Penetration testing is the most publicly recognised specialisation in cybersecurity — and simultaneously one of the most misunderstood. The popular image, shaped by hacker-heist films and security conference talks, tends toward dramatic real-time exploitation, but the day-to-day reality of professional penetration testing is considerably more methodical, documentation-heavy, and legally circumscribed than the mythology suggests.
A penetration tester — also called an ethical hacker, pen tester, or offensive security consultant — is hired to attack systems, applications, and networks with the explicit authorisation of the owner, using the same techniques and tools that real-world attackers would use, for the purpose of identifying exploitable vulnerabilities before criminals find them. The output is not a compromised system but a detailed professional report that documents what was found, how it was exploited, what an attacker could have done with access, and exactly how to fix each issue.
The vulnerability finding is the means; the actionable remediation guidance is the product.
This article covers the complete penetration testing methodology from initial scoping through final report delivery, the major categories of penetration tests and how they differ, the tools used at each phase, the certification landscape (why OSCP matters and what alternatives exist), salary data by experience and certification level, and the legal and ethical framework that every practitioner must understand. Whether you are exploring this as a career or trying to understand what you are buying when you commission a pen test, the detail here will orient you.
"Penetration testing without a written authorisation is just hacking. The piece of paper is not bureaucracy — it is the thing that makes the whole profession legitimate. Never touch a system without it." — Georgia Weidman, author of 'Penetration Testing: A Hands-On Introduction to Hacking,' No Starch Press, 2023
Key Definitions
Statement of Work (SOW): A legally binding contract that defines the scope, timing, permitted activities, and deliverables of a penetration test engagement. Conducting testing outside the agreed scope constitutes unauthorised access, regardless of intent.
Rules of Engagement (ROE): Document specifying operational constraints for the engagement — which systems are in scope, which are explicitly out of scope, time windows when testing is permitted, emergency contacts if critical systems are accidentally disrupted, and escalation procedures.
Exploitation: The phase of penetration testing where identified vulnerabilities are actively used to gain access the tester would not otherwise have (a shell, a database, another user's session). In professional contexts, exploitation demonstrates real-world risk and, as a side effect, tests the organisation's detection capabilities; it is only ever performed within the agreed scope and rules of engagement.
Privilege Escalation: After gaining initial access, the process of elevating privileges from a standard user account to an administrator or root account. Demonstrating privilege escalation is critical because most serious damage from a breach requires elevated privileges.
CVE (Common Vulnerabilities and Exposures): A standardised system for identifying and naming known software vulnerabilities. CVE numbers (e.g., CVE-2021-44228 for Log4Shell) allow security professionals to precisely reference specific vulnerabilities.
The Five-Phase Penetration Testing Methodology
Professional penetration testing follows a structured methodology that mirrors how sophisticated real-world attackers operate. Multiple frameworks describe it: PTES (Penetration Testing Execution Standard, seven phases from pre-engagement interactions through reporting), the OWASP Web Security Testing Guide for web applications, and NIST SP 800-115 (planning, discovery, attack, reporting). The five phases below are the common consolidation; the activities are consistent across frameworks even when phase boundaries and terminology differ.
| Phase | What Happens | Primary Goals | Typical Time Allocation |
|---|---|---|---|
| 1. Reconnaissance | Passive and active information gathering about the target | Build target map, identify attack surface | 20-30% of engagement |
| 2. Scanning and Enumeration | Technical scanning of discovered assets for services and vulnerabilities | Identify open ports, software versions, known CVEs | 15-20% of engagement |
| 3. Exploitation | Attempt to compromise identified vulnerabilities | Gain initial access, demonstrate exploitability | 20-30% of engagement |
| 4. Post-Exploitation | Expand access within the compromised environment | Privilege escalation, lateral movement, data discovery | 15-20% of engagement |
| 5. Reporting | Document all findings with evidence and remediation guidance | Deliver actionable intelligence to the client | 20-30% of engagement |
Phase 1: Reconnaissance
Reconnaissance involves gathering intelligence about the target before attempting exploitation. This phase is divided into passive recon (gathering information without directly interacting with target systems) and active recon (interacting with target systems in ways that may appear in logs).
Passive reconnaissance techniques:
- OSINT (Open Source Intelligence): Searching LinkedIn for employee names and job titles, reviewing job postings for technology-stack clues, checking Shodan.io for internet-facing assets, reviewing public GitHub repositories for leaked credentials or internal hostnames, and harvesting hostnames from certificate transparency logs (crt.sh), which record every certificate issued for the organisation's domains
- Reviewing public breach databases for previously leaked credentials associated with the target organisation's email domains (HaveIBeenPwned shows which breaches include the domain; DeHashed exposes the leaked credential data itself)
- Google dorking to find exposed login panels, configuration files, or directory listings
Active reconnaissance techniques:
- DNS enumeration: feeding subdomain candidates from passive sources (subfinder) and wordlists into a resolver such as dnsx to confirm which hosts actually exist, and querying MX, NS and TXT records to identify mail and infrastructure providers
- Port scanning with Nmap to identify live hosts and running services
- Service version detection to identify potentially vulnerable software versions
A thorough reconnaissance phase often reveals more immediately exploitable issues than active exploitation attempts. Misconfigurations, publicly exposed credentials, and forgotten internet-facing services are consistent top findings in professional pen test reports.
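As a worked illustration of the passive-to-active handoff (added here; it is not code from the original article or from any of the tools named above), the script below takes a crt.sh JSON export, extracts the unique hostnames, and sorts them against the Rules of Engagement before anything is resolved or scanned. The crt.sh response, the in-scope domain and the excluded host are constructed sample data.

```python
"""Turn a crt.sh certificate-transparency export into a scope-checked host list.

crt.sh returns one JSON object per certificate; `name_value` holds the
subject names, newline-separated, often including wildcards. Everything it
reports is compared against the Rules of Engagement before any active step
(DNS resolution, port scan) touches it.
"""
import json

# Constructed sample, shaped like https://crt.sh/?q=%25.example.com&output=json
# (only the fields used here are included).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "*.dev.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1", "name_value": "mail.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "legacy.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "example.com.evil-phish.net"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "notexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "WWW.Example.COM"},
])

# Constructed Rules of Engagement: the client owns example.com, but
# legacy.example.com is run by a third-party host and is explicitly excluded.
IN_SCOPE_DOMAINS = ["example.com"]
EXCLUDED_HOSTS = ["legacy.example.com"]


def extract_hostnames(crtsh_json: str) -> set[str]:
    """Return the unique, lower-cased hostnames in a crt.sh JSON export.

    A wildcard entry `*.dev.example.com` proves that dev.example.com exists
    (and probably has children), so the wildcard label is stripped rather
    than the entry discarded.
    """
    names = set()
    for cert in json.loads(crtsh_json):
        for raw in cert["name_value"].split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name:
                names.add(name)
    return names


def _under(host: str, domain: str) -> bool:
    """True if host is `domain` or a subdomain of it, matching on label
    boundaries so `notexample.com` is not treated as under `example.com`."""
    return host == domain or host.endswith("." + domain)


def classify(hosts: set[str], in_scope: list[str], excluded: list[str]) -> dict[str, list[str]]:
    """Split discovered hosts into in-scope, explicitly excluded, and out-of-scope.

    Exclusions are checked first: an ROE exclusion always wins over a broader
    in-scope domain, which is exactly the case that causes real scope breaches.
    """
    result = {"in_scope": [], "excluded": [], "out_of_scope": []}
    for host in sorted(hosts):
        if any(_under(host, ex) for ex in excluded):
            result["excluded"].append(host)
        elif any(_under(host, dom) for dom in in_scope):
            result["in_scope"].append(host)
        else:
            result["out_of_scope"].append(host)
    return result


def scoped_targets(crtsh_json: str = SAMPLE_CRTSH_JSON) -> dict[str, list[str]]:
    """Full pipeline on one export: only `in_scope` may be fed to dnsx or Nmap."""
    return classify(extract_hostnames(crtsh_json), IN_SCOPE_DOMAINS, EXCLUDED_HOSTS)


if __name__ == "__main__":
    for bucket, names in scoped_targets().items():
        print(f"{bucket}:")
        for n in names:
            print(f"  {n}")
```

Two details matter more than the JSON handling: the suffix match is anchored on a dot so look-alike domains are rejected, and exclusions are evaluated before inclusions so a client carve-out is never overridden by the parent domain being in scope.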
Phase 2: Scanning and Enumeration
With a target map established from reconnaissance, the tester conducts more detailed technical scanning.
Vulnerability scanning: Automated tools (Nessus, OpenVAS, Qualys) scan identified services for known CVEs and misconfigurations. Automated scans produce false positives, and they miss issues that require context (authorisation flaws, business logic), so every scanner result is manually validated before it becomes a finding. Verizon's 2023 Data Breach Investigations Report identified exploitation of vulnerabilities as one of the three primary ways attackers gain initial access, alongside stolen credentials and phishing, which is why unpatched, scanner-detectable software remains a core part of every test.
Service enumeration: Deeply examining specific services — SMB shares, Active Directory configurations, web application technologies, database connectivity — to understand exactly what is exposed and how it can be accessed. Tools like enum4linux, crackmapexec, and ldapdomaindump are used for Windows environment enumeration.
Web application crawling: Spidering web applications using Burp Suite's crawler, or using ffuf for directory and parameter fuzzing, to map all pages, API endpoints, and application functionality.
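To show what manual validation of scanner output means in practice, the following added example (not code from the original article or from Nmap) parses Nmap's XML output into a service inventory and flags ports where Nmap only guessed the service from the port number or found no version string. Those are the entries that need hands-on enumeration before they can be scored. The XML is a constructed sample in the shape `nmap -sV -oX` produces.

```python
"""Convert `nmap -sV -oX` output into a service inventory that separates what
the scanner positively identified from what still needs manual enumeration
(banner grabbing, NSE scripts, enum4linux, and so on).
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape nmap writes with -oX; three ports on one host.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.5" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="files.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.2p2" extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_services(xml_text: str) -> list[dict]:
    """Return one record per open port.

    `needs_manual` is set when nmap did not actually probe the service
    (method="table" means the name was looked up from the port number) or
    returned no version string; a scanner-only workflow silently accepts both.
    """
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry no service to validate
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            version = attrs.get("version", "")
            probed = attrs.get("method") == "probed"
            records.append({
                "host": addr,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "service": attrs.get("name", "unknown"),
                "product": attrs.get("product", ""),
                "version": version,
                "needs_manual": (not probed) or (not version),
            })
    return records


def manual_followups(records: list[dict]) -> list[tuple[str, int]]:
    """(host, port) pairs the tester must enumerate by hand before reporting."""
    return [(r["host"], r["port"]) for r in records if r["needs_manual"]]


if __name__ == "__main__":
    recs = parse_nmap_services(SAMPLE_NMAP_XML)
    for r in recs:
        flag = "  <-- enumerate manually" if r["needs_manual"] else ""
        print(f"{r['host']}:{r['port']}/{r['protocol']} {r['service']} {r['product']} {r['version']}{flag}")
```

On the sample, SSH is fully identified, while 445/tcp is only a table lookup and goes onto the manual list; in a real engagement that is where enum4linux or crackmapexec picks up.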
Phase 3: Exploitation
Exploitation attempts to use discovered vulnerabilities to gain unauthorised access. This phase typically accounts for 20-30% of total engagement time. A well-enumerated vulnerability that is clearly exploitable may be documented without active exploitation if the risk of service disruption is high — professional pen testers do not recklessly crash production systems to prove a point.
Common exploitation techniques include:
- Using public exploits for known CVEs against unpatched software via Metasploit or custom scripts
- Password spraying and credential stuffing against authentication portals
- SQL injection against web applications
- Cross-site scripting (XSS) to demonstrate session hijacking
- Server-Side Request Forgery (SSRF) in web applications to access cloud metadata endpoints
- Abusing Active Directory misconfigurations and exposed credential material: Kerberoasting and AS-REP roasting (weak service and user account passwords), Pass-the-Hash (reused local administrator hashes), DCSync (accounts with excessive replication rights)
Phase 4: Post-Exploitation
Once initial access is gained, post-exploitation demonstrates the real impact of a breach and is what distinguishes a professional engagement from a simple vulnerability scan.
- Privilege escalation: Elevating from standard user to administrator or root using techniques such as exploiting SUID binaries on Linux or unquoted service paths on Windows
- Lateral movement: Using the compromised system as a pivot point to reach other systems in the network via pass-the-hash, pass-the-ticket, or NTLM relay attacks
- Data access demonstration: Identifying and documenting sensitive data accessible with gained privileges (without exfiltrating actual customer or employee data)
- Persistence documentation: Showing how an attacker could maintain persistent access through scheduled tasks, registry run keys, or reverse shell implants
- Detection gap analysis: Documenting which actions triggered alerts and which did not, providing blue team with actionable improvements
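The unquoted service path case named above is worth seeing concretely. This added example (not code from the original article) reproduces how Windows resolves an unquoted ImagePath, lists the candidate binaries it would try before the intended one, and matches them against directories a standard user can write to. The service definitions and writable directories are constructed sample data standing in for what `wmic service get name,pathname,startname` and `icacls` return on a real host.

```python
r"""Find Windows services whose unquoted ImagePath lets a low-privileged user
hijack the binary (the "unquoted service path" privilege escalation).

For `C:\Program Files\Vendor App\service.exe -k arg`, Windows tries
`C:\Program.exe`, then `C:\Program Files\Vendor.exe`, then the real binary.
If an earlier candidate's directory is writable, dropping an .exe there runs
it as the service account (often SYSTEM) on the next service start.
"""
import re

# Constructed service definitions, as `wmic service get name,pathname,startname`
# or `Get-CimInstance Win32_Service` would return them.
SERVICES = [
    {"name": "VendorUpdater", "image_path": r"C:\Program Files\Vendor App\service.exe -k arg", "start_name": "LocalSystem"},
    {"name": "GoodSvc", "image_path": r'"C:\Program Files\Good Co\svc.exe" --flag', "start_name": "LocalSystem"},
    {"name": "Schedule", "image_path": r"C:\Windows\system32\svchost.exe -k netsvcs", "start_name": "LocalSystem"},
    {"name": "ToolAgent", "image_path": r"C:\Tools\agent.exe", "start_name": r"NT AUTHORITY\LocalService"},
]

# Constructed ACL findings: directories the current user can write to (what
# `icacls` or `accesschk.exe -uwdqs Users C:\` would show). A writable
# C:\Program Files is a misconfiguration; it is not the Windows default.
WRITABLE_DIRS = {r"C:\Program Files", r"C:\Tools"}


def hijack_candidates(image_path: str) -> list[str]:
    """Paths Windows will try before the intended executable.

    Quoted paths are safe. Otherwise every space before the end of the
    executable name yields a candidate `<prefix>.exe`. If no `.exe` is present
    the whole string is treated as the path (the conservative choice).
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    m = re.search(r"\.exe", path, flags=re.IGNORECASE)
    exe_end = m.end() if m else len(path)
    return [path[:i] + ".exe" for i, ch in enumerate(path[:exe_end]) if ch == " "]


def _parent_dir(p: str) -> str:
    return p.rsplit("\\", 1)[0]


def assess_services(services: list[dict], writable_dirs: set[str]) -> list[dict]:
    """Return the services an attacker with write access to `writable_dirs`
    could hijack, with the exact path to drop a binary at."""
    findings = []
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    for svc in services:
        for cand in hijack_candidates(svc["image_path"]):
            if _parent_dir(cand).lower().rstrip("\\") in writable:
                findings.append({"service": svc["name"],
                                 "runs_as": svc["start_name"],
                                 "drop_path": cand})
                break  # first writable candidate is the one Windows hits first
    return findings


if __name__ == "__main__":
    for f in assess_services(SERVICES, WRITABLE_DIRS):
        print(f"{f['service']} (runs as {f['runs_as']}): write payload to {f['drop_path']}")
```

Note that ToolAgent is not reported even though `C:\Tools` is writable: its path has no spaces, so this particular technique does not apply. A writable directory holding the actual service binary is a separate (and more direct) finding, which is why the two checks are kept distinct in a report.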
Phase 5: Reporting
The deliverable of a penetration test is not access — it is the report. A professional penetration test report contains the following sections:
Executive Summary: Non-technical overview of findings and business risk, written for leadership audiences who need to understand organisational exposure without technical detail. Should answer: what can an attacker do to the organisation, and how urgently does it need to be addressed.
Technical Findings: Each vulnerability documented with description, evidence (screenshots and proof-of-concept reproduction steps), CVSS v3.1 vector and severity score, business impact, and specific remediation steps. A finding that says 'apply patches' is not remediation guidance. A finding that says 'apply the vendor patch for CVE-2023-XXXX on all Windows hosts running build 10.0.19041, or apply the interim mitigation in the vendor's KB article for that CVE (Microsoft's KB5025885 for CVE-2023-24932 is the model), and re-scan to confirm' is remediation guidance.
Methodology: Scope, testing type, tools used, and testing approach. Establishes the boundaries of what was and was not tested.
Appendices: Raw scan output, exploit chains, tool configuration details.
Report quality is the primary differentiator between good and poor pen testing firms. Writing ability is a non-negotiable professional skill.
Types of Penetration Tests Compared
| Type | Scope | Primary Tools | Typical Deliverable | Cost Range |
|---|---|---|---|---|
| External Network | Internet-facing perimeter | Nmap, Metasploit, Nessus | Findings report, perimeter risk rating | $5K-$25K |
| Internal Network | LAN/WAN, Active Directory | BloodHound, CrackMapExec, Impacket | AD attack path diagrams, internal risk report | $10K-$40K |
| Web Application | Web apps, APIs, mobile backends | Burp Suite Pro, OWASP ZAP, ffuf | OWASP-mapped findings, code-level remediation | $5K-$30K |
| Mobile Application | iOS/Android apps | MobSF, Frida, apktool | App security report, binary analysis findings | $8K-$25K |
| Social Engineering | Humans, email systems | GoPhish, custom pretexting | Click rate statistics, security awareness gap analysis | $3K-$15K |
| Red Team | Full kill chain simulation | Commercial or open-source C2 (Cobalt Strike, Havoc) plus all of the above | Attack narrative, detection gap analysis | $30K-$150K+ |
External network penetration testing targets internet-facing infrastructure — public IP ranges, web servers, mail servers, VPN gateways. The tester simulates an attacker with no prior access to the organisation's environment.
Internal network penetration testing assumes network access (simulating a compromised insider, a phishing victim, or a breach of the perimeter) and tests how far an attacker can move through the internal environment. Active Directory attacks — BloodHound path analysis, Kerberoasting, DCSync — are the core of most internal engagements.
Web application penetration testing tests web applications and their APIs against the OWASP Top 10 (broken access control including insecure direct object references, injection, identification and authentication failures, security misconfiguration, cross-site scripting, and others) and against application-specific business logic flaws that no scanner can find.
Red team operations are full adversarial simulation campaigns running over weeks or months, using a combination of all techniques above plus custom implants and evasive persistence mechanisms. Unlike standard pen tests, red team exercises are kept secret from most of the organisation's security team (only senior leadership is aware), making them a test of detection and response capabilities, not just defences.
Tools by Phase
| Phase | Category | Tool | Notes |
|---|---|---|---|
| Reconnaissance | OSINT | theHarvester | Emails, hostnames from search engines |
| Reconnaissance | Subdomain enum | Subfinder, Amass | Passive DNS and certificate enumeration |
| Reconnaissance | Shodan | Shodan CLI | Internet-facing device discovery |
| Scanning | Port scanning | Nmap | The universal port and service scanner |
| Scanning | Vulnerability scanner | Nessus, OpenVAS | CVE identification against live hosts |
| Scanning | Web crawling | Burp Suite Pro, ffuf | Directory fuzzing, parameter discovery |
| Exploitation | Exploit framework | Metasploit Framework | Automated exploit delivery and post-exploitation |
| Exploitation | Web exploitation | Burp Suite Pro, sqlmap | Web app attacks including SQLi, XSS, SSRF |
| Exploitation | Password attacks | Hashcat, John the Ripper | Offline hash cracking |
| Post-Exploitation | AD analysis | BloodHound, SharpHound | Active Directory attack path visualisation |
| Post-Exploitation | Lateral movement | CrackMapExec, Impacket | SMB enumeration, pass-the-hash, DCSync |
| Post-Exploitation | C2 frameworks | Cobalt Strike, Havoc, Sliver | Command and control for red team engagements |
| Reporting | Documentation | Dradis, Plextrac, Word/Markdown | Report generation and evidence management |
Certifications: OSCP vs CEH vs PNPT
| Certification | Issuer | Type | Cost | Difficulty | Industry Respect | Best For |
|---|---|---|---|---|---|---|
| OSCP (PEN-200) | Offensive Security | Hands-on lab + 24hr exam | ~$1,499 | High | Very high | Professional pen testers, job seekers |
| PNPT | TCM Security | Practical report-based exam | $400 | Medium-High | High (growing) | Beginners, career changers |
| eJPT | eLearnSecurity | Beginner practical | $200 | Low-Medium | Medium | Entry-level learners |
| CEH | EC-Council | Multiple choice | $950-$1,200 | Low-Medium | Low among practitioners | Government compliance |
| GPEN | SANS/GIAC | Multiple choice + practicum | $8,000+ (with course) | Medium | High | Enterprise, government |
| GWAPT | SANS/GIAC | Multiple choice + practicum | $8,000+ (with course) | Medium | High | Web app specialists |
| BSCP | PortSwigger | Lab-based | $99 per attempt (requires a Burp Suite Pro licence) | Medium-High | High (growing) | Web app testing specialists |
OSCP is the practical gold standard. The 24-hour exam requires compromising multiple machines in a lab environment and submitting a professional-quality report within another 24 hours. Employers treat OSCP as a meaningful signal of hands-on competency in a way that multiple-choice certifications cannot replicate. The PEN-200 course that accompanies the OSCP exam is also widely considered the best self-contained pen testing curriculum available.
PNPT (Practical Network Penetration Tester) from TCM Security is the most respected alternative to OSCP for candidates who want a practical, report-based examination without the cost and intensity of the OSCP. The TCM Security course materials are widely recommended as OSCP preparation.
CEH (Certified Ethical Hacker) from EC-Council is widely known but poorly regarded by professional pen testers because it is a multiple-choice credential that tests memorisation, not technical skill. Many experienced practitioners advise against it as a primary certification, though some government and compliance requirements list it.
Salary by Experience and Certification Level
| Level | Certification | In-House | Consulting Firm | Independent |
|---|---|---|---|---|
| Entry (0-2 yrs) | Security+, eJPT | $65K-$85K | $70K-$90K | Not typical yet |
| Junior (2-4 yrs) | Security+, PNPT | $85K-$110K | $90K-$115K | $800-$1,200/day |
| Mid (4-7 yrs) | OSCP | $110K-$145K | $115K-$160K | $1,200-$1,800/day |
| Senior (7-12 yrs) | OSCP + GPEN/GWAPT | $145K-$190K | $155K-$220K | $1,800-$2,500/day |
| Principal/Director | Multiple practicals | $180K-$250K+ | $200K-$300K+ | $2,500-$4,000/day |
Notes: US market figures based on Glassdoor, Levels.fyi, and InfoSec salary surveys 2023-2024. Independent contractor figures represent effective day rates for booked consultants; actual annual earnings depend on utilisation rate.
OSCP is the single certification most consistently associated with salary step-changes. Multiple recruiters report that OSCP holders receive meaningfully higher starting offers than candidates without it, particularly at the junior-to-mid transition.
Bug Bounty as an Entry Path
Bug bounty programs provide a legally defined context for security research outside of direct client engagements and are an increasingly recognised path into professional penetration testing. Platforms including HackerOne, Bugcrowd, and Intigriti host programs for thousands of companies.
For entry-level candidates, bug bounty provides:
- Real-world targets (compared to lab environments)
- Legal authorisation under clearly defined scope
- Portfolio evidence that employers find credible
- Potential earnings ($200-$50,000 per valid vulnerability, depending on severity and program)
HackerOne's 2023 Hacker Report found that 27% of respondents earned more than $50,000 from bug bounty in the prior year, and 5% earned more than $350,000. These are not representative of the average beginner, but the figures illustrate the ceiling.
Getting started with bug bounty:
- Start with programs marked 'beginner-friendly' on HackerOne or Bugcrowd
- Focus on web application vulnerabilities: XSS, IDOR, information disclosure, open redirects
- Understand the Bugcrowd VRT (Vulnerability Rating Taxonomy) to calibrate severity expectations
- Document methodology for every target, even on unsuccessful attempts — the habit builds report-writing skill
- A single accepted report is more valuable on a resume than another certification
Day in the Life of a Penetration Tester
A professional pen tester's day varies significantly based on engagement phase and employment type, but a representative consulting firm workday during an active engagement looks like this:
Morning (9am-12pm): Review scope documentation and resume the previous day's enumeration work. Run BloodHound against the collected Active Directory data to visualise attack paths. Document two new findings from the previous day's exploitation attempts, including CVSS scoring and reproduction steps. Brief client contact via email on testing progress.
Afternoon (12pm-5pm): Active exploitation attempts against the highest-priority attack paths identified in the morning's BloodHound review. Attempt privilege escalation from standard domain user to domain admin via Kerberoasting. Successfully crack a service account password hash offline using Hashcat. Document the full attack chain with screenshots. Begin drafting the executive summary for the end-of-engagement report.
Late afternoon (5pm-6pm): Team debrief with senior consultant reviewing the day's findings. Note any out-of-scope systems that were accidentally touched and document in the engagement log. Update the client-facing progress tracker.
Report-writing days (typically the final 1-2 days of an engagement): 8+ hours of writing, screenshot editing, evidence packaging, and CVSS scoring. A 20-finding pen test report can take 15-25 hours to write to a professional standard.
Legal and Ethical Framework
Every penetration tester must understand the legal constraints on their work. The key principle is explicit written authorisation before touching any system. No exceptions.
In the United States, the Computer Fraud and Abuse Act (CFAA) criminalises accessing a computer without authorisation or in excess of authorised access. Verbal permission is worthless in practice: if the client later disputes what was agreed, only the signed SOW and ROE prove that the access was authorised. Working outside agreed scope on a contracted engagement can constitute a criminal offence even if the client later says they did not object. Testers have been arrested over actions taken during authorised engagements where scope was disputed (the 2019 arrest of two Coalfire consultants during an Iowa courthouse assessment, with charges later dropped, is the best-known case); the legal boundaries are strict.
In the United Kingdom, the Computer Misuse Act 1990 (as amended) applies equivalent constraints. In the EU, Directive 2013/40/EU on attacks against information systems requires member states to criminalise illegal access, and each state's national cybercrime law is what a tester must actually comply with; NIS2 imposes security obligations on operators and does not itself define the offence.
Cloud environments add a layer: authorisation from the client organisation is necessary but not sufficient, because the client does not own the underlying platform. AWS, Azure, and GCP each publish a penetration testing policy. AWS permits testing of its listed services without advance notification but prohibits specific activities (DNS zone walking via Route 53 hosted zones, DoS/DDoS simulation, and port, protocol or request flooding). Microsoft no longer requires notification for tests against Azure resources but publishes Penetration Testing Rules of Engagement that, among other things, forbid denial-of-service testing and any testing of other tenants. GCP likewise requires no notification but holds testers to its Acceptable Use Policy and Terms of Service. Violating provider terms during a test can result in account suspension and provider cooperation with law enforcement.
Third-party infrastructure presents another boundary: if the in-scope application uses a third-party CDN, SaaS API, or shared hosting environment, testing those components requires authorisation from the third party, not just the client. This is frequently overlooked and is a source of legal exposure.
Bug bounty programmes are the other source of written authorisation, but a programme's scope statement is as binding as an SOW: exceeding the stated scope has resulted in criminal referrals even when the researcher was acting in good faith.
Career Entry Paths
Most professional pen testers follow one of three entry paths:
Path 1: IT/Sysadmin to Security: 2-4 years in network administration, system administration, or help desk, followed by security certifications (Security+, PNPT, OSCP) and transition to a junior security role. Most common path and provides the strongest technical foundation.
Path 2: SOC Analyst to Pen Tester: 1-2 years as a Security Operations Center analyst provides defensive perspective that makes offensive work more effective and employable. Many employers prefer pen testers who understand what defenders see.
Path 3: Direct Entry via CTF/Bug Bounty: Candidates who build a visible portfolio through CTF results (Hack The Box rankings, CTFtime placements) and accepted bug bounty reports can sometimes enter pen testing roles without prior professional security experience. This path is competitive and requires exceptional self-directed learning output.
References
- PTES Technical Guidelines (Penetration Testing Execution Standard). pentest-standard.org
- OWASP Web Security Testing Guide v4.2 (2020). owasp.org/www-project-web-security-testing-guide
- NIST SP 800-115: Technical Guide to Information Security Testing and Assessment. csrc.nist.gov
- Georgia Weidman, 'Penetration Testing: A Hands-On Introduction to Hacking' (No Starch Press, 2nd Edition, 2023)
- Offensive Security OSCP Certification (PEN-200). offensive-security.com
- TCM Security PNPT Practical Network Penetration Tester. tcm-sec.com
- Computer Fraud and Abuse Act (18 U.S.C. 1030). law.cornell.edu
- UK Computer Misuse Act 1990. legislation.gov.uk
- AWS Penetration Testing Policy. aws.amazon.com/security/penetration-testing
- CVSS v3.1 Specification (Common Vulnerability Scoring System). first.org/cvss
- MITRE ATT&CK Enterprise Framework. attack.mitre.org
- PortSwigger Burp Suite Documentation. portswigger.net/burp/documentation
- HackerOne 2023 Hacker Report. hackerone.com/resources/hacker-report
- Verizon 2023 Data Breach Investigations Report. verizon.com/business/resources/reports/dbir
- Glassdoor and InfoSec salary surveys 2023-2024. glassdoor.com
- BloodHound/SharpHound Documentation. bloodhound.readthedocs.io
Frequently Asked Questions
What are the five phases of penetration testing?
Reconnaissance (information gathering), scanning and enumeration (identifying services and vulnerabilities), exploitation (gaining access), post-exploitation (privilege escalation and lateral movement), and reporting (documenting findings with remediation guidance). Reporting typically consumes 20-30% of total engagement time.
What is the difference between OSCP and CEH?
OSCP requires passing a 24-hour hands-on lab exam and submitting a professional report, testing real technical skill. CEH is a multiple-choice exam that tests memorisation. Employers and practitioners consistently rate OSCP as the more credible credential; many experienced pen testers advise against CEH as a primary certification.
How much does a penetration tester earn with OSCP?
In the US, OSCP holders at mid-level (4-7 years experience) earn $110K-$145K in-house or $115K-$160K at consulting firms. Senior pen testers with OSCP plus additional certifications earn $145K-$220K+. Independent contractors with OSCP typically charge $1,200-$2,500 per day.
Is penetration testing legal?
Only with written authorisation. A signed Statement of Work and Rules of Engagement are required before testing any system. Without them the tester cannot prove authorisation if the owner later disputes it, and any testing beyond what was agreed is unauthorised access under the US Computer Fraud and Abuse Act and equivalent laws in other countries, regardless of verbal assurances or the tester's good intentions.
Can bug bounty hunting lead to a penetration testing career?
Yes. A HackerOne or Bugcrowd profile with accepted vulnerability reports is treated as credible portfolio evidence by pen testing employers. HackerOne reports that the median new user submits their first valid report within 30 days of active participation. Even low-severity finds documented with clear methodology strengthen a job application significantly.
