
Penetration Testing Methodology Explained for CompTIA PenTest+

Penetration testing without a methodology is just hacking. The PenTest+ exam tests whether you can execute an authorized, structured security assessment that provides real value to an organization: finding exploitable weaknesses before attackers do, documenting findings in a way that enables remediation, and operating within defined boundaries that protect both the tester and the client. Every phase of the penetration testing lifecycle exists for a reason, and understanding those reasons is what distinguishes a certified professional from someone who just runs scanning tools.


Planning, scoping, and reconnaissance

Every penetration test begins with defining its scope and obtaining written authorization. The Rules of Engagement (RoE) document specifies what systems can be tested (IP ranges, domains, applications, and explicit exclusions), which attack techniques are permitted or prohibited, the testing time window, how to handle sensitive data discovered during testing, and emergency contact procedures if testing causes unintended disruption. Authorization has to come from whoever actually owns the asset: systems hosted by a third party (a cloud provider, a SaaS vendor, a hosting company) may also require that provider's permission or must follow its published penetration-testing policy. Operating without written authorization is illegal regardless of intent. The scope must be clearly documented and signed before any technical work begins, including passive reconnaissance.

Reconnaissance is the information-gathering phase. Passive reconnaissance collects information without sending anything to the target's own systems: searching public records, LinkedIn profiles, job postings, DNS records held by third parties, WHOIS data, and certificate transparency logs. Because nothing touches the target's infrastructure, it leaves no logs there and triggers no IDS alerts. Active reconnaissance directly interacts with target systems: DNS zone transfer (AXFR) attempts against the target's name servers, port scanning, banner grabbing, web application crawling. Active reconnaissance may alert defenders and, like every other phase, is performed only after written authorization is in place and only against hosts that are inside the agreed scope.

OSINT (Open Source Intelligence) is a key passive reconnaissance technique. Tools like Shodan search an existing index of internet-wide scans for exposed services (including devices that should not be publicly accessible), so querying Shodan is passive even though the underlying data came from scanning: the tester never sends a packet to the target. Maltego maps relationships between people, organizations, domains, and IP addresses. Google dorks use advanced search operators to find sensitive files, login portals, and configuration data inadvertently exposed on public websites. OSINT findings often reveal attack surface that the organization did not know was publicly accessible, and they frequently turn up hosts that are not in the signed scope, which must be reported rather than scanned.
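
The hand-off from passive reconnaissance to active scanning is where scope discipline matters most, so here is an added example (written for this page, not CompTIA's or any vendor's code) of a scope gate: it assumes a hypothetical Rules of Engagement (client domain example.com, the 203.0.113.0/24 documentation range, one excluded host, a two-week window) and a constructed sample of Certificate Transparency records in the JSON shape crt.sh returns. It sends nothing to a network; it only decides which discovered names may be handed to an active tool.

```python
"""Scope gate between passive reconnaissance output and any active tool.

Added example for this page, not code from CompTIA or any vendor. The RoE,
the names and the CT records below are all constructed; nothing here touches
a network.
"""
import ipaddress
import json
from datetime import datetime

# Constructed RoE for a hypothetical engagement (all names and ranges assumed).
RULES_OF_ENGAGEMENT = {
    "in_scope_domains": ["example.com"],
    "in_scope_cidrs": ["203.0.113.0/24"],
    "excluded_hosts": ["payroll.example.com"],   # client carved this out of scope
    "window_utc": ("2024-06-01T00:00:00", "2024-06-15T00:00:00"),
}

# Constructed crt.sh-style output. Real CT records list several names per
# certificate separated by newlines and often include wildcard entries.
CT_LOG_SAMPLE = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.example.com"},
    {"name_value": "vpn.example.com"},
    {"name_value": "payroll.example.com"},
    {"name_value": "notexample.com"},                    # suffix look-alike
    {"name_value": "example.com.evil-lookalike.net"},    # prefix look-alike
])


def parse_ct_names(ct_json):
    """Flatten CT records into a set of lowercase hostnames.

    A wildcard entry "*.example.com" proves the apex is in use but names no
    host, so only the apex is kept from it.
    """
    names = set()
    for record in json.loads(ct_json):
        for raw in record["name_value"].splitlines():
            host = raw.strip().lower()
            if host.startswith("*."):
                host = host[2:]
            if host:
                names.add(host)
    return names


def host_in_scope(host, roe):
    """True only for the in-scope apex or a label-aligned subdomain of it.

    Matching on "." + domain (not a bare string suffix) is what keeps
    "notexample.com" out; the equality test keeps the apex itself in.
    """
    if host in roe["excluded_hosts"]:
        return False
    return any(host == d or host.endswith("." + d) for d in roe["in_scope_domains"])


def ip_in_scope(ip, roe):
    """True when the address falls inside one of the RoE CIDRs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in roe["in_scope_cidrs"])


def triage(hosts, roe):
    """Split discovered names into in-scope, explicitly excluded, and out-of-scope."""
    result = {"in_scope": [], "excluded": [], "out_of_scope": []}
    for host in sorted(hosts):
        if host in roe["excluded_hosts"]:
            result["excluded"].append(host)
        elif host_in_scope(host, roe):
            result["in_scope"].append(host)
        else:
            result["out_of_scope"].append(host)
    return result


def within_window(now_iso, roe):
    """Testing-window check; timestamps are ISO 8601 in UTC, end is exclusive."""
    start, end = (datetime.fromisoformat(t) for t in roe["window_utc"])
    return start <= datetime.fromisoformat(now_iso) < end


def active_targets(hosts, roe, now_iso):
    """Names that may be passed to an active tool (for example a scanner's target list).

    Refuses outright outside the RoE window. Excluded and out-of-scope names
    never reach the scanner; they go into the report as observations only.
    """
    if not within_window(now_iso, roe):
        raise PermissionError("outside the RoE testing window: no active scanning")
    return triage(hosts, roe)["in_scope"]


if __name__ == "__main__":
    discovered = parse_ct_names(CT_LOG_SAMPLE)
    print(triage(discovered, RULES_OF_ENGAGEMENT))
    print(active_targets(discovered, RULES_OF_ENGAGEMENT, "2024-06-03T14:00:00"))
```

The two look-alike names are the point of the example: a naive `endswith("example.com")` would pull `notexample.com` into scope, and `example.com.evil-lookalike.net` would pass any check that only looks for the client's name somewhere in the string. Both end up in the out-of-scope list, which is still worth a line in the report because look-alike domains are themselves a finding.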

Exploitation, post-exploitation, and reporting

The exploitation phase uses discovered vulnerabilities to gain initial access to target systems. Techniques include password attacks (brute force, credential stuffing, password spraying against login portals), phishing (simulated email attacks to capture credentials or deliver payloads), vulnerability exploitation (using Metasploit or manual exploits against known CVEs), and web application attacks (SQL injection, XSS, authentication bypass). The goal is to demonstrate that a vulnerability is exploitable, not to cause damage. That constraint shapes the technique: password spraying against a live portal has to stay under the account-lockout threshold agreed in the RoE or it locks out real users, and a public exploit for a known CVE should be matched to the target's exact version and tried in a lab first when it could crash a production service.

Post-exploitation demonstrates the impact of a successful initial compromise. Privilege escalation moves from a low-privilege account to administrator or root. Lateral movement spreads access to other systems within the network. Persistence establishes mechanisms to maintain access (scheduled tasks, registry run keys, web shells). Data exfiltration demonstrates what an attacker could steal; in practice the tester moves a marker file or a small agreed sample rather than real customer data, following the data-handling rules in the RoE. Each of these steps is carefully documented with timestamps, screenshots, and command output for the final report, and every artifact the tester leaves behind (shells, created accounts, scheduled tasks, uploaded tools) is logged so that post-engagement cleanup can remove all of it.

The penetration test report is the primary deliverable that provides value to the client. It includes an executive summary for non-technical leadership (business impact, overall risk rating, key findings), a technical findings section for the security team (each vulnerability with evidence, CVSS score, affected systems, and remediation steps), and an appendix with raw data (scan output, tool logs, request and response captures). It also records what was tested and when (scope, dates, methodology), so that a finding-free section is read as "nothing found under these conditions" rather than "nothing there". Findings are prioritized by risk: critical findings with active exploitation paths appear first. Remediation recommendations must be specific and actionable, not generic: the patch version or configuration change for the affected host, not "apply updates".

How to choose the correct answer

Written authorization (Rules of Engagement) must exist before any testing activity, including passive reconnaissance.

Passive recon: no direct target interaction (OSINT, public records, WHOIS, certificate transparency logs, DNS data taken from third-party sources). Querying the target's own authoritative name server, or attempting a zone transfer from it, interacts with the target and counts as active.

Active recon: direct interaction with target (port scanning, banner grabbing, web crawling). More detectable.

Exploitation: demonstrate vulnerability is exploitable. Post-exploitation: demonstrate impact (privilege escalation, lateral movement, data exfiltration).

Reporting: executive summary for leadership (business risk), technical findings for security team (remediation steps).

Retesting: after client applies fixes, retest to verify remediation was effective. Not part of original pentest scope unless agreed.

Black box (PT0-002 wording: unknown-environment test): no prior knowledge of target. White box (known-environment test): full knowledge (source code, architecture, credentials). Gray box (partially known environment test): partial knowledge, such as user credentials or network diagrams but no source code.

Key exam facts — PT0-002

  • Rules of Engagement: written authorization, scope definition, permitted techniques, emergency contacts. Required before any testing.
  • Pentest phases: Planning/Scoping, Reconnaissance, Scanning/Enumeration, Exploitation, Post-Exploitation, Reporting. The PT0-002 objectives group these into the domains Planning and Scoping; Information Gathering and Vulnerability Scanning; Attacks and Exploits; Reporting and Communication; and Tools and Code Analysis.
  • Passive recon: OSINT, Shodan, Google dorks, LinkedIn, DNS records. No direct target interaction.
  • Active recon: port scanning (Nmap), banner grabbing, vulnerability scanning. Direct target interaction.
  • Metasploit: exploitation framework. Burp Suite: web application testing proxy. Nmap: network scanning.
  • Executive summary: business risk and impact for non-technical leadership. Technical findings: specifics for security team.
  • CVSS score in report: communicates severity of each finding in a standardized, comparable way.

Common exam traps

Penetration testers can legally test any publicly accessible system as long as they do not cause damage.

Authorization is required regardless of whether a system is publicly accessible. Testing without explicit written permission from the system owner is illegal under laws like the Computer Fraud and Abuse Act (CFAA) in the US and equivalent laws in other jurisdictions. The fact that a system is reachable from the internet does not constitute authorization to test it, and "no damage" is not a defense: the unauthorized access itself is the offense. A written Rules of Engagement document signed before testing begins is mandatory.

A penetration test that finds no vulnerabilities means the system is secure.

A penetration test represents a point-in-time assessment by a specific team using specific techniques within a defined scope and timeframe. Not finding vulnerabilities means the testers did not find vulnerabilities under those conditions. New vulnerabilities are discovered daily, scopes may exclude some attack surfaces, and testers have time constraints. A clean pentest report is positive evidence but not proof of security.

Post-exploitation is optional and only relevant if the client wants a demonstration.

Post-exploitation is essential to demonstrating real-world impact. Showing that a vulnerability exists (exploitation) has less business value than showing what an attacker could actually do with that access (post-exploitation). Escalating to domain admin, reaching financial databases, or demonstrating data exfiltration turns a theoretical vulnerability into a concrete business risk that motivates remediation investment.
