Walk me through the phases of a penetration test from kickoff to delivery.
Short answer
A pentest moves through pre-engagement (scope and rules of engagement), reconnaissance, scanning and enumeration, exploitation, post-exploitation, and reporting. Each phase feeds the next, and reporting is where the value is actually delivered to the client.
A penetration test is not "run a scanner and exploit whatever pops." It is a structured engagement with phases that each build on the last. Frameworks like the PTES (Penetration Testing Execution Standard) and the OSSTMM formalize this, and most interviewers want to hear that structure.
The phases
- Pre-engagement / scoping. Before any packets fly, you agree on what's in scope, the rules of engagement, timing, emergency contacts, and authorization. This is the legal and practical foundation — without written authorization, you are just committing a crime.
- Reconnaissance. Gather information about the target, passively (OSINT, DNS, certificate transparency) and then actively (probing live hosts). The goal is to build a map of the attack surface.
- Scanning and enumeration. Identify live hosts, open ports, running services, and versions. Enumeration goes deeper — usernames, shares, endpoints, software stacks — turning a list of services into a list of candidate weaknesses.
- Exploitation. Attempt to gain access by leveraging the vulnerabilities you found. This is the phase people picture, but it is often the shortest.
- Post-exploitation. Once inside, determine the impact: escalate privileges, pivot to other systems, access sensitive data, and establish persistence (if in scope). This answers the question the client actually cares about — "how bad is it?"
- Reporting. Document findings, evidence, business impact, and remediation guidance. This is the deliverable. A brilliant exploit chain is worthless if the report can't drive a fix.
What interviewers look for
They want to see that you treat reporting and scoping as first-class phases, not afterthoughts, and that you understand post-exploitation is where you demonstrate real business risk rather than just "I got a shell."
Likely follow-ups
- Why is post-exploitation a distinct phase from exploitation?
- What happens during pre-engagement that protects both you and the client?
- How does the methodology differ for a black-box versus white-box test?