A penetration test is not a scan. It is a structured process that mirrors how a real attacker works, from mapping your surface to proving a chain of weaknesses can reach real data.
Understanding that process matters whether you are buying a penetration test, preparing for one, or evaluating a report. It tells you what the tester should actually be doing at each stage, and what a thorough engagement looks like versus a checklist run.
This guide walks the full process, phase by phase, grounded in the recognized standards and mapped to how a modern, continuous test actually runs. It is the pillar for our deeper pieces on access models, cost, and how AI penetration testing works.
What CodeAnt AI solves here: CodeAnt AI runs this whole process continuously and code-aware, across your code, cloud, and external surface. Findings arrive with a working proof of concept, and you pay only for confirmed critical issues. It also one of those vendors offering 48-hour delivery.
What is a Penetration Testing Methodology?
A penetration testing methodology is the documented standard that defines how a test should be run, so results are repeatable, comprehensive, and comparable across engagements. Without one, two testers could look at the same system and cover completely different ground.
A methodology answers what gets tested, in what order, and to what depth. The process is the sequence a tester actually follows on the ground, and in practice the two line up closely.
The value is consistency. A defined methodology is also what auditors expect to see behind a SOC 2 or PCI report, since it proves the engagement covered the surface it claimed to.
The Penetration Testing Frameworks and Standards
Several open standards define how pentesting should be done, and a serious engagement follows one or blends several. These are worth knowing, because a report that references a recognized framework is easier to trust.
Framework | Focus | Best for |
|---|---|---|
Seven-phase end-to-end methodology | General penetration testing structure | |
Web application testing checklist | Web apps and APIs | |
Technical assessment guide, four stages | Compliance and government context | |
Operational security metrics | Measurable, repeatable scope | |
Adversary tactics and techniques | Mapping findings to real attacker behavior |
The differences are mostly emphasis and phase count. NIST describes four stages, PTES defines seven, and the commonly taught model uses five. The underlying work is the same, which is what the next section walks through.
The Phases of Penetration Testing
Here is the full lifecycle. Frameworks group and name these differently, but every methodology maps to the same seven-phase flow.
Phase 1. Planning and scoping
Everything starts with scope and authorization. This phase defines which systems are in scope, the rules of engagement, the testing windows, and the legal authorization that makes the test lawful.
It also sets the access model. A black box, white box, or gray box test is decided here, and that choice shapes every phase after it. Getting scope right is what keeps a test both safe and useful.
Phase 2. Reconnaissance

Reconnaissance builds the most complete picture possible of the target. The tester maps everything externally visible, including subdomains, IP ranges, exposed services, open ports, and leaked credentials sitting on the open internet, plus which threat actors are actively probing the target.
This is where many engagements go shallow and where depth pays off. The more surface you map, the more attack paths you can find, since development and staging environments and forgotten legacy hosts are often the weakest points.
Phase 3. Scanning and enumeration
With the surface mapped, the tester enumerates what is actually running and reachable. Service discovery identifies the software and versions behind each exposed port, and reachability analysis works out what can genuinely be touched from the outside.
The exposed surface is almost always larger than expected. This phase turns a list of hosts into a ranked set of candidate weaknesses worth trying to exploit.
Phase 4. Exploitation
This is where risk gets proven rather than guessed. The tester attempts to exploit the candidate weaknesses, confirming which are real and which are false positives that a scanner flagged but no attacker could use.
Exploitation is the line between a vulnerability list and a penetration test. A finding that ships with a working proof of concept, a curl command or script that demonstrates the issue, is worth far more than a severity score alone. Common targets here include IDOR and broken authorization, injection flaws, and authentication bypasses.
Phase 5. Post-exploitation and chaining
A single flaw is rarely the whole story. The most damaging breaches come from chaining individually minor issues into a path that reaches real data.
In this phase the tester chains vulnerabilities, threats, and root causes together into attack paths, moving laterally where possible to see how far an intrusion could go. Those chains map cleanly to MITRE ATT&CK techniques, which is how a set of findings becomes a story about business impact. This is exactly the chaining that AI penetration testing traces end to end.
