Pentest Methodology — Canonical Reference.
PTES, the craft notes on engagement sequencing, and the web-application methodology variants — consolidated into one navigable reference.
PTES — the seven phases
- Pre-engagement. Scope, rules of engagement, blackout windows, comms channel, deconfliction process, in-scope and out-of-scope assets in writing.
- Intelligence gathering. Passive OSINT first, then active recon. Hand off to vulnerability analysis only after the attack surface is mapped.
- Threat modeling. Identify the assets that matter to the client and the adversary types that target them. Reject scope items that don't move the needle.
- Vulnerability analysis. Map identified surface to known classes. Triage by impact × exploitability, not by scanner severity.
- Exploitation. Validate findings with the minimum proof of impact that survives the client's review. No client data exfiltrated beyond agreed limits.
- Post-exploitation. Persistence (if scoped), lateral movement, data discovery. Document every step in real time — you will not remember it Friday.
- Reporting. Executive summary first, technical detail second, reproduction steps third. Remediation guidance per finding, not a generic appendix.
Engagement archetype → method shape
- External black-box. Heavy on recon and OSINT. Spend 30–40% of budget there. Assume detection.
- Internal assumed-breach. Skip recon, start with credential plumbing and AD enumeration. BloodHound on day one.
- Web-app grey-box. Walk every authenticated role end to end before probing for vulns. Business logic is the highest-value class.
- Red team / objective-based. Define detection budget upfront. Every tool choice trades stealth against time. Deconfliction call template must exist before kickoff.
Day-rhythm of a senior tester
- Morning. Re-read yesterday's notes. Pick the single most promising thread and pursue it for two hours before context-switching.
- Midday. Update the running findings log. A finding without a screenshot is a finding that will be argued.
- Afternoon. Tooling, automation, broad scans that need wall-clock time. Triage results as they land.
- End of day. Five-line status note to the engagement channel: what was done, what was found, what's blocked, what's next, when next status.
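The triage rule in the vulnerability-analysis phase (impact × exploitability, not scanner severity) and the midday rule that a finding without evidence will be argued, worked through as an added example. This is illustrative code written for this note, not tooling from PTES or any named project; the Finding fields, the 1..5 scales and the sample findings are assumptions constructed here.

```python
from dataclasses import dataclass

# Scanner labels only break ties; they never outrank impact x exploitability
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


@dataclass(frozen=True)
class Finding:
    title: str
    scanner_severity: str   # label the scanner assigned
    impact: int             # 1..5: effect on the assets the client actually cares about
    exploitability: int     # 1..5: how practical exploitation is in this environment
    evidence: tuple = ()    # screenshots / captured requests backing the finding


def triage_score(f: Finding) -> int:
    """Impact x exploitability, the ordering the methodology calls for."""
    for v in (f.impact, f.exploitability):
        if not 1 <= v <= 5:
            raise ValueError(f"{f.title}: impact and exploitability must be 1..5")
    return f.impact * f.exploitability


def scanner_order(findings):
    """Titles ranked the way a scanner report would present them."""
    return [f.title for f in sorted(findings, key=lambda f: SEVERITY_RANK[f.scanner_severity], reverse=True)]


def triage_order(findings):
    """Titles ranked by triage score; scanner severity is only a tie-breaker."""
    def key(f):
        return (triage_score(f), SEVERITY_RANK[f.scanner_severity])
    return [f.title for f in sorted(findings, key=key, reverse=True)]


def unevidenced(findings):
    """Findings that will be argued: nothing captured to back them up yet."""
    return [f.title for f in findings if not f.evidence]


# Constructed sample findings for illustration, not from any real engagement
SAMPLE = (
    Finding("TLS 1.0 enabled on legacy appliance", "high", 1, 2, ("tls-scan.png",)),
    Finding("IDOR on invoice download exposes customer PII", "medium", 5, 5, ("idor-req.txt", "idor.png")),
    Finding("Outdated jQuery on marketing site", "medium", 2, 1, ("jquery-ver.png",)),
    Finding("Default credentials on internal CI server", "critical", 5, 4),
)

if __name__ == "__main__":
    print("scanner order :", scanner_order(SAMPLE))
    print("triage order  :", triage_order(SAMPLE))
    print("needs evidence:", unevidenced(SAMPLE))
```

The scanner-severity ordering buries the IDOR (a medium by the scanner, the top finding by impact × exploitability), and the CI-server finding cannot go in the report until a screenshot is attached.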
Rule of thumb
If the methodology says one thing and the target says another, the target wins. Tear up the plan and write it again. The methodology is a starting position, not a contract.