Penetration Testing Methodology: Scoping Through Reporting
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
Penetration testing is structured adversarial assessment. It is not hacking around until you find something interesting — it follows a defined methodology with clear phases, rules of engagement, and deliverables. The methodology is what separates a professional pentest from aimless vulnerability scanning.
Scoping and Rules of Engagement
Every engagement starts with scoping. Define the target environment (IP ranges, domains, applications), the testing type (black box, gray box, white box), and the boundaries. What systems are off-limits? Is social engineering in scope? Can you test during business hours or only after?
The Rules of Engagement (RoE) document is a legal necessity. It specifies what you are authorized to do, the testing window, emergency contacts, and the process for reporting critical findings immediately rather than waiting for the final report. Get this signed before touching a single system.
Define success criteria upfront. Is the goal to find as many vulnerabilities as possible, or to simulate a specific threat actor targeting crown jewels? This determines your approach, time allocation, and reporting focus.
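One way to make the signed RoE machine-checkable before any packet is sent, as an added example that is not part of the original article: the scoped networks, domains, exclusions and testing window below are constructed placeholders, and the dictionary field names are an assumption rather than any standard RoE schema.

```python
import ipaddress
from datetime import datetime, time

# Constructed RoE for illustration; the field names are an assumption, not a standard schema.
ROE = {
    "networks": [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/25")],
    "domains": ["example.com"],
    "excluded_hosts": [ipaddress.ip_address("203.0.113.5")],   # e.g. production database, off-limits
    "excluded_domains": ["payments.example.com"],
    "window": (time(22, 0), time(6, 0)),                        # after-hours testing only
}

def _matches(host, domains):
    # Exact match or a subdomain of a scoped domain; "example.com.evil.net" must not match.
    return any(host == d or host.endswith("." + d) for d in domains)

def host_in_scope(target, roe=ROE):
    """True if target (IP address or hostname) is inside the authorized scope and not excluded."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        host = target.lower().rstrip(".")
        return not _matches(host, roe["excluded_domains"]) and _matches(host, roe["domains"])
    if ip in roe["excluded_hosts"]:
        return False
    return any(ip in net for net in roe["networks"])

def in_window(when, roe=ROE):
    """True if the timestamp falls inside the testing window, which may wrap past midnight."""
    start, end = roe["window"]
    t = when.time()
    return start <= t <= end if start <= end else (t >= start or t <= end)

def authorized(target, iso_when, roe=ROE):
    """Single gate to call before any active interaction: scope check plus testing-window check."""
    return host_in_scope(target, roe) and in_window(datetime.fromisoformat(iso_when), roe)
```

Wrap every scanner invocation in this gate so an out-of-scope host or a daytime scan fails closed instead of relying on the tester remembering the RoE.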
Reconnaissance
Passive recon happens before you send a single packet to the target. OSINT sources include DNS records, WHOIS data, certificate transparency logs, job postings (which reveal technology stacks), code repositories, and paste sites. Tools like Amass, Subfinder, and theHarvester automate subdomain and email discovery.
Active recon involves direct interaction: port scanning with Nmap, service enumeration, directory brute-forcing web applications, and banner grabbing. Structure your scans — start broad (top 1000 ports across all hosts), then go deep (full port scans on interesting hosts, UDP scans on common services).
Document everything. Your recon notes become the foundation for the attack plan and the appendix of your report.
Exploitation and Post-Exploitation
Exploitation is where recon findings translate into demonstrated impact. Prioritize attack paths that chain multiple lower-severity findings into high-impact outcomes. A single medium-risk vulnerability might not impress anyone, but chaining it with two other findings to reach domain admin tells a compelling story.
Post-exploitation demonstrates business impact. If you get a shell on a web server, show what an attacker could access from there. Pivot to internal networks, access sensitive databases, extract credentials, move laterally. Document the path from initial access to the objective.
Maintain operational security appropriate to the engagement type. If the client wants to test their detection capabilities, avoid triggering obvious alerts. If detection testing is not in scope, efficiency matters more than stealth.
Reporting
The report is the deliverable. Everything else is just how you got there. A pentest report needs to serve two audiences: technical staff who will fix the findings, and executives who will fund the remediation.
Structure each finding with: description, affected systems, severity rating (use CVSS for consistency), evidence (screenshots, command output, request/response pairs), business impact explanation, and specific remediation steps. Generic advice like “keep systems patched” is not helpful — tell them exactly what to patch and how.
Include an executive summary that explains the overall risk posture in business terms: how many findings there are, how they are distributed by severity, what worst-case scenario the findings enable, and what should be fixed first.
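As an added example that is not part of the original article, a small Python model of the finding structure described above: each finding carries the fields the article lists, severity is derived from the CVSS v3.x base score, a validator rejects findings with no evidence or a generic remediation, and a summary function produces the counts, severity distribution and fix order for the executive summary. The sample findings, hostnames and file names are constructed.

```python
from collections import Counter
from dataclasses import dataclass
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "None"]

def cvss_severity(score):
    """Map a CVSS v3.x base score to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    return ("None" if score == 0.0 else "Low" if score < 4.0 else
            "Medium" if score < 7.0 else "High" if score < 9.0 else "Critical")

@dataclass
class Finding:
    title: str
    affected: list     # hostnames or IPs
    cvss: float        # CVSS v3.x base score
    evidence: list     # screenshots, command output, request/response pairs
    impact: str        # business impact in plain language
    remediation: str   # specific steps, not "keep systems patched"
    @property
    def severity(self):
        return cvss_severity(self.cvss)

def validate(f):
    """Return the problems that would make this finding useless to the remediation team."""
    problems = []
    if not f.affected: problems.append("no affected systems listed")
    if not f.evidence: problems.append("no evidence attached")
    if not f.impact.strip(): problems.append("missing business impact")
    if len(f.remediation.split()) < 8: problems.append("remediation is generic or too short")
    return problems

def executive_summary(findings):
    """Totals, severity distribution, worst-case impact and fix order for the summary."""
    counts = Counter(f.severity for f in findings)
    ordered = sorted(findings, key=lambda f: (SEVERITY_ORDER.index(f.severity), -f.cvss))
    return {"total": len(findings),
            "distribution": {s: counts.get(s, 0) for s in SEVERITY_ORDER},
            "worst_case": ordered[0].impact if ordered else "no findings",
            "fix_first": [f.title for f in ordered]}

# Constructed sample findings for illustration, not from a real engagement.
SAMPLE = [
    Finding("SQL injection in /search", ["app01.example.com"], 8.8, ["req-resp-01.txt"],
            "Full read of the customer database", "Parameterize the query in SearchController.php; reject input outside the allow-list."),
    Finding("Default credentials on Tomcat manager", ["10.0.0.12"], 9.8, ["screenshot-02.png"],
            "Remote code execution as the service account", "Remove the default account, restrict /manager to the admin VLAN, require MFA."),
    Finding("Verbose server banner", ["app01.example.com"], 2.0, [], "Reveals the exact version", "Harden the server"),
]
```

The word-count check on remediation is a crude stand-in for a human review; its purpose is to flag the "keep systems patched" class of advice before the report goes out.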
Next Steps
- Test your pentesting knowledge with the skills assessment
- Browse offensive security topics in the skills library
- Plan your certification path with the certificate roadmap — OSCP, PNPT, and GPEN are the standard pentest certifications
Related Guides in This Series
- Binary Exploitation: From Buffer Overflows to Modern Techniques — HADESS | 2026
- Low-Level Exploitation: Kernel, Driver, and Firmware Attacks — HADESS | 2026
- OWASP ZAP: Web Application Security Testing — HADESS | 2026
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
