Penetration testing is the most publicly recognised specialisation in cybersecurity, and simultaneously one of the most misunderstood.

The popular image, shaped by hacker-heist films and security conference talks, tends toward dramatic real-time exploitation, but the day-to-day reality of professional penetration testing is considerably more methodical, documentation-heavy, and legally circumscribed than the mythology suggests.

A penetration tester, also called an ethical hacker, pen tester, or offensive security consultant, is hired to attack systems, applications, and networks with the explicit authorisation of the owner, using the same techniques and tools that real-world attackers would use, for the purpose of identifying exploitable vulnerabilities before criminals find them.

The output is not a compromised system but a detailed professional report that documents what was found, how it was exploited, what an attacker could have done with access, and exactly how to fix each issue. The vulnerability finding is the means; the actionable remediation guidance is the product.

This article covers the complete penetration testing methodology from initial scoping through final report delivery, the major categories of penetration tests and how they differ, the tools used at each phase, the certification landscape (why OSCP matters and what alternatives exist), salary data by experience and certification level, and the legal and ethical framework that every practitioner must understand.

Whether you are exploring this as a career or trying to understand what you are buying when you commission a pen test, the detail here will orient you.

"Penetration testing without a written authorisation is just hacking. The piece of paper is not bureaucracy, it is the thing that makes the whole profession legitimate. Never touch a system without it.", Georgia Weidman, author of 'Penetration Testing: A Hands-On Introduction to Hacking,' No Starch Press, 2023


Key Definitions

Statement of Work (SOW): A legally binding contract that defines the scope, timing, permitted activities, and deliverables of a penetration test engagement. Conducting testing outside the agreed scope constitutes unauthorised access, regardless of intent.

Rules of Engagement (ROE): Document specifying operational constraints for the engagement, which systems are in scope, which are explicitly out of scope, time windows when testing is permitted, emergency contacts if critical systems are accidentally disrupted, and escalation procedures.

Exploitation: The phase of penetration testing where identified vulnerabilities are actively used to gain unauthorised access to systems. In professional contexts, exploitation is used to demonstrate real-world risk and test the organisation's detection capabilities.

Privilege Escalation: After gaining initial access, the process of elevating privileges from a standard user account to an administrator or root account. Demonstrating privilege escalation is critical because most serious damage from a breach requires elevated privileges.

CVE (Common Vulnerabilities and Exposures): A standardised system for identifying and naming known software vulnerabilities. CVE numbers (e.g., CVE-2021-44228 for Log4Shell) allow security professionals to precisely reference specific vulnerabilities.


The Five-Phase Penetration Testing Methodology

Professional penetration testing follows a structured methodology that mirrors how sophisticated real-world attackers operate. Multiple frameworks describe this methodology, PTES (Penetration Testing Execution Standard), OWASP Testing Guide, and NIST SP 800-115 are the most widely cited.

In practice, the phases are consistent across frameworks even when terminology varies.

PhaseWhat HappensPrimary GoalsTypical Time Allocation
1. ReconnaissancePassive and active information gathering about the targetBuild target map, identify attack surface20-30% of engagement
2. Scanning and EnumerationTechnical scanning of discovered assets for services and vulnerabilitiesIdentify open ports, software versions, known CVEs15-20% of engagement
3. ExploitationAttempt to compromise identified vulnerabilitiesGain initial access, demonstrate exploitability20-30% of engagement
4. Post-ExploitationExpand access within the compromised environmentPrivilege escalation, lateral movement, data discovery15-20% of engagement
5. ReportingDocument all findings with evidence and remediation guidanceDeliver actionable intelligence to the client20-30% of engagement

Phase 1: Reconnaissance

Reconnaissance involves gathering intelligence about the target before attempting exploitation. This phase is divided into passive recon (gathering information without directly interacting with target systems) and active recon (interacting with target systems in ways that may appear in logs).

Passive reconnaissance techniques:

  • OSINT (Open Source Intelligence): Searching LinkedIn for employee names and job titles, reviewing job postings for technology stack clues, checking Shodan.io for internet-facing assets, reviewing public GitHub repositories for leaked credentials or internal hostnames, looking up DNS records via certificate transparency logs (crt.sh)
  • Reviewing public breach databases (HaveIBeenPwned, DeHashed) for previously leaked credentials associated with the target organisation's email domains
  • Google dorking to find exposed login panels, configuration files, or directory listings

Active reconnaissance techniques:

  • DNS enumeration using tools like dnsx and subfinder to discover subdomains and mail servers
  • Port scanning with Nmap to identify live hosts and running services
  • Service version detection to identify potentially vulnerable software versions

A thorough reconnaissance phase often reveals more immediately exploitable issues than active exploitation attempts. Misconfigurations, publicly exposed credentials, and forgotten internet-facing services are consistent top findings in professional pen test reports.

