How to Conduct a
Standard Penetration Text

A penetration test (AKA Pen Test) is a crucial part of ensuring your organization’s security. In a typical penetration test, a team simulates a cyber-attack against your critical systems (like your network or data center) to discover vulnerabilities that could be exploited in a real attack.


In this blog, we’ll break down the five stages of penetration testing into a simple checklist.

Step One: Goals and Scope

This is the planning stage where you identify which systems you will be testing and what methods should be used.

  • Create a list of the systems you will test.
  • Define which methods you will use to attempt to gain access to those systems.
  • Gather information (like domain names or mail servers) to use during the simulated attack.

In this stage, it may be beneficial to partner with a managed service provider like PCS to get an outside view of your systems and to prevent internal bias.

Step Two: Reconnaissance

In a real cyberattack, the bad actors will attempt to understand how the target systems respond to intrusions.
Here are the steps cybercriminals usually take that your team should emulate during a penetration test:.

  • Inspect application code. Usually, the entire code is inspected in a single pass.
  • Inspect the application code while it is running. This provides even greater detail into the performance of your systems.

In this stage, it may be beneficial to partner with a managed service provider like PCS to get an outside view of your systems and to prevent internal bias.

Step Three: Infiltrate

In this stage, bad actors use web application attacks like cross-site scripting to uncover vulnerabilities.
As your Pen Test Team copies these steps, they should then:

  • Attempt to escalate privileges.
  • Access and steal data.
  • Intercept traffic.

Bad actors will exploit any vulnerability they find in order to understand to what extent
they can penetrate your organization’s systems.

Step Four: Persist

Once cybercriminals have gained access to your systems, they will attempt to maintain access and establish a solid presence long enough to gain access to sensitive data. Cybercriminals (and your Pen Test Team) will attempt to:

  • Create advanced persistent threats (APTs).
  • Sabotage critical organization infrastructure.
  • Gain access to your company website and make changes.
  • Steal sensitive information (like social security numbers or private user data).
  • Steal intellectual property (like patents or trade secrets).

Step Five: Resolve

Your final step is to compile a report of the performance of your systems during the simulated attacks. This report will be used to strengthen your security and train your IT team. Make sure to:

  • Specify vulnerabilities that were exploited.
  • List sensitive data that was “lost” or stolen.
  • Specify the amount of time the threat remained undetected.

Get Help from Experts

Penetration tests are extensive undertakings. Not every in-house IT team has the resources to conduct one effectively. That’s where PCS steps in. Our highly-trained engineers can conduct penetration tests for you, bringing the added benefits of an outside perspective and helping you maintain compliance.

Save your IT team countless man-hours. Learn more by booking a discovery call with us today.