Pentesting step-by-step guide

In this document you'll find a short description of each phase, to

Phase 0. Client interaction

Before any technical activities begin, it's critical to establish a clear and mutual understanding with the client. This phase lays the foundation for a successful and legally sound penetration test. It ensures that expectations are aligned, the scope is well-defined, and all required authorizations are in place.

It consists of specifying the scope, the actions to be carried out, and the other matters needed to carry out the penetration test successfully, including the rules of engagement and the scheduled time for each piece of work.
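One way to make the agreed scope and schedule enforceable during the test is to encode them as data and check every target against them before any activity. This is an added example, not part of the original guide; the `RulesOfEngagement` fields, the address ranges and the dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RulesOfEngagement:
    in_scope: tuple        # CIDR blocks the client authorized
    excluded: tuple        # blocks carved out of the authorized scope
    window_start: time     # daily start of the scheduled testing window
    window_end: time       # daily end (may be past midnight)
    valid_from: datetime   # first moment the authorization applies
    valid_until: datetime  # last moment the authorization applies


def in_window(roe, t):
    """True if time-of-day t falls inside the scheduled window."""
    if roe.window_start <= roe.window_end:
        return roe.window_start <= t <= roe.window_end
    return t >= roe.window_start or t <= roe.window_end  # crosses midnight


def check_target(roe, target, when):
    """Return (allowed, reason) for testing `target` at datetime `when`."""
    addr = ip_address(target)
    if not roe.valid_from <= when <= roe.valid_until:
        return False, "outside authorization period"
    if not in_window(roe, when.time()):
        return False, "outside scheduled testing window"
    if any(addr in ip_network(net) for net in roe.excluded):
        return False, "explicitly excluded"
    if not any(addr in ip_network(net) for net in roe.in_scope):
        return False, "not in scope"
    return True, "in scope"


# Constructed sample engagement (RFC 5737 documentation ranges).
ROE = RulesOfEngagement(
    in_scope=("192.0.2.0/24", "198.51.100.0/25"),
    excluded=("192.0.2.10/32",),
    window_start=time(22, 0),
    window_end=time(6, 0),
    valid_from=datetime(2024, 3, 1, 0, 0),
    valid_until=datetime(2024, 3, 15, 23, 59),
)

if __name__ == "__main__":
    for host in ("192.0.2.25", "192.0.2.10", "203.0.113.5"):
        print(host, check_target(ROE, host, datetime(2024, 3, 4, 23, 30)))
```

Exclusions are checked before inclusions, so a host the client carved out stays blocked even when it sits inside an authorized range.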

Phase 1. Data Gathering

Target analysis involves gathering and examining information about the organization's assets through OSINT sources, direct inspection, and contextual evaluation. This includes identifying and characterizing potential targets, taking into account their role within business processes and their overall value to the organization. Additionally, this phase assesses both internal and external contexts to identify potential avenues for attack, evaluates existing protective measures, and determines relevant threat actors and their capabilities. The outcome is a clear understanding of which attack scenarios are most likely and should be prioritized in later phases.

Phase 2. Vulnerability Assessment

This phase is the process of discovering flaws in information systems that an attacker could exploit. These can range from poor configuration to insecure design, and therefore must be identified using different techniques. The vulnerabilities found must be verified to determine which ones can be used in the next phase.

Phase 5. Vulnerability Exploitation

This phase involves executing mechanisms to gain access to a system or resource by bypassing security restrictions. An attempt is made to take advantage of the identified vulnerabilities to access the assets considered in the audit, using exploits and targeted attacks of different types to gain control of the systems.

Phase 6. Post-Exploitation

In this phase, mechanisms are prepared to ensure the persistence of the access obtained, and lateral movements are carried out to achieve control of other assets. The aim is to obtain the greatest possible value from the access obtained by analyzing and collecting the most valuable information.

Phase 7. Reporting

The last phase consists of preparing a report specifying the conclusions of the penetration tests. Two documents are generated: the detailed audit report, which contains the technical and methodological results obtained, and the executive report, which summarises the results obtained, the associated risk and the proposed mitigation plan for those risks.