Phase 2: Scanning and Enumeration

With a target map established from reconnaissance, the tester conducts more detailed technical scanning.

Vulnerability scanning: Automated tools (Nessus, OpenVAS, Qualys) scan identified services for known CVEs and misconfigurations. Automated scans produce false positives and require manual validation to separate genuine vulnerabilities from scanner noise.

Verizon's 2023 Data Breach Investigations Report found that 74% of breaches included the human element, errors, privilege misuse, social engineering, and stolen credentials, while exploitation of known, patchable vulnerabilities remains a common breach vector that automated scanners find.

Service enumeration: Deeply examining specific services, SMB shares, Active Directory configurations, web application technologies, database connectivity, to understand exactly what is exposed and how it can be accessed. Tools like enum4linux, crackmapexec, and ldapdomaindump are used for Windows environment enumeration.

Web application crawling: Spidering web applications using Burp Suite's crawler, or using ffuf for directory and parameter fuzzing, to map all pages, API endpoints, and application functionality.

Phase 3: Exploitation

Exploitation attempts to use discovered vulnerabilities to gain unauthorised access. This phase typically accounts for 20-30% of total engagement time.

A well-enumerated vulnerability that is clearly exploitable may be documented without active exploitation if the risk of service disruption is high, professional pen testers do not recklessly crash production systems to prove a point.

Common exploitation techniques include:

  • Using public exploits for known CVEs against unpatched software via Metasploit or custom scripts
  • Password spraying and credential stuffing against authentication portals
  • SQL injection against web applications
  • Cross-site scripting (XSS) to demonstrate session hijacking
  • Server-Side Request Forgery (SSRF) in web applications to access cloud metadata endpoints
  • Exploiting Active Directory misconfigurations: Kerberoasting, AS-REP roasting, Pass-the-Hash, DCSync

Phase 4: Post-Exploitation

Once initial access is gained, post-exploitation demonstrates the real impact of a breach and is what distinguishes a professional engagement from a simple vulnerability scan.

  • Privilege escalation: Elevating from standard user to administrator or root using techniques such as exploiting SUID binaries on Linux or unquoted service paths on Windows
  • Lateral movement: Using the compromised system as a pivot point to access other systems in the network via pass-the-hash, pass-the-ticket, or credential relay attacks
  • Data access demonstration: Identifying and documenting sensitive data accessible with gained privileges (without exfiltrating actual customer or employee data)
  • Persistence documentation: Showing how an attacker could maintain persistent access through scheduled tasks, registry run keys, or reverse shell implants
  • Detection gap analysis: Documenting which actions triggered alerts and which did not, providing blue team with actionable improvements

Phase 5: Reporting

The deliverable of a penetration test is not access, it is the report. A professional penetration test report contains the following sections:

Executive Summary: Non-technical overview of findings and business risk, written for leadership audiences who need to understand organisational exposure without technical detail. Should answer: what can an attacker do to the organisation, and how urgently does it need to be addressed.

Technical Findings: Each vulnerability documented with: description, evidence (screenshots and proof-of-concept reproduction steps), CVSS v3.1 severity score, business impact, and specific remediation steps.

A finding that says 'apply patches' is not remediation guidance, a finding that says 'apply CVE-2023-XXXX patch on all Windows hosts running version 10.0.19041, or implement the workaround described in Microsoft Security Advisory KB5025885' is remediation guidance.

Methodology: Scope, testing type, tools used, and testing approach. Establishes the boundaries of what was and was not tested.

Appendices: Raw scan output, exploit chains, tool configuration details.

Report quality is the primary differentiator between good and poor pen testing firms. Writing ability is a non-negotiable professional skill.


