
What actually happens during a penetration test

BugsLife · penetration testing · process

“Penetration test” sounds dramatic, and a lot of the mystery around it comes from not knowing what’s actually happening on the other end once you sign off. It’s not a black box, and it’s not just someone running a scanner against your login page overnight. Here’s what a proper engagement actually looks like, phase by phase.

Phase 1: Scope and rules of engagement

Before anyone touches your systems, we agree on exactly what’s being tested and how. This isn’t a formality — it protects you and it makes the test worth paying for.

This phase covers:

  • What’s in scope — specific applications, APIs, environments, IP ranges, mobile apps, or cloud infrastructure
  • What’s explicitly out of scope — production databases you don’t want touched, third-party systems you don’t own, anything that could cause an outage if handled carelessly
  • Testing windows — whether we test during business hours or off-peak, and how we handle anything that looks like it could impact uptime
  • Rules of engagement — how we handle sensitive data if we find it, escalation paths if something looks like an active incident, and who your point of contact is

Good scoping is what separates a useful pentest from a risky one. It’s also where we set expectations on timeline — most engagements can kick off within days of this being signed off.

Phase 2: Manual testing

This is the actual work, and it’s the part most people misunderstand. Automated scanners have a role — they’re fast at flagging known, low-hanging issues — but they miss almost everything that matters: business logic flaws, broken access control, chained vulnerabilities that only become dangerous combined, authentication bypasses specific to how your application is built.

A real test is manual, attacker-minded work:

  • Testers manually explore the application or infrastructure the way a real attacker would — mapping how it’s built, where trust boundaries are, and where assumptions might be wrong
  • Vulnerabilities are safely, carefully exploited to confirm they’re real and to understand actual impact — not just flagged because a tool said so
  • Every step is done within the rules of engagement agreed in phase one, so nothing surprises you mid-test

This is also usually when you’ll hear from us first — critical findings get flagged as soon as they’re confirmed, often within the first 48 hours, so you’re never sitting on a serious issue for weeks without knowing.

Phase 3: Reporting

A pentest is only as useful as the report that comes out of it. A good report isn’t a raw dump of scanner output — it’s prioritized, evidenced, and written so your engineers can act on it without needing a security background to parse it.

That means:

  • An executive summary a non-technical stakeholder can read in a couple of minutes
  • Findings ranked by real-world severity and exploitability, not just a generic CVSS score
  • Clear reproduction steps and evidence for every finding
  • Concrete remediation guidance — not just “fix this,” but how

This is also the document you’ll hand to a customer’s security team or an auditor if you need to prove you test your own security — see our post on why a pentest report matters before your first enterprise deal if that’s the situation you’re in.

Phase 4: Retest

Fixing findings is only half the job — confirming the fix actually works is what closes the loop. Once you’ve remediated what was found, we retest the specific issues to confirm they’re resolved, and that the fix didn’t introduce something new. This retest is included, not billed separately, because a report full of “fixed” claims nobody verified isn’t worth much.

What we need from you

Engagements move fastest when a few things are ready upfront: a technical point of contact, access or credentials appropriate to the scope (test accounts, API keys, a staging environment if relevant), and a heads-up to any third parties who might see unusual traffic during the testing window. That’s genuinely most of it — we handle the rest.

Ready to see it in practice?

If this is your first pentest, or you’re overdue for one, take a look at our full range of services to see how we scope engagements for different stacks and team sizes, or get in touch and tell us what you’re working with — we’ll walk you through timeline and scope before anything is signed.
