Most business owners have heard of penetration testing but are not sure what actually happens during one. This is the plain-English version. No jargon, no sales pitch. Just a clear walkthrough of the process from first contact to final report.
Step 1: Scoping
Before any testing begins, we agree on scope. Scope defines exactly what is included in the engagement: which applications, which IP addresses, which user roles, and which attack types are authorized. This is a legal agreement as much as a technical one.
A scope call typically takes 30 minutes. We ask about your environment, explain what our testing will look like, and confirm pricing. You sign a Rules of Engagement document before we touch anything.
Most small business web app pentests scope to one application with 2 to 5 user roles. That is where the most valuable findings typically live.
Step 2: Reconnaissance
We start by learning everything about your target that is publicly available. Domain registration, DNS records, SSL certificates, technology stack indicators, public API endpoints, and anything exposed through search engines or public repositories.
This is passive intelligence gathering. We are not touching your systems yet. We are building a map of your attack surface the same way a real attacker would before choosing where to strike.
Step 3: Active Testing
This is the core of the engagement. We systematically test your application or network against the full OWASP Top 10 (for web apps) or known network attack vectors (for infrastructure assessments).
For a web application, this includes testing for injection flaws (SQL, command, LDAP), broken authentication and session management, insecure direct object references, security misconfigurations, sensitive data exposure, cross-site scripting, broken access control, and business logic vulnerabilities that automated scanners cannot find.
The business logic testing is where our work differs from running a scanner. Automated tools can find known vulnerability signatures. A human tester can find the flaw where you can view another customer's order by changing a single number in a URL. That finding does not appear in any scanner output.
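To make that finding concrete, here is an added example (not Blackhount's code) of the order lookup described above in its vulnerable form, where the id from the URL is trusted, beside a hardened form that checks the order belongs to the logged-in user. The customers, orders and function names are constructed for illustration.

```python
# Added example, not from the original page: an insecure direct object
# reference (IDOR) on an order endpoint, and the ownership check that fixes it.
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total: float


# Constructed sample data: two customers (7 and 9) and three orders.
ORDERS = {
    1001: Order(1001, owner_id=7, total=49.99),
    1002: Order(1002, owner_id=7, total=120.00),
    1003: Order(1003, owner_id=9, total=15.50),
}


class NotFound(Exception):
    """Raised for both 'does not exist' and 'not yours', so the response
    does not reveal which order ids are valid."""


def get_order_vulnerable(session_user_id: int, order_id: int) -> Order:
    # The id parsed from the URL is looked up directly; the logged-in user
    # is never compared against the order's owner, so any customer can read
    # any order by changing the number.
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id)


def get_order_hardened(session_user_id: int, order_id: int) -> Order:
    # Authorize against the server-side session identity, not the request.
    order = ORDERS.get(order_id)
    if order is None or order.owner_id != session_user_id:
        raise NotFound(order_id)
    return order


def can_view(lookup: Callable[[int, int], Order], user_id: int, order_id: int) -> bool:
    """The check a tester performs: does this user get this order back?"""
    try:
        lookup(user_id, order_id)
        return True
    except NotFound:
        return False
```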
Step 4: Exploitation
When we find a potential vulnerability, we attempt to exploit it to confirm it is real and to understand the true impact. A theoretical SQL injection is a medium finding. A confirmed SQL injection that extracts your entire customer database is a critical one.
We document the exploit path, the evidence, and the potential impact for every confirmed finding. We stop before causing actual damage and do not retain any data we access during testing.
Step 5: The Report
You receive a written report within 5 business days. The report contains an executive summary (written for business owners, not IT teams) and a detailed findings section that explains each vulnerability, its severity rating, the evidence we collected, and step-by-step remediation guidance.
Findings are rated Critical, High, Medium, and Low. We do not inflate ratings. A medium finding is a medium finding.
Step 6: Walkthrough Call
We schedule a call to walk you through the report. You can ask questions about any finding, get clarification on remediation steps, and discuss which items to prioritize. This call is included in every engagement.
What It Costs
Blackhount's web application penetration testing starts at $500 for small, single-application scopes. Most small business engagements land between $500 and $2,000 depending on application complexity and number of user roles. Network assessments are priced separately.
We price upfront. You know the cost before we start.