Types of Penetration Tests Compared

TypeScopePrimary ToolsTypical DeliverableCost Range
External NetworkInternet-facing perimeterNmap, Metasploit, NessusFindings report, perimeter risk rating$5K-$25K
Internal NetworkLAN/WAN, Active DirectoryBloodHound, CrackMapExec, ImpacketAD attack path diagrams, internal risk report$10K-$40K
Web ApplicationWeb apps, APIs, mobile backendsBurp Suite Pro, OWASP ZAP, ffufOWASP-mapped findings, code-level remediation$5K-$30K
Mobile ApplicationiOS/Android appsMobSF, Frida, apktoolApp security report, binary analysis findings$8K-$25K
Social EngineeringHumans, email systemsGoPhish, custom pretextingClick rate statistics, security awareness gap analysis$3K-$15K
Red TeamFull kill chain simulationCustom C2 (Cobalt Strike, Havoc), all of the aboveAttack narrative, detection gap analysis$30K-$150K+

External network penetration testing targets internet-facing infrastructure, public IP ranges, web servers, mail servers, VPN gateways. The tester simulates an attacker with no prior access to the organisation's environment.

Internal network penetration testing assumes network access (simulating a compromised insider, a phishing victim, or a breach of the perimeter) and tests how far an attacker can move through the internal environment. Active Directory attacks, BloodHound path analysis, Kerberoasting, DCSync, are the core of most internal engagements.

Web application penetration testing tests web applications against the OWASP Top 10 (injection, broken authentication, insecure direct object references, security misconfigurations, XSS, and others) and application-specific business logic flaws.

Red team operations are full adversarial simulation campaigns running over weeks or months, using a combination of all techniques above plus custom implants and evasive persistence mechanisms.

Unlike standard pen tests, red team exercises are kept secret from most of the organisation's security team (only senior leadership is aware), making them a test of detection and response capabilities, not just defences.


Tools by Phase

PhaseCategoryToolNotes
ReconnaissanceOSINTtheHarvesterEmails, hostnames from search engines
ReconnaissanceSubdomain enumSubfinder, AmassPassive DNS and certificate enumeration
ReconnaissanceShodanShodan CLIInternet-facing device discovery
ScanningPort scanningNmapThe universal port and service scanner
ScanningVulnerability scannerNessus, OpenVASCVE identification against live hosts
ScanningWeb crawlingBurp Suite Pro, ffufDirectory fuzzing, parameter discovery
ExploitationExploit frameworkMetasploit FrameworkAutomated exploit delivery and post-exploitation
ExploitationWeb exploitationBurp Suite Pro, sqlmapWeb app attacks including SQLi, XSS, SSRF
ExploitationPassword attacksHashcat, John the RipperOffline hash cracking
Post-ExploitationAD analysisBloodHound, SharpHoundActive Directory attack path visualisation
Post-ExploitationLateral movementCrackMapExec, ImpacketSMB enumeration, pass-the-hash, DCSync
Post-ExploitationC2 frameworksCobalt Strike, Havoc, SliverCommand and control for red team engagements
ReportingDocumentationDradis, Plextrac, Word/MarkdownReport generation and evidence management

Certifications: OSCP vs CEH vs PNPT

CertificationIssuerTypeCostDifficultyIndustry RespectBest For
OSCP (PEN-200)Offensive SecurityHands-on lab + 24hr exam~$1,499HighVery highProfessional pen testers, job seekers
PNPTTCM SecurityPractical report-based exam$400Medium-HighHigh (growing)Beginners, career changers
eJPTeLearnSecurityBeginner practical$200Low-MediumMediumEntry-level learners
CEHEC-CouncilMultiple choice$950-$1,200Low-MediumLow among practitionersGovernment compliance
GPENSANS/GIACMultiple choice + practicum$8,000+ (with course)MediumHighEnterprise, government
GWAPTSANS/GIACMultiple choice + practicum$8,000+ (with course)MediumHighWeb app specialists
BSCPPortSwiggerLab-based$449Medium-HighHigh (growing)Web app testing specialists

OSCP is the practical gold standard. The 24-hour exam requires compromising multiple machines in a lab environment and submitting a professional-quality report within another 24 hours. Employers treat OSCP as a meaningful signal of hands-on competency in a way that multiple-choice certifications cannot replicate.

The PEN-200 course that accompanies the OSCP exam is also widely considered the best self-contained pen testing curriculum available.

PNPT (Practical Network Penetration Tester) from TCM Security is the most respected alternative to OSCP for candidates who want a practical, report-based examination without the cost and intensity of the OSCP. The TCM Security course materials are widely recommended as OSCP preparation.

CEH (Certified Ethical Hacker) from EC-Council is widely known but poorly regarded by professional pen testers because it is a multiple-choice credential that tests memorisation, not technical skill. Many experienced practitioners advise against it as a primary certification, though some government and compliance requirements list it.


