What Happens During a Penetration Test? From Booking to Report
You have decided to conduct a penetration test. You have prepared the test environment and test credentials, defined the scope and signed authorisation. But what actually happens from this point until you have a finished report in hand? In this article, we take you through the entire process step by step.
At Awareness Security, we follow a structured process with four checkpoints — what we call the Human-in-Control process. Each checkpoint ensures you have full visibility and control over what happens with your systems.
The first phase is authorisation and onboarding — Gate 0. This is everything we covered in the article about preparation. Scope is defined, authorisation is signed digitally, and the testing window is approved. No testing starts before this is in place. You get access to a portal where you can follow status throughout the engagement.
Once authorisation is in place, the technical part begins with reconnaissance. Testers map the application's attack surface — which pages, features, API endpoints and technologies are exposed. AI-assisted scanning helps identify obvious entry points and potential weaknesses quickly. All this analysis runs locally on our infrastructure — no data is sent to external providers.
Based on reconnaissance, an attack plan is prepared — Gate 1. This plan describes which testing techniques will be used, which areas are prioritised, and any risks associated with the testing. You get to see the plan, and a security analyst reviews and approves it before active testing begins. No attacks are executed without the plan being approved.
Why is this important? Because penetration testing involves active manipulation of your application. We will attempt to bypass authentication, escalate privileges, inject malicious input, and test the limits of what the application allows. The attack plan ensures this is done in a controlled manner within the agreed scope.
Then the actual testing begins. Security experts work systematically through the attack plan. They test for OWASP Top 10 vulnerabilities such as broken access control, injection and security misconfiguration. They try to find business logic flaws — can a user order goods at a negative price? Can someone view other users' data by changing an ID in the URL? Can a regular user access admin functions?
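As an added example (not code from the article or from Awareness Security), here are the server-side checks that close two of the business logic flaws named above: an order at a negative price, and viewing another user's record by changing an ID. The catalogue, orders and function names are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed server-side price list: the client sends a SKU and quantity,
# never a price, so a tampered or negative price cannot reach the total.
CATALOGUE = {"sku-1": Decimal("19.90"), "sku-2": Decimal("5.00")}

@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total: Decimal

# Constructed sample orders belonging to two different users.
ORDERS = {
    1001: Order(order_id=1001, owner_id=7, total=Decimal("39.80")),
    1002: Order(order_id=1002, owner_id=8, total=Decimal("5.00")),
}

class ValidationError(Exception): pass
class AuthorizationError(Exception): pass

def compute_total(items: list[tuple[str, int]]) -> Decimal:
    """Recompute the total from the catalogue; reject unknown SKUs and
    non-positive quantities so a negative line item has no effect."""
    total = Decimal("0")
    for sku, quantity in items:
        if sku not in CATALOGUE:
            raise ValidationError(f"unknown sku {sku}")
        if not isinstance(quantity, int) or quantity <= 0:
            raise ValidationError("quantity must be a positive integer")
        total += CATALOGUE[sku] * quantity
    return total

def get_order(user_id: int, order_id: int, is_admin: bool = False) -> Order:
    """Object-level authorization: the order must belong to the requester
    unless they are an admin; missing and forbidden look identical."""
    order = ORDERS.get(order_id)
    if order is None or (order.owner_id != user_id and not is_admin):
        raise AuthorizationError("order not found")
    return order

def is_rejected(func, *args, **kwargs) -> bool:
    """True if the call is refused with a validation or authorization error."""
    try:
        func(*args, **kwargs)
    except (ValidationError, AuthorizationError):
        return True
    return False
```

The point a tester checks for is that these validations run on the server for every request, regardless of what the client-side form allows.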
Testing is a combination of automated tools and manual creativity. AI models are good at systematic testing — they check hundreds of parameters for known vulnerability patterns. But the most serious vulnerabilities are found by humans. Business logic flaws, complex access control issues and context-specific weaknesses require human understanding.
Throughout the process, testers document everything they find. Each finding is described with what the vulnerability is, how it was discovered, what risk it poses, and how it can be exploited. Screenshots and technical details are included so your developers can reproduce and understand the issue.
When testing is complete, all findings are validated — Gate 2. This is a critical step that separates professional penetration testing from automated scanning. Security experts review each finding manually to eliminate false positives. A finding that looks serious in an automated report may turn out to be harmless in context — or vice versa. Validation ensures you only receive reports of genuine vulnerabilities.
Each vulnerability is assigned a severity rating: critical, high, medium or low. The assessment considers how easily the vulnerability can be exploited, what the consequence is if it is exploited, and how exposed it is. An SQL injection on the login page is critical. A missing security header is low.
Then comes delivery — Gate 3. The report is written and quality-assured by humans, not generated by AI. A typical report contains an executive summary that explains the most important findings in non-technical language — this is for management and decision-makers. Then comes a technical detail section for each finding with description, risk assessment, reproduction steps and concrete remediation recommendations.
The report also includes an overview of what was tested and what was not tested, the methodology used, and a prioritised action plan. The most critical vulnerabilities should be remediated first, and the report gives you a clear roadmap.
Many providers stop here, but it is after the report that the real work begins. We recommend prioritising findings based on severity and feasibility. Critical and high findings should be remediated immediately. Medium findings should be planned into the next sprint or development cycle. Low findings can be addressed over time.
Retesting is an important part of the process. After developers have remediated the vulnerabilities, it should be verified that the fix actually works and has not introduced new problems. Agree with the provider whether retesting is included in the price or costs extra.
The entire process — from start to delivered report — typically takes 2-4 weeks for a standard web application. The actual testing usually accounts for 1-2 weeks, while report writing, validation and quality assurance take an additional few days.
A good penetration test gives you more than a list of vulnerabilities. It gives you insight into your application's actual security level, concrete actions you can prioritise, documentation you can use for compliance purposes, and confidence that the most critical weaknesses have been identified.
Want to know more about how the process works with us? Get in touch for a no-obligation conversation — we will guide you through the entire journey.