Do you still think all hackers are bad? Actually, many are on the good side: they are cybersecurity specialists who are responsible for protecting the information and systems we use every day. These “ethical hackers” help companies stay one step ahead of real attackers. One of the most important tools they use is pentesting, or penetration testing.
If you haven't read our article on what pentesting is, here's a brief summary: it's a controlled test that simulates a cyberattack to detect security flaws before someone with malicious intent exploits them.
These tests are not improvised. It all starts with a planning phase, where you define what you are going to evaluate and what objectives you want to achieve. Then, you gather information about the environment, identify assets (such as servers, networks, and applications), and analyze whether there are any weaknesses that could be exploited.
If flaws are detected, they are tested safely to see how serious they are and what impact they would have in the event of a real attack. Finally, a detailed report is prepared with the findings, recommendations for fixing them, and a suggestion for when to re-evaluate to verify that everything has been corrected.
What are the phases of pentesting or penetration testing?
Now that you know what pentesting is, we will explain step by step what pentesters do, what tools they use, and what techniques they apply to detect flaws and vulnerabilities in systems, networks, and applications.
1. Reconnaissance phase
Once you've figured out which part of the system you're going to test (like domains, IPs, or specific apps), the first thing you do in pentesting is reconnaissance. This phase is super important because you can't analyze or attack what you don't know. Doing good reconnaissance can make the difference between a successful test and one that misses important vulnerabilities.
There are two types of reconnaissance: passive and active. Passive reconnaissance involves gathering as much information as possible without directly interacting with the company's systems. For example, you can review public records such as DNS or WHOIS, explore subdomains, discover technologies used with tools such as Wappalyzer or BuiltWith, or perform OSINT searches on sources such as Shodan or Netlas. You can also find metadata or files with sensitive data (such as leaked usernames and passwords) using techniques such as Google Hacking or tools such as FOCA or GooFuzz.
Active reconnaissance, on the other hand, does involve interacting with the target systems. Here, tools such as Nmap or RustScan are used to scan ports, or Burp Suite to find hidden paths on websites. However, this phase requires much more care: generating traffic can trigger security alarms, and firewalls (such as WAFs) can block the pentester if they detect suspicious activity.
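The alarms mentioned above are worth seeing from the defender's side. The following is an added example, not code from the original article: a small Python detector that reads firewall log lines and flags a source address that touches many distinct ports in a short window, which is what an active port scan looks like in the logs. The log format, the addresses, the 60-second window and the threshold of 10 ports are all assumptions made up for the example.

```python
"""Flag port-scan-like activity in firewall logs (added example, not from the article)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log lines in an invented syslog-like format; the addresses come
# from documentation ranges. 203.0.113.5 probes eleven ports in ten seconds,
# while 198.51.100.7 is an ordinary client that only talks to the web ports.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443
2024-05-01T10:00:02Z DENY  src=203.0.113.5 dst=192.0.2.10 dport=21
2024-05-01T10:00:03Z ALLOW src=203.0.113.5 dst=192.0.2.10 dport=22
2024-05-01T10:00:04Z DENY  src=203.0.113.5 dst=192.0.2.10 dport=23
2024-05-01T10:00:05Z DENY  src=203.0.113.5 dst=192.0.2.10 dport=25
2024-05-01T10:00:06Z DENY  src=203.0.113.5 dst=192.0.2.10 dport=53
2024-05-01T10:00:07Z ALLOW src=203.0.113.5 dst=192.0.2.10 dport=80
2024-05-01T10:00:08Z DENY  src=203.0.113.5 dst=192.0.2.10 dport=110
2024-05-01T10:00:09Z DENY  src=203.0.113.5 dst=192.0.2.10 dport=143
2024-05-01T10:00:10Z ALLOW src=203.0.113.5 dst=192.0.2.10 dport=443
2024-05-01T10:00:11Z DENY  src=203.0.113.5 dst=192.0.2.10 dport=445
2024-05-01T10:00:12Z DENY  src=203.0.113.5 dst=192.0.2.10 dport=3389
2024-05-01T10:00:15Z ALLOW src=198.51.100.7 dst=192.0.2.10 dport=80
2024-05-01T10:00:20Z ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443
2024-05-01T10:02:00Z ALLOW src=198.51.100.7 dst=192.0.2.10 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>\S+)\s+dst=\S+\s+dport=(?P<dport>\d+)$"
)


def parse_log(text: str) -> List[Tuple[datetime, str, int]]:
    """Turn raw lines into (timestamp, source, destination port) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it rather than abort the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], int(m["dport"])))
    return events


def max_ports_in_window(events, window: timedelta) -> Dict[str, Tuple[int, datetime]]:
    """For each source, the largest number of distinct destination ports it touched
    within any window of the given length, and when that window started."""
    by_src: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, src, dport in events:
        by_src[src].append((ts, dport))
    result = {}
    for src, evs in by_src.items():
        evs.sort()
        best, best_start = 0, evs[0][0]
        for i, (start, _) in enumerate(evs):
            # Distinct ports seen from this event until the window closes.
            ports = {p for t, p in evs[i:] if t - start <= window}
            if len(ports) > best:
                best, best_start = len(ports), start
        result[src] = (best, best_start)
    return result


def detect_scans(text: str, window_seconds: int = 60, threshold: int = 10):
    """Return (source, distinct_ports, window_start) for every source at or over the
    threshold. Window and threshold are tuning knobs; these values are assumptions."""
    stats = max_ports_in_window(parse_log(text), timedelta(seconds=window_seconds))
    alerts = [(src, n, start) for src, (n, start) in stats.items() if n >= threshold]
    return sorted(alerts, key=lambda a: a[1], reverse=True)


if __name__ == "__main__":
    for src, n, start in detect_scans(SAMPLE_LOG):
        print(f"possible port scan from {src}: {n} distinct ports starting {start.isoformat()}")
```

Run on the sample, it reports only 203.0.113.5 (11 distinct ports within 60 seconds); the legitimate client never exceeds two. Raising the threshold above 11 silences the alert, which is the trade-off every scan-detection rule makes between noise and missed slow scans.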
2. Vulnerability scanning phase
After reconnaissance has been carried out and a good map of the system has been obtained, it is time to look for specific vulnerabilities. In this phase, pentesters focus on thoroughly understanding how the systems are configured, what software versions are being used, and whether there is anything that could pose a security risk.
To do this, they don't do everything by hand (that would be completely crazy). They rely on tools such as Nmap, Nessus, Acunetix, WPScan, or SQLMap, which allow them to automate much of the process. These tools compare what they find with huge databases of known vulnerabilities, making it much faster to detect if something is out of date, misconfigured, or simply broken.
During the scan, many requests are sent to the system, which can generate a lot of traffic and raise the occasional alert in security systems (if they are properly configured, of course). Even so, it is worth it, because this is where flaws such as the following usually appear:
- Design errors in the software that allow things to be done that should not be possible.
- Old or unsupported versions that have known vulnerabilities but no patches.
- Authentication issues, such as weak passwords or poor permission management.
- Poorly implemented APIs that can expose sensitive data.
- And options for uploading dangerous files, such as malware or malicious scripts.
Although these tools are extremely useful, they are not magical or infallible. Sometimes they show things that do not exist (false positives) or fail to detect real problems (false negatives). That is why it is essential for the pentester to be experienced, know how to interpret the results, and not blindly trust the scanner. In short: the tool helps, but it is the person using it who makes the difference.
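To make the "compare what they find against known versions" step concrete, here is an added example in Python; it is not code from the article or from any of the tools it names. It parses the XML that Nmap writes with its -oX option, builds an inventory of open services, flags any whose detected version is below an organisation's baseline, and leaves every finding marked as unverified so that nothing is reported as real until a person has checked it. The hosts, products, versions and the baseline table are all constructed for the example.

```python
"""Parse Nmap XML output and flag out-of-date services (added example, not from the article)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape Nmap writes with -oX. Hosts, products and
# versions are invented; the filtered MySQL port shows that closed or filtered
# ports are ignored by the parser.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/28">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.29"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/>
        <service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="https" product="nginx" version="1.24.0"/></port>
      <port protocol="tcp" portid="21"><state state="open"/>
        <service name="ftp" product="vsftpd"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed baseline: the oldest version of each product the organisation still
# treats as supported. A real engagement takes these from vendor lifecycle pages
# and the vulnerability database in use, not from a hard-coded table.
MIN_SUPPORTED = {
    "OpenSSH": "8.0",
    "Apache httpd": "2.4.50",
    "nginx": "1.20.0",
}


@dataclass
class Service:
    host: str
    port: int
    proto: str
    name: str
    product: Optional[str]
    version: Optional[str]


@dataclass
class Finding:
    service: Service
    reason: str
    # Scanner output is evidence, not proof: a finding stays unverified until a
    # pentester has reproduced it by hand (false positives are common).
    verified: bool = False


def parse_version(v: str) -> Tuple[int, ...]:
    """'7.4p1' -> (7, 4); '2.4.29' -> (2, 4, 29). Non-numeric suffixes are dropped."""
    parts = []
    for comp in v.split("."):
        m = re.match(r"\d+", comp)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_nmap_xml(xml_text: str) -> List[Service]:
    """Return one Service per open port, with whatever version detection identified."""
    root = ET.fromstring(xml_text)
    services = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            services.append(Service(
                host=addr_el.get("addr"),
                port=int(port.get("portid")),
                proto=port.get("protocol"),
                name=svc.get("name") if svc is not None else "unknown",
                product=svc.get("product") if svc is not None else None,
                version=svc.get("version") if svc is not None else None,
            ))
    return services


def assess(services: List[Service], baseline=MIN_SUPPORTED) -> List[Finding]:
    """Flag services below the baseline, and services the scanner could not version."""
    findings = []
    for s in services:
        if s.product is None or s.version is None:
            findings.append(Finding(s, "version not identified by scanner; check manually"))
        elif s.product in baseline and parse_version(s.version) < parse_version(baseline[s.product]):
            findings.append(Finding(s, f"{s.product} {s.version} is below baseline {baseline[s.product]}"))
    return findings


if __name__ == "__main__":
    for f in assess(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print(f"{f.service.host}:{f.service.port}/{f.service.proto} {f.service.name}: {f.reason}")
```

On the sample this yields three findings: the old OpenSSH and Apache builds on the first host, and the FTP service on the second, whose version the scanner could not determine. The nginx instance passes. Note that an "old version" flag is exactly the kind of result that can be a false positive: distributions backport fixes without changing the upstream version string, which is why the verified flag starts out false.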
3. Exploitation phase
We have reached the most exciting part of pentesting: the exploitation phase. This is where cybersecurity specialists spring into action and test whether the vulnerabilities they have found can actually be exploited. In other words, it is no longer just a matter of detecting flaws, but of seeing how dangerous they could be in real life.
If a vulnerability is exploitable, its impact is assessed: is it easy to exploit? Does it require prior access? What kind of information could be leaked? Could it affect the availability, integrity, or confidentiality of the system? Depending on the case, the results can be serious: from gaining unauthorized access, stealing confidential data from employees or customers, to paralyzing servers or even taking complete control of the company's network. Yes, it sounds serious, and it is.
That's why pentesters don't improvise. They follow established methodologies, such as those published by OWASP, which offer clear guidelines on how to identify, exploit, and mitigate security flaws. Each system has its own weaknesses, so attacks vary depending on what is being evaluated. Some examples of what is usually tested:
- Active Directory: They look for flaws in how permissions, authentication, or shared resources are managed, with the idea of escalating privileges and seeing if they could gain control of the entire network.
- Web servers: Here, attacks such as SQL injection, XSS, remote command execution (RCE), or access control errors may appear.
- CMS (such as WordPress or Drupal): In addition to their own flaws, plugins can be a huge hole if they are poorly designed or out of date.
- FTP servers and databases: They attack to see if there are weak credentials, misconfigurations, or vulnerabilities that allow access to sensitive information.
- Mail servers: They evaluate how well protected they are against phishing, identity theft, weak passwords, and whether two-factor authentication is used.
And something super important: everything is documented. Every attempt, every technique used, whether it worked or not, is recorded. Why? Because this not only helps maintain transparency, but also allows others on the team to replicate tests, improve processes, and work in a more coordinated manner.
4. Post-exploitation phase
When pentesters manage to exploit a vulnerability and enter the system, the work does not end there... in fact, that is when the real work begins. In this phase, called post-exploitation, that access is used to move within the system, explore what else can be found, and see how far a real attacker could go if they managed to enter.
Once inside, it is common to discover hidden services, unmapped routes, or assets that were not visible from the outside. That is why it is key to continue gathering information from the inside, now with direct access. This can include internal servers, shared folders, databases, IoT devices, or poorly protected resources that were not visible from the outside.
They also seek something essential: maintaining access. Pentesters try to establish “persistence” in the system, that is, leave a backdoor, a scheduled task, or a covert connection so they can return later without having to exploit the same flaw again. All this, of course, without being detected.
And if they still don't have full access, the next step is to move laterally across the network, taking advantage of found credentials or internal vulnerabilities. They may even try to escalate privileges to gain more control, such as moving from a regular user to an administrator.
All of this helps to measure the real impact of the breach: how deep an attacker can go and how serious it would be if this actually happened. In the end, the goal is clear: to understand the scope of the problem and propose solutions that close all the doors that have been found open.
5. Reporting and mitigation phase
After all the analysis, scans, and tests, it's time to close the pentesting cycle with a very important part: the final report. This is where all the security flaws that were found are laid out, prioritized according to their severity, and solutions are proposed to correct them and strengthen the security of the system.
This report is not just a “technical summary.” It is the tool that will help the company understand how exposed it is and what it can do about it. Therefore, it is essential that it be well structured and designed for its intended audience. Talking to a technical team is not the same as talking to management.
Normally, two types of reports are prepared: a more technical one, for cybersecurity teams, detailing all the vulnerabilities found, how they were detected, how to reproduce them, and what to do to fix them step by step. And another more executive one, designed for decision-makers who do not necessarily have a technical background. This summarizes the risks, the impact on the business, and the key actions that should be prioritized.
In addition, vulnerabilities are classified by risk level so that the company knows where to start. And beyond specific fixes, general best practices are also often included to prevent future problems. Because yes, fixing current flaws is important, but preventing future ones is even more so.
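The two-audience report and the risk classification described above can be driven from a single list of findings. The following is an added example in Python, not a template from the article or from any vendor: each finding carries a likelihood and an impact score, a 3x3 matrix turns them into a qualitative level, and the same prioritised list is rendered once for the technical team (with reproduction and fix steps) and once for management (counts per level plus the top actions). The matrix, the field names and the sample findings are all assumptions made for the example; many programmes use CVSS or their own scale instead.

```python
"""Prioritise pentest findings and render technical and executive views (added example)."""
from dataclasses import dataclass
from typing import Dict, List

LEVELS = ["Low", "Medium", "High", "Critical"]  # lowest to highest


@dataclass
class Finding:
    title: str
    asset: str
    likelihood: int          # 1 = unlikely, 2 = possible, 3 = likely
    impact: int              # 1 = minor, 2 = significant, 3 = severe
    reproduction: List[str]  # steps the technical team can follow
    fix: List[str]           # remediation steps
    business_effect: str     # one line for decision-makers


def risk_level(likelihood: int, impact: int) -> str:
    """Qualitative level from a 3x3 likelihood x impact matrix (assumed for this example)."""
    score = likelihood * impact  # 1..9
    if score >= 9:
        return "Critical"
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; ties broken by title so the order is stable between runs."""
    return sorted(findings, key=lambda f: (-LEVELS.index(risk_level(f.likelihood, f.impact)), f.title))


def count_by_level(findings: List[Finding]) -> Dict[str, int]:
    counts = {lvl: 0 for lvl in LEVELS}
    for f in findings:
        counts[risk_level(f.likelihood, f.impact)] += 1
    return counts


def technical_report(findings: List[Finding]) -> str:
    """Full detail for the security team: how to reproduce and how to fix, in risk order."""
    lines = ["# Technical findings", ""]
    for i, f in enumerate(prioritise(findings), 1):
        lines += [f"## {i}. [{risk_level(f.likelihood, f.impact)}] {f.title}",
                  f"Asset: {f.asset}", "", "Reproduction:"]
        lines += [f"  {n}. {s}" for n, s in enumerate(f.reproduction, 1)]
        lines += ["", "Remediation:"]
        lines += [f"  - {s}" for s in f.fix]
        lines.append("")
    return "\n".join(lines)


def executive_summary(findings: List[Finding], top_n: int = 3) -> str:
    """Counts per level and the few actions management should fund first."""
    counts = count_by_level(findings)
    lines = ["# Executive summary", "",
             "Findings by risk: " + ", ".join(f"{counts[l]} {l}" for l in reversed(LEVELS)),
             "", "Priority actions:"]
    for f in prioritise(findings)[:top_n]:
        lines.append(f"  - {f.title} ({risk_level(f.likelihood, f.impact)}): {f.business_effect}")
    return "\n".join(lines)


# Constructed sample findings; hosts and details are invented for the example.
SAMPLE_FINDINGS = [
    Finding("Outdated WordPress plugin", "www.example.com", 3, 2,
            ["Compare the installed plugin version with the vendor changelog",
             "Confirm the version string is visible to unauthenticated users"],
            ["Update the plugin", "Enable automatic plugin updates"],
            "Known flaws in public plugin versions are exploited at scale."),
    Finding("SQL injection in login form", "www.example.com", 3, 3,
            ["Submit malformed input in the username field",
             "Observe the database error returned in the response"],
            ["Use parameterised queries", "Return generic error messages"],
            "Customer data could be read or altered by anyone on the internet."),
    Finding("No MFA on webmail", "mail.example.com", 2, 2,
            ["Log in to webmail with a test account", "Note that only a password is requested"],
            ["Enforce multi-factor authentication for all mailboxes"],
            "A single phished password gives full access to a mailbox."),
    Finding("Verbose server version header", "www.example.com", 2, 1,
            ["Inspect the Server header on any response"],
            ["Suppress version details in the Server header"],
            "Makes it easier for attackers to pick known weaknesses to try."),
]

if __name__ == "__main__":
    print(executive_summary(SAMPLE_FINDINGS))
    print()
    print(technical_report(SAMPLE_FINDINGS))
```

Both views come from the same data, so the technical and executive reports can never disagree about what was found or how severe it is; only the level of detail changes. Keeping likelihood and impact separate, rather than storing a single "severity" label, also lets the company re-rank findings later as its environment changes.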
Conclusion
Performing pentesting in a company is not just a good idea, it is a necessity. Detecting vulnerabilities before attackers do can mean the difference between a scare and a serious security breach. As you have seen throughout the five phases, pentesting allows you to test the security of systems, networks, and applications using the same techniques that a cybercriminal would use... but in a controlled environment without real risks.
A good pentest is not just about finding flaws, but understanding the impact they could have. Not investing in cybersecurity can cost you much more in the long run: data loss, service outages, leaks of sensitive information, or damage to your company's reputation.
In addition, everything discovered in the test is documented in a clear and actionable report. This report not only helps to correct what is wrong, but also serves as a roadmap for strengthening security in the future. In short, it improves your security posture and prepares you for whatever may come.
And if all this sounds too complicated, don't worry. At TecnetOne, we have a team of ethical hackers certified in HTB (Hack The Box) and ISO 27001, ready to help you. We offer pentesting services tailored to the needs of each company, with professional methodologies, detailed reports, and personalized advice so you can make smart decisions and protect your most valuable assets. Your security starts with a test. Ready to put it to the test?