Salary by Experience and Certification Level

LevelCertificationIn-HouseConsulting FirmIndependent
Entry (0-2 yrs)Security+, eJPT$65K-$85K$70K-$90KNot typical yet
Junior (2-4 yrs)Security+, PNPT$85K-$110K$90K-$115K$800-$1,200/day
Mid (4-7 yrs)OSCP$110K-$145K$115K-$160K$1,200-$1,800/day
Senior (7-12 yrs)OSCP + GPEN/GWAPT$145K-$190K$155K-$220K$1,800-$2,500/day
Principal/DirectorMultiple practicals$180K-$250K+$200K-$300K+$2,500-$4,000/day

Notes: US market figures based on Glassdoor, Levels.fyi, and InfoSec salary surveys 2023-2024. Independent contractor figures represent effective day rates for booked consultants; actual annual earnings depend on utilisation rate.

OSCP is the single certification most consistently associated with salary step-changes. Multiple recruiters report that OSCP holders receive meaningfully higher starting offers than candidates without it, particularly at the junior-to-mid transition.


Bug Bounty as an Entry Path

Bug bounty programs provide a legally defined context for security research outside of direct client engagements and are an increasingly recognised path into professional penetration testing. Platforms including HackerOne, Bugcrowd, and Intigriti host programs for thousands of companies.

For entry-level candidates, bug bounty provides:

  • Real-world targets (compared to lab environments)
  • Legal authorisation under clearly defined scope
  • Portfolio evidence that employers find credible
  • Potential earnings ($200-$50,000 per valid vulnerability, depending on severity and program)

HackerOne's 2023 Hacker Report found that 27% of respondents earned more than $50,000 from bug bounty in the prior year, and 5% earned more than $350,000. These are not representative of the average beginner, but the figures illustrate the ceiling.

Getting started with bug bounty:

  1. Start with programs marked 'beginner-friendly' on HackerOne or Bugcrowd
  2. Focus on web application vulnerabilities: XSS, IDOR, information disclosure, open redirects
  3. Understand the Bugcrowd VRT (Vulnerability Rating Taxonomy) to calibrate severity expectations
  4. Document methodology for every target, even on unsuccessful attempts, the habit builds report-writing skill
  5. A single accepted report is more valuable on a resume than another certification

Day in the Life of a Penetration Tester

A professional pen tester's day varies significantly based on engagement phase and employment type, but a representative consulting firm workday during an active engagement looks like this:

Morning (9am-12pm): Review scope documentation and resume the previous day's enumeration work. Run BloodHound against the collected Active Directory data to visualise attack paths.

Document two new findings from the previous day's exploitation attempts, including CVSS scoring and reproduction steps. Brief client contact via email on testing progress.

Afternoon (12pm-5pm): Active exploitation attempts against the highest-priority attack paths identified in the morning's BloodHound review. Attempt privilege escalation from standard domain user to domain admin via Kerberoasting. Successfully crack a service account password hash offline using Hashcat.

Document the full attack chain with screenshots. Begin drafting the executive summary for the end-of-engagement report.

Late afternoon (5pm-6pm): Team debrief with senior consultant reviewing the day's findings. Note any out-of-scope systems that were accidentally touched and document in the engagement log. Update the client-facing progress tracker.

Report-writing days (typically the final 1-2 days of an engagement): 8+ hours of writing, screenshot editing, evidence packaging, and CVSS scoring. A 20-finding pen test report can take 15-25 hours to write to a professional standard.


Every penetration tester must understand the legal constraints on their work. The key principle is explicit written authorisation before touching any system. No exceptions.

In the United States, the Computer Fraud and Abuse Act (CFAA) criminalises unauthorised access to computer systems. Verbal permission is not authorisation under the CFAA. Working outside agreed scope on a contracted engagement can constitute a criminal offence even if the client later claims they did not object.

Several pen testers have faced CFAA charges for actions taken during authorised engagements that drifted outside the agreed scope, the legal boundaries are strict.

In the United Kingdom, the Computer Misuse Act 1990 (as amended) applies equivalent constraints. The EU's NIS2 Directive and national cybercrime laws in member states provide similar frameworks.

Cloud environments have additional complexity: obtaining authorisation from the client organisation is necessary but not sufficient. AWS, Azure, and GCP all have penetration testing policies. AWS permits most testing without advance notification but prohibits specific activities (DNS zone walking via Route 53, DDoS simulation).

