What Most Penetration Tests Get Wrong

The security industry has a penetration testing problem. Too many “pentests” are little more than automated vulnerability scanner runs with a PDF report stapled on. They surface the same scanner-detectable issues every time, miss the access-control and business-logic flaws that actually matter, and leave clients no clearer on their real risk.

We built our engagement methodology around one principle: we test what attackers actually do, not what scanners can find.

Phase 1: Scoping and Rules of Engagement

Before touching a single system, we establish:

  • Target scope: IP ranges, domains, applications — what is explicitly in and out of scope
  • Test type: Black-box (zero knowledge), grey-box (partial knowledge), white-box (full knowledge)
  • Rules of engagement: What actions are prohibited (data exfiltration, DoS, destructive testing)
  • Emergency contacts: Who to call if testing causes an outage or trips the client's incident response process
  • Success criteria: What does a successful engagement look like? Domain admin? PII access? Lateral movement?

This phase typically takes 2-3 days of back-and-forth. Clients who want to skip it should look elsewhere: a pentest without proper scoping is a liability, not security.

Phase 2: Passive and Active Reconnaissance

We spend more time in recon than most firms. Attackers are patient; your pentest should be too.

Passive OSINT

- Shodan/Censys for internet-exposed services
- Certificate transparency logs (crt.sh) for subdomain enumeration
- LinkedIn for org chart and technology stack intelligence
- Historical DNS (SecurityTrails, VirusTotal passive DNS)
- GitHub for leaked credentials, API keys, infrastructure hints
- Job postings for technology stack inference
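One concrete step from the passive list above, written as an added example rather than any tooling of the firm's: take the JSON that crt.sh returns for a %.example.com query and reduce it to a scoped target list. The sample input is constructed for the example (crt.sh's real field names, made-up entries), and the function names in_scope and extract_hosts are this example's own. It handles the details that bite in practice: multi-name name_value fields, wildcard entries, case and trailing dots, and look-alike names that end with the scope string but belong to someone else's zone.

```python
import json

# Constructed stand-in for the JSON that https://crt.sh/?q=%25.example.com&output=json
# returns (same field names; the entries themselves are made up for this example).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 101, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com"},
    {"id": 102, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "common_name": "*.staging.example.com",
     "name_value": "*.staging.example.com"},
    {"id": 103, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "common_name": "VPN.Example.COM",
     "name_value": "VPN.Example.COM\nmail.example.com."},
    {"id": 104, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "common_name": "example.com.attacker-cdn.net",
     "name_value": "example.com.attacker-cdn.net"},
    {"id": 105, "issuer_name": "C=US, O=Example CA, CN=Example Issuing CA",
     "common_name": "api.example.com",
     "name_value": "api.example.com\nlegacy-api.example.com\nwww.example.com"},
])


def in_scope(host: str, scope_domain: str) -> bool:
    """Label-aware suffix match: example.com.attacker-cdn.net ends with the
    string 'example.com' but is not under the example.com zone."""
    host = host.lower().rstrip(".")
    scope_domain = scope_domain.lower().rstrip(".")
    return host == scope_domain or host.endswith("." + scope_domain)


def extract_hosts(crtsh_json: str, scope_domain: str) -> dict:
    """Turn crt.sh output into a scoped, deduplicated target list.

    Returns hosts (concrete names to probe), wildcards (zones where the logs
    only prove a wildcard cert exists, so they are brute-force candidates),
    and rejected (names seen in the logs but outside the agreed scope, kept
    so the exclusion is recorded rather than silently dropped).
    """
    hosts, wildcards, rejected = set(), set(), set()
    for entry in json.loads(crtsh_json):
        # name_value holds every SAN of the cert, newline-separated
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if not name or "@" in name:          # empty line or e-mail SAN
                continue
            wildcard = name.startswith("*.")
            if wildcard:
                name = name[2:]
            if not in_scope(name, scope_domain):
                rejected.add(name)
            elif wildcard:
                wildcards.add(name)
            else:
                hosts.add(name)
    return {"hosts": sorted(hosts),
            "wildcards": sorted(wildcards),
            "rejected": sorted(rejected)}


if __name__ == "__main__":
    result = extract_hosts(SAMPLE_CRTSH_JSON, "example.com")
    for key, names in result.items():
        print(f"{key}:")
        for name in names:
            print(f"  {name}")
```

Swap SAMPLE_CRTSH_JSON for the live response and the hosts list becomes the input to DNS resolution and port scanning in the active phase, while the wildcards list marks zones worth brute-forcing; the rejected list goes in the engagement notes so the scope decision is traceable. Expired certificates are deliberately not filtered out, since a name from a lapsed certificate is often a forgotten host.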

Active Reconnaissance

- Subdomain enumeration and brute-force (amass, subfinder; ffuf for virtual-host discovery on servers that answer for several names)
- Port scanning (nmap with service/version detection)
- Web crawling and directory enumeration
- Technology fingerprinting (Wappalyzer, whatweb)
- Email address harvesting and validation

Phase 3: Vulnerability Analysis

We combine automated scanning with manual analysis. Automated scanners find known CVEs and common misconfigurations; manual analysis finds authorization and logic flaws, subtle misconfigurations, and chained vulnerabilities that scanners cannot reason about, because reasoning about them requires knowing what the application is supposed to do.

Common high-value findings from manual analysis that scanners miss:

  • IDOR (Insecure Direct Object Reference) — access other users' data by changing an ID parameter
  • Business logic flaws — price manipulation, workflow bypass, privilege escalation through application logic
  • Authentication bypass through JWT algorithm confusion (the verifier trusting the token's own alg header), or account takeover through OAuth flows with a missing or unvalidated state parameter
  • Second-order SQL injection — injected payload stored and executed later
  • Race conditions in financial operations (double-spend, repeated redemption of a one-time coupon or refund)
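To make the JWT algorithm confusion item concrete, here is an added example, not code from the page's authors, in plain Python with only the standard library. It implements a minimal HS256 issuer, an attacker's unsigned alg=none token, a verifier that dispatches on the header's alg field, and a hardened verifier that pins the algorithm. SECRET and the claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side HMAC secret for the example; in a real deployment
# it never leaves the server. The attacker below never learns it.
SECRET = b"server-side-hmac-secret-for-the-example"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def hs256(key: bytes, header_b64: str, payload_b64: str) -> bytes:
    return hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()


def issue_token(claims: dict, key: bytes) -> str:
    """Legitimate issuer: HS256-signed JWT."""
    header = encode_segment({"alg": "HS256", "typ": "JWT"})
    payload = encode_segment(claims)
    return f"{header}.{payload}.{b64url_encode(hs256(key, header, payload))}"


def forge_unsigned(claims: dict) -> str:
    """Attacker: no key needed, just declare alg=none and send an empty signature."""
    header = encode_segment({"alg": "none", "typ": "JWT"})
    return f"{header}.{encode_segment(claims)}."


def split_token(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return parts


def verify_vulnerable(token: str, key: bytes) -> dict:
    """Trusts the header's alg field, which the client controls."""
    header_b64, payload_b64, sig_b64 = split_token(token)
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg == "none":                      # the bug: unsigned tokens are accepted
        return json.loads(b64url_decode(payload_b64))
    if alg == "HS256":
        if hmac.compare_digest(hs256(key, header_b64, payload_b64), b64url_decode(sig_b64)):
            return json.loads(b64url_decode(payload_b64))
    raise ValueError("invalid signature")


def verify_hardened(token: str, key: bytes, expected_alg: str = "HS256") -> dict:
    """Pins the algorithm server-side; the header is only checked for agreement."""
    header_b64, payload_b64, sig_b64 = split_token(token)
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != expected_alg:   # rejects none/None/NONE and any other alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if not hmac.compare_digest(hs256(key, header_b64, payload_b64), b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    return json.loads(b64url_decode(payload_b64))


def rejects(verifier, token: str, key: bytes) -> bool:
    """True if the verifier refuses the token (used by the demo and checks)."""
    try:
        verifier(token, key)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    legit = issue_token({"sub": "alice", "role": "user"}, SECRET)
    forged = forge_unsigned({"sub": "alice", "role": "admin"})
    print("legit token, vulnerable verifier:", verify_vulnerable(legit, SECRET))
    print("forged token, vulnerable verifier:", verify_vulnerable(forged, SECRET))
    print("forged token, hardened verifier rejects:", rejects(verify_hardened, forged, SECRET))
```

The hardened verifier never consults the header to decide how to verify; it only checks that the header agrees with a server-side constant, which also rejects case variants such as None or NONE. The same trust-in-the-header flaw is what enables the RS256-to-HS256 variant, in which a verifier configured with an RSA public key is persuaded to treat that public key as an HMAC secret; the fix is identical, pin the algorithm and the key type server-side.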

Phase 4: Exploitation and Post-Exploitation

We exploit vulnerabilities in a controlled manner, documenting every step with timestamps, screenshots, and commands. Our analysts adhere strictly to the rules of engagement — no lateral movement outside scope, no data exfiltration, no destructive actions.

Post-exploitation focuses on:

  • Privilege escalation (local and domain)
  • Credential abuse and lateral movement (Pass-the-Hash, Kerberoasting, resource-based constrained delegation (RBCD) abuse)
  • Persistence mechanisms (scheduled tasks, registry autoruns, WMI subscriptions)
  • Data discovery — where is sensitive data, and could we access it?

Phase 5: Reporting

Every finding gets:

  • CVSS v3.1 severity score
  • Business impact description (not just technical impact)
  • Step-by-step reproduction instructions with evidence
  • Specific remediation guidance (not “patch your software”)
  • Validation criteria — how to confirm the fix worked

We produce two reports: an executive summary (2-3 pages, zero technical jargon, board-ready) and a full technical report. Both are included at no additional cost.

Phase 6: Re-Test

We include a free re-test for all critical and high findings within 90 days. Remediation without verification is wishful thinking.

Types of Engagements We Run

We offer the full spectrum of offensive security engagements:

  • External penetration test — internet-facing perimeter, web apps, APIs, VPN, email
  • Internal network penetration test — assumes attacker has LAN access
  • Web application assessment — OWASP WSTG-aligned, manual-first methodology
  • API security assessment — REST, GraphQL, SOAP, authentication logic
  • Cloud configuration review — AWS, Azure, GCP misconfigurations and IAM analysis
  • Active Directory assessment — domain privilege escalation paths, misconfigurations
  • Red team operation — full adversary simulation, multi-vector, long-duration
  • Social engineering campaign — phishing, vishing, physical premises testing
  • Purple team exercise — combined red and blue team with real-time knowledge sharing

Contact us to discuss scope and timeline for your engagement.