Phase 6. Analysis and reporting
The findings are validated, prioritized, and documented. A strong report includes a working proof of concept for every finding, the root cause traced to the exact location where the access model allows, CVSS scoring, and a clear remediation path.
For regulated teams, this phase also produces the evidence auditors expect for SOC 2, ISO 27001, and HIPAA. Good reporting is what turns a test into action, so findings that cannot be reproduced are worth little.
Phase 7. Remediation and retest
The test is not finished when the report lands. The final phase confirms that fixes actually worked, by re-running the original exploit against the remediated system.
Retesting is what closes the loop. Whether it is included or billed separately changes the true cost of an engagement, which is one reason the pricing model matters as much as the process.
How the Access Model Shapes the Process
The seven phases stay the same, but what happens inside each one depends on how much the tester knows going in. That access dimension is its own decision.
Black box runs the process from the outside with no access. White box runs it with full source and configuration visibility, which turns reconnaissance and scanning into a code and cloud review. Gray box combines the two, using inside knowledge to attack from the outside. We break all three down in the black box vs white box vs gray box guide.
How Modern Penetration Testing Changed the Process
Phase 1
Passive Recon
Maps your full attack surface, subdomains, open ports, exposed configs, and known CVEs, without touching your systems.





Passive Recon
App Intelligence
500+ Agents
Attack Chains
Evidence
The classic process assumed a slow release cycle and a once-a-year test. Both assumptions are gone, and that has reshaped how the phases run.
Testing cadence moved from annual to quarterly, monthly, and per feature, because a team shipping weekly ships dozens of releases between two point-in-time tests. A vulnerability introduced today can sit exploitable for months, which no annual engagement can catch.
That pushed the process toward one continuous system that understands how code ships, what already exists in the codebase, and how the network, cloud, and external surface look, then runs the phases on every change. The continuous testing guide covers the mechanics, and the AI penetration testing deep-dive covers how automation runs recon, exploitation, and validation at machine speed.
Outcome-Based Pentesting, in Brief
There is one more shift worth naming, and it is about incentives rather than phases. The traditional model bills researcher hours upfront, whether or not the test finds anything critical, so it optimizes for a signed report on schedule.
Outcome-based testing charges for results instead, so you pay only for confirmed, critical, exploitable findings. That aligns the tester's incentive with going deep on every engagement, and we cover the economics in the penetration testing cost guide.
How CodeAnt Runs the Process
CodeAnt runs all seven phases as one continuous, code-aware system rather than a periodic engagement. Because it reads your code, cloud, and external surface together, reconnaissance and scanning start with context instead of guesswork, and exploitation targets the paths that actually reach data.
The output is evidence. Findings arrive with a working proof of concept and the code path behind them, chains map to real business impact, retests confirm the fix held, and you get audit-ready proof for SOC 2, ISO 27001, and HIPAA. Because the model is outcome-based, you pay only for the critical issues it proves. You can see the offensive side on the pentesting page or explore the vulnerability database behind it.
The Bottom Line on the Penetration Testing Process
A penetration test is a disciplined process, not a single scan. It moves from planning and reconnaissance through scanning, exploitation, and chaining, then lands on proof and a validated fix, and every recognized framework maps to that same flow.
What changed is the cadence and the incentive. The process now runs continuously instead of once a year, code-aware instead of blind, and outcome-based instead of billed by the hour, testing from the outside with knowledge of your code from the inside.
That is the model CodeAnt runs. It also one of those vendors offering 48-hour delivery. Ready to see the process against your own stack? Launch a free black box scan for one URL, then book a walkthrough to see continuous, code-aware testing end to end.
FAQs
What are the phases of penetration testing?
How many steps are in a penetration test?
What is the penetration testing execution standard (PTES)?
What is the difference between a penetration testing methodology and a process?
How long does a penetration test take?











