What to Expect From a Penetration Test?

So you just decided to pull the trigger and purchase that shiny new penetration test you’ve had your eye on for a while. You got organizational buy-in, a check has been cut, and you’re ready to see the vulnerabilities on your network and make some meaningful changes. But what exactly comes next? How do we get from Point A of a signed contract to Point B of a penetration testing report in your hands? Let’s walk through some basics regarding the phases you can expect from a penetration test.

Project Initiation

With signed documents in hand, the first step to get started on an assessment is usually to schedule a kick off call or project initiation meeting. This meeting is designed to set the stage for the upcoming penetration testing engagement. The main topics reviewed here are the points of contact on both sides, the projected testing schedule, the Rules of Engagement (ROE) that will govern the testing team, and any remaining action items required prior to beginning testing. This call is a great time to ask questions of your penetration testing team and make sure the scope of the engagement is accurate. Additionally, you’ll likely have some homework in the form of action items. Takeaways could include gathering target information that’s still needed, creating accounts, confirming delivery presentation dates, and completing/signing the ROE.

Penetration Testing

Once the scope, schedule, and ROE have been confirmed, penetration testing can officially start. Based on the defined schedule, your testing team may go quiet until that start date, depending on if any follow-up is required. But when the day arrives, you can expect a “Start Test” notification via email or the project management portal, letting you know that testing is going to commence. At this point, there’s not much for you to do except sit back and watch, when it comes to a penetration test. You’ll want to be available for any issues that arise during testing and, additionally, be aware of any issues or alerts being generated in your network to let your testing team know.


At the end of the designated testing window (or before in some cases), you can expect to receive a “Stop Test” notification, letting you know that all active testing has been completed. One important note here. There may be some amount of manual follow-up required during the analysis, quality assurance, and documentation phases to confirm findings, gather more information, etc. So don’t change anything on the network or remove any testing allowances at this point. Meanwhile, your testing team should be turning the technical assessment into thorough documentation to explain the results of the testing. This will also include a couple rounds of quality assurance reviews to make sure everything included is up to par.


Finally, after everything above has been completed, you’ll receive the documentation produced from the penetration testing and be ready for the deliverable. This should all be planned in advance, but the deliverable is usually a 1 – 2 hour onsite meeting or remote presentation. Your assessment team will walk you through all of the documentation and findings, making sure they can answer any questions and you walk away with a thorough understanding of the results. Following this meeting, any necessary updates that are identified will be made to documentation and the process is complete. While this process isn’t incredibly complicated, it can help to know what to expect to take some of the mystery and stress away that comes with a new process.

Hopefully this basic overview of the phases to expect from a penetration test will help you better prepare for jumping into this process for the first time. If you want to talk more about having a penetration test conducted, contact us today!