Azure requires advance notification for certain testing activities. GCP has a similar framework. Violating cloud provider terms during a test can result in account suspension and provider cooperation with law enforcement.

Third-party infrastructure presents another boundary: if the in-scope application uses a third-party CDN, SaaS API, or shared hosting environment, testing those components requires authorisation from the third party, not just the client. This is frequently overlooked and is a source of legal exposure.

Bug bounty programmes provide a legally defined context for security research outside of direct client engagements, but programmes have strict scope limitations that must be respected. Exceeding the stated scope of a bug bounty programme has resulted in criminal referrals even when the researcher was acting in good faith.


Career Entry Paths

Most professional pen testers follow one of three entry paths:

Path 1: IT/Sysadmin to Security: 2-4 years in network administration, system administration, or help desk, followed by security certifications (Security+, PNPT, OSCP) and transition to a junior security role. Most common path and provides the strongest technical foundation.

Path 2: SOC Analyst to Pen Tester: 1-2 years as a Security Operations Center analyst provides defensive perspective that makes offensive work more effective and employable. Many employers prefer pen testers who understand what defenders see.

Path 3: Direct Entry via CTF/Bug Bounty: Candidates who build a visible portfolio through CTF competition results (hack the box rankings, CTFtime placements) and bug bounty reports can sometimes enter pen testing roles without prior professional security experience.

This path is competitive and requires exceptional self-directed learning output.


Sources & Further Reading

  1. PTES Technical Guidelines (Penetration Testing Execution Standard). pentest-standard.org
  2. OWASP Testing Guide v4.2 (2023). owasp.org/www-project-web-security-testing-guide
  3. NIST SP 800-115: Technical Guide to Information Security Testing and Assessment. csrc.nist.gov
  4. Georgia Weidman, 'Penetration Testing: A Hands-On Introduction to Hacking' (No Starch Press, 2nd Edition, 2023)
  5. Offensive Security OSCP Certification (PEN-200). offensive-security.com
  6. TCM Security PNPT Practical Network Penetration Tester. tcm-sec.com
  7. Computer Fraud and Abuse Act (18 U.S.C. 1030). law.cornell.edu
  8. UK Computer Misuse Act 1990. legislation.gov.uk
  9. AWS Penetration Testing Policy. aws.amazon.com/security/penetration-testing
  10. CVSS v3.1 Specification (Common Vulnerability Scoring System). first.org/cvss
  11. MITRE ATT&CK Enterprise Framework. attack.mitre.org
  12. PortSwigger Burp Suite Documentation. portswigger.net/burp/documentation
  13. HackerOne 2023 Hacker Report. hackerone.com/resources/hacker-report
  14. Verizon 2023 Data Breach Investigations Report. verizon.com/business/resources/reports/dbir
  15. Glassdoor and InfoSec salary surveys 2023-2024. glassdoor.com
  16. BloodHound/SharpHound Documentation. bloodhound.readthedocs.io

Frequently Asked Questions

What are the five phases of penetration testing?

Reconnaissance (information gathering), scanning and enumeration (identifying services and vulnerabilities), exploitation (gaining access), post-exploitation (privilege escalation and lateral movement), and reporting (documenting findings with remediation guidance). Reporting typically consumes 20-30% of total engagement time.

What is the difference between OSCP and CEH?

OSCP requires passing a 24-hour hands-on lab exam and submitting a professional report, testing real technical skill. CEH is a multiple-choice exam that tests memorisation. Employers and practitioners consistently rate OSCP as the more credible credential; many experienced pen testers advise against CEH as a primary certification.

How much does a penetration tester earn with OSCP?

In the US, OSCP holders at mid-level (4-7 years experience) earn \(110K-\)145K in-house or \(115K-\)160K at consulting firms. Senior pen testers with OSCP plus additional certifications earn \(145K-\)220K+. Independent contractors with OSCP typically charge \(1,200-\)2,500 per day.

Is penetration testing legal?

Only with written authorisation. A signed Statement of Work and Rules of Engagement are required before testing any system. Testing without written permission violates the US Computer Fraud and Abuse Act and equivalent laws in other countries, even if the system owner verbally consented or the tester had good intentions.

Can bug bounty hunting lead to a penetration testing career?

Yes. A HackerOne or Bugcrowd profile with accepted vulnerability reports is treated as credible portfolio evidence by pen testing employers. HackerOne reports that the median new user submits their first valid report within 30 days of active participation. Even low-severity finds documented with clear methodology strengthen a job application significantly.