Pentesting Methodology

A penetration test is only as good as the approach behind it. This page explains how I structure engagements so they are realistic, repeatable and transparent — and so that you know exactly what to expect at each step.

Core Principles

Authorized and controlled — all work is scoped and approved in writing.
Risk-focused — emphasis on real-world impact, not just raw vulnerability counts.
Evidence-based — every finding is backed by clear proof-of-concept or reproduction steps.
Actionable — reports are written so your team actually knows what to do next.

Typical Engagement Phases

1. Scoping & Planning

Define assets, environments and user roles in scope
Agree objectives, constraints and success criteria
Set testing windows and communication channels
Document everything in SoW and Rules of Engagement

2. Reconnaissance

Map exposed services, endpoints and technologies
Identify entry points for authenticated and unauthenticated users
Review documentation and client-provided information
Highlight obvious misconfigurations or weak points early

3. Vulnerability Analysis

Combine manual analysis with trusted tooling
Look for misconfigurations, outdated components and insecure defaults
Assess attack surface from the perspective of different roles
Prioritise findings by likelihood and impact

4. Exploitation & Abuse of Logic

Attempt to exploit identified weaknesses where safe and agreed
Chain issues together to demonstrate realistic attack paths
Test business logic and workflow abuse, not just technical bugs
Avoid unnecessary disruption to production systems

5. Post-Exploitation & Impact

Assess how far an attacker could pivot or escalate access
Identify data exposure, privilege escalation and lateral movement opportunities
Document “what could have happened” in clear business terms
Respect boundaries agreed in scope at all times

6. Reporting & Retesting

Deliver structured report with executive summary and technical detail
Prioritised remediation plan with clear next steps
Optional walkthrough call to explain findings and answer questions
Retesting of critical issues where agreed

Methodology by Engagement Type

Web & API Testing

For web and API assessments, I follow an approach inspired by the OWASP Testing Guide and OWASP API Security Top 10, adapted to your specific architecture and risk profile.

Authentication and session management testing
Access control and multi-tenant isolation checks
Input validation, injection and deserialization tests
File upload, storage and data exposure testing
Abuse of business logic and workflow manipulation

Network & Infrastructure

Network tests simulate how an attacker would approach your exposed services or internal environment within the agreed ranges and constraints.

Host discovery, service enumeration and banner analysis
Weak protocols, default credentials and misconfigurations
Outdated software and publicly known vulnerabilities (CVEs)
Opportunities for lateral movement and privilege escalation

Social Engineering & Scenarios

For phishing and scenario-based work, the focus is on realism without causing harm.

Carefully designed, realistic pretexts aligned with your industry
Controlled phishing campaigns and simulated attacks
Measurement of response, reporting and escalation paths
Feedback to strengthen awareness and processes, not blame individuals

What You Get at the End

Executive summary for leadership and non-technical stakeholders.
Technical details of each finding with evidence and impact.
Risk ratings and prioritisation so you know what to fix first.
Remediation guidance your team can actually implement.
Optional retest to verify that key issues are fully resolved.

To see what this looks like in practice, you can review a sample report structure or book a pentest to discuss your environment.