How we test

Our Testing Methodology

A modern penetration test follows the same lifecycle a real attacker would. PentestMe automates each phase with a curated, continuously-updated tool chain — and an AI orchestration layer that decides which tool to run next based on what the previous one found.

Phase 1

Reconnaissance

Map the surface

We discover what's exposed before we touch anything. Sources are open and passive so they don't trip detection or affect uptime.

Domain & subdomain enumeration
Subfinder, Sublist3r, Amass, Certificate Transparency logs
DNS recon
dnsrecon, dnsenum, dns-audit, WHOIS / ASN lookups
Tech-stack fingerprinting
WhatWeb, Wappalyzer-class detectors, GraphQL introspection
Email & employee harvesting
theHarvester, OSINT correlation
Compromised credentials
Continuous dark-web / infostealer feed
Continuous attack-surface tracking
Discovers assets you forgot you owned
Phase 2

Scanning & Enumeration

Find the doors

Active probes against the surface to identify live systems, exposed services, and entry points. Findings feed the next phase automatically — no hand-off, no idle time.

Port scanning
Nmap (advanced + NSE), Masscan, RustScan
Service banner grabbing
Nmap NSE, WhatWeb, Nikto
Web crawling
OWASP ZAP, Nuclei, Nikto
Content & vhost discovery
ffuf, gobuster, dirb, Arjun (hidden parameters)
AD-adjacent enumeration
enum4linux, netexec, ldap-tools, SMB scanner
VoIP / SIP
sipvicious, sipscan, nmap-sip, nuclei-voip
Email & API
smtp-user-enum, mail-server-checker, api-security-scanner, graphql-introspection
Phase 3

Vulnerability Analysis

Find the weaknesses

We test every door against the current CVE catalogue and OWASP Top 10. CVSS scores are recalculated against your exposure context — not the static NVD rating.

OWASP Top 10
ZAP, Nuclei, XSStrike, Commix, Arjun
Auth & API security
auth-bypass, JWT-security, OAuth-security, API rate-limit checks
SQL injection
sqlmap with autonomous follow-up
TLS / SSL
testssl, sslyze, sslscan
Email security
SPF / DKIM / DMARC, mail-server config, open-relay detection
SharePoint / Exchange / O365
Dedicated Nuclei template packs
Cloud (AWS / Azure / GCP)
Prowler, ScoutSuite, AzureHound, kube-bench, kube-hunter
Containers & WAF
Trivy, wafw00f, byp4xx, default-creds
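The SPF / DMARC items in the email-security row above can be expressed as static rules over a domain's TXT records. This is an added example, not PentestMe's tooling: it takes constructed TXT records for a domain and for its _dmarc subdomain (no DNS queries, so it runs offline; the example.invalid and example-mailer.invalid names are placeholders) and reports the settings a receiving mail server would treat as permissive. DKIM is deliberately left out, because a DKIM selector name cannot be discovered from the zone alone.

```python
"""Static SPF and DMARC record checks (editor's example, not PentestMe code)."""
import re

# DNS-querying SPF terms, which RFC 7208 caps at 10 per evaluation.
_LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr|exists:|redirect=)", re.I)


def parse_spf(txt_records):
    """Return the domain's SPF record, or None if it is missing or duplicated."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:          # RFC 7208: more than one record is a permerror
        return None
    return spf[0]


def check_spf(txt_records):
    findings = []
    spf = parse_spf(txt_records)
    if spf is None:
        findings.append("SPF: no single v=spf1 record (missing or duplicated)")
        return findings
    terms = spf.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders evaluate to neutral")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"   # bare 'all' means '+all'
        if qualifier in "+?":
            findings.append(f"SPF: '{last}' lets any host send as this domain")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(txt_records):
    """Return the DMARC tags as a dict, or None if no v=DMARC1 record exists."""
    rec = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not rec:
        return None
    tags = {}
    for part in rec[0].split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = val.strip()
    return tags


def check_dmarc(dmarc_txt_records):
    findings = []
    tags = parse_dmarc(dmarc_txt_records)
    if tags is None:
        findings.append("DMARC: no v=DMARC1 record at _dmarc.<domain>")
        return findings
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p' tag; receivers ignore the record")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings


def audit(domain_txt, dmarc_txt):
    """Combine SPF findings for <domain> with DMARC findings for _dmarc.<domain>."""
    return check_spf(domain_txt) + check_dmarc(dmarc_txt)


# Constructed sample records (placeholder names, not real zones).
WEAK_DOMAIN_TXT = ["v=spf1 include:_spf.example-mailer.invalid +all", "site-verify=abc123"]
WEAK_DMARC_TXT = ["v=DMARC1; p=none; pct=50"]
STRONG_DOMAIN_TXT = ["v=spf1 mx include:_spf.example-mailer.invalid -all"]
STRONG_DMARC_TXT = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid"]

if __name__ == "__main__":
    for line in audit(WEAK_DOMAIN_TXT, WEAK_DMARC_TXT):
        print(line)
```

The weak sample yields four findings (an open +all, a monitor-only policy, a partial pct, and no reporting address); the hardened sample yields none. In production you would replace the constructed lists with the TXT answers from a resolver.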
Phase 4

Exploitation

Prove the impact

We confirm exploitability so you know which findings are real risk versus theoretical. Every active exploit is gated by your authorization scope — we never go further than the engagement permits.

Autonomous PoC generation
XSS, SQL injection, command injection, IDOR, authentication bypass
sqlmap-driven data-exposure proof
For confirmed SQLi, with safe row caps
Exploit-chain discovery
AI identifies multi-step paths (e.g. SSRF + open redirect = chain)
Native phishing campaigns
Dedicated HTTPS infrastructure, custom templates, full click + credential tracking
Exploit-DB integration
Known public PoC retrieval for matched CVEs

What we don't do automatically. We don't deploy persistence, establish C2 channels, or pivot through compromised hosts without explicit human authorization. Those behaviours belong to red-team engagements, which you can request as a manual add-on.

Phase 5

Post-Exploitation

Measure the blast radius

Where authorized, we measure what an attacker could reach after a successful breach. This is where most platforms stop — PentestMe goes deep on Active Directory and cloud identity.

Active Directory
BloodHound-Python, Impacket-suite, Kerbrute, LDAPdomaindump, NetExec
AD-specific findings
ASREP-roastable, Kerberoastable, RBCD, unconstrained delegation, LAPS misconfig
Cloud lateral paths
AzureHound, ROADtools — Azure AD attack graphs
Internal-network scanning
VPN-gated. You provide the VPN config; we scan as an attacker who phished a workstation would.
Credential brute-force
Hydra (SIP), IMAP/POP3, SMTP-auth — against accounts you authorize
Privilege-escalation discovery
privesc-check, lateral-movement detection

What runs automatically vs on request

PentestMe's continuous automation covers the most-needed phases on every scan. For chained or novel attack paths, or for red-team-class engagements, request a manual pentest add-on.

Activity | Automated scans | Manual pentest (add-on)
Recon, scanning, enumeration | Continuous | Deeper, on demand
Vulnerability analysis | Every scan | With business-logic review
Exploitation (PoC) | Within authorized scope | Chained & novel paths
Persistence, C2, lateral pivot | Not automated | Full red-team engagement
Social engineering campaigns | Native phishing | Vishing, spear-phish, physical

Standards we map to

Every finding is tagged against the frameworks your compliance team actually uses.

OWASP Top 10
Web & API Security Top 10
PCI-DSS v4.0
Req. 11.4 — internal & external pen-testing
ISO/IEC 27001:2022
A.12.6 — vulnerability management
SOC 2
CC7.1 — system monitoring
NIST SP 800-115
Technical guide to security testing

A note on authorization

Every active test — port scan, credential check, exploitation, phishing — requires you to have either attested ownership of the target during signup, or an explicit written authorization on file. We log every test request against this authorization so there's never any ambiguity about scope. We are bound by the same Computer Misuse legislation our customers are.

Ready to see what your environment looks like to an attacker?

Run your first scan in minutes. No credit card required for the free tier.