Coloured diagram with four interlocking circles representing the phases/process of a penetration test: 1. planning and preparation, 2. automated scanning, 3. manual penetration testing, 4. validation and report.

Penetration test procedure in 4 phases

The objective of a penetration test is defined individually according to the company's requirements. A pentest at mioso - IT Security usually runs through 4 phases. The start of a pentest begins before our pentesters launch a simulated attack on the system. The company and its systems, including strengths and weaknesses, are analysed and the possible strategies for an attack are determined.

What is the pentest procedure at mioso - IT Security?

1. Planning and preparation
In the preparation phase, we discuss the scope of the pentest and the required resources on the part of the company with the customer. The test period is defined here and, depending on the type of pentest, our pentesters are given user accounts with different authorisations or just a target IP, for example. Before the actual pentest begins, as much information as possible is collected in this phase that could be of interest. Various publicly available sources of information are searched for this purpose. Auch die möglichen Angriffsvektoren werden in der Vorbereitungsphase erkundet. Sometimes our pentesters also carry out port scans and document the versions of services and applications.

2. Automated scanning
The automated tests serve as the basis for the subsequent manual tests. Automated tools are used to scan the environment and identify potential vulnerabilities and possible points of attack. The automated scans are always monitored by our qualified IT security specialists to ensure that the tools do not overshoot the mark. We see the results as supplementary preparatory work - not as a replacement for a manual pentest.

3. Manual penetration testing
Automated penetration tests alone are not enough. Since automated tools are only as good as the existing database of known vulnerabilities, not all security gaps and potential attack vectors can be recognised. Automated pentests often deliver incomplete and/or incorrect results (e.g. false positives). In our manual pentest, the results from the automated scanning and testing are verified and further more complex tests for vulnerabilities are carried out.

4. Validation and report
4 Validation and report As the provider, we record the results of the pentest in a report. You also receive suggestions for improvement measures for the identified vulnerabilities. Our final report contains the documentation of the procedure, detailed test results and a list of weaknesses with the focal points identified. Weak points are described in more detail and a proof of concept is provided if necessary. In addition, the vulnerabilities found are classified using a risk matrix. You can see what a pentest report from mioso - IT Security can look like on the "Example pentest report" page.