> series: business_owners_guide —— part: 07/10 —— topic: during_the_test —— status: engagement_active
Testing has begun. For many business owners, this is the most opaque part of the process — you have commissioned the test, prepared your team, and now someone is actively trying to break into your systems. But what exactly are they doing? How long does each phase take? What should you expect to hear from them during the engagement?
This article walks through the typical phases of a penetration test as they happen. The exact sequence and timing vary by engagement type and scope, but the general structure applies to most tests.
We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.
The first phase of any penetration test mirrors exactly what a real attacker would do: gather as much information as possible about the target before attempting any exploitation. The tester is building a map of your environment — what exists, what is exposed, and what might be vulnerable.
For an external test, this includes discovering IP addresses, subdomains, email addresses, technology stacks, and publicly available information about your organisation. For an internal test, it means scanning the network to identify hosts, services, and the structure of your Active Directory environment. For a web application test, the tester is mapping every page, form, API endpoint, and input field.
During this phase, you should not expect significant communication from the tester unless they discover something immediately concerning — such as a critical service exposed that should not be, or credentials visible in a public repository. Your IT team may notice scanning activity in their logs. This is expected and is why you briefed them during the preparation phase.
With a map of your environment in hand, the tester now systematically tests each discovered service, application, and component for vulnerabilities. This combines automated scanning with manual testing — the automated tools find the common issues quickly, and the tester's expertise finds the subtle issues that automated tools miss.
For web applications, this is where the tester probes every input field for injection vulnerabilities, every authentication mechanism for bypass opportunities, every access control for privilege escalation, and every piece of business logic for flaws that could be exploited. For infrastructure, the tester is checking for misconfigurations, default credentials, unpatched software, weak encryption, and insecure protocols.
This phase is the most labour-intensive and typically accounts for the majority of the engagement time. The tester may contact you during this phase to ask clarifying questions — 'is this service intentionally exposed?', 'should this user role be able to access this function?', 'is this test data or real data?'. Responding promptly to these queries helps the tester use their time effectively.
When a vulnerability is identified, the tester attempts to exploit it — to prove that it is not merely a theoretical risk but a practical one. This is the phase that distinguishes a penetration test from a vulnerability scan. The tester is not just saying 'this might be vulnerable' — they are demonstrating 'I used this vulnerability to achieve this specific outcome'.
If the tester discovers a critical vulnerability during this phase — something that poses an immediate risk to your organisation, such as an actively exploitable remote code execution vulnerability on a public-facing server — they will notify you immediately rather than waiting for the final report. This is standard practice and is defined in your rules of engagement. Act on these notifications promptly.
Once active testing is complete, the tester moves into the reporting phase. They compile all findings, evidence, and analysis into a structured report that becomes the primary deliverable of the engagement. We cover the report in detail in Part 8 next week.
During this phase, the tester also performs cleanup — removing any test accounts they created, deleting files uploaded during testing, and reverting any configuration changes made during exploitation. A professional tester will document everything they changed and confirm that the environment has been returned to its pre-test state.
| Do | Do Not |
|---|---|
| Respond promptly to tester queries. Questions about scope, access, or system behaviour are time-sensitive — every hour the tester waits is an hour they are not testing. | Do not monitor the tester's every move. Trust the process. Constantly asking for updates disrupts the tester's flow and reduces the time available for actual testing. |
| Keep your IT team informed of progress. A brief daily update — 'testing is ongoing, no critical findings yet' — prevents anxiety. | Do not block the tester's IP addresses. If your SOC or MSP blocks the tester mid-engagement, testing time is wasted re-establishing access. |
| Act immediately on critical finding notifications. If the tester reports a critical vulnerability, begin remediation without waiting for the final report. | Do not make major infrastructure changes during the test. Deploying new systems, changing firewall rules, or migrating services during testing invalidates results and confuses the tester. |
| Ensure test accounts remain active throughout. If an account gets locked or a password expires, notify the tester and resolve it quickly. | Do not panic if the tester gains access. That is the purpose of the test. Finding vulnerabilities now is far better than an attacker finding them later. |
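The reconnaissance section above notes that your IT team will see scanning activity in their logs, and the table warns against blocking the tester's IP addresses mid-engagement. The script below is an added example (not code from this guide or from any testing provider) of how a SOC can tell the two apart: it reads constructed firewall log lines, flags any source that touches many distinct ports, and labels it as the expected tester only if it falls inside the source range agreed in the rules of engagement. The log format, the threshold and the tester range `203.0.113.0/28` are assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from any real system):
# timestamp, source IP, destination port, action.
SAMPLE_LOG = """\
2024-05-06T09:00:01 src=203.0.113.10 dport=22 action=deny
2024-05-06T09:00:01 src=203.0.113.10 dport=80 action=allow
2024-05-06T09:00:02 src=203.0.113.10 dport=443 action=allow
2024-05-06T09:00:02 src=203.0.113.10 dport=8080 action=deny
2024-05-06T09:00:03 src=203.0.113.10 dport=3389 action=deny
2024-05-06T09:00:03 src=203.0.113.10 dport=445 action=deny
2024-05-06T09:00:05 src=198.51.100.77 dport=22 action=deny
2024-05-06T09:00:05 src=198.51.100.77 dport=23 action=deny
2024-05-06T09:00:06 src=198.51.100.77 dport=25 action=deny
2024-05-06T09:00:06 src=198.51.100.77 dport=53 action=deny
2024-05-06T09:00:07 src=198.51.100.77 dport=110 action=deny
2024-05-06T09:00:07 src=198.51.100.77 dport=143 action=deny
2024-05-06T09:00:09 src=192.0.2.5 dport=443 action=allow
"""

# Hypothetical tester source range, as it would be written into the rules of engagement.
TESTER_RANGES = [ipaddress.ip_network("203.0.113.0/28")]
LINE_RE = re.compile(r"src=(\S+) dport=(\d+)")
SCAN_THRESHOLD = 5  # distinct destination ports from one source before it counts as scan-like


def classify_sources(log_text, tester_ranges=TESTER_RANGES, threshold=SCAN_THRESHOLD):
    """Group log lines by source IP and label each scan-like source as either
    the expected tester (inside the agreed range) or an unexpected scanner."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ports_by_src[m.group(1)].add(int(m.group(2)))
    results = {}
    for src, ports in ports_by_src.items():
        if len(ports) < threshold:
            continue  # ordinary traffic, not scan-like
        addr = ipaddress.ip_address(src)
        in_scope = any(addr in net for net in tester_ranges)
        results[src] = "expected-tester" if in_scope else "unexpected-scan"
    return results


if __name__ == "__main__":
    for src, label in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {label}")  # expected-tester sources get annotated, not blocked
```

Sources labelled `expected-tester` should be annotated in the SOC's ticketing so analysts do not block them; anything labelled `unexpected-scan` is handled as a normal alert, since a real attacker may be active during the engagement window.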
The test is complete and the report arrives. Next week, we walk you through understanding your penetration test report — how to read it, what the risk ratings mean, how to prioritise findings, and how to use the report as a tool for driving improvements rather than a document that gathers dust in a drawer.
Our engagements follow a structured, transparent methodology with clear communication at every phase. You will never be left wondering what is happening — we keep you informed, we notify you of critical findings immediately, and we deliver a report that speaks to your business, not just your IT team.