending on the combination of external and internal focuses.
Penetration Testing and Compliance
Beyond identifying cybersecurity vulnerabilities, penetration testing is a compliance requirement for regulatory standards such as the PCI DSS, HIPAA, and HITRUST CSF. The four phases of pen testing recommended by NIST can help maximize the effectiveness of external, internal, or hybrid pen testing, whether for NIST-specific assessments (e.g., NIST CSF, SP 800-171) or for other assessments following NIST’s general direction (e.g., HIPAA, PCI DSS).
Maximize Your Penetration Testing ROI
Contact RSI Security today to learn more about optimizing your penetration testing ROI!