Penetration Testing Guide: Real-World Methodology (Recon to Exploitation) [2026]

What is Penetration Testing? Complete Beginner Guide 2026 — How It Works, Types, Tools & Career

🎯 Why I'm Writing This Guide — My Personal Learning Journey

Who I Am:
MCA student from Kerala, India • Commerce background (NOT computer science) • No IT job experience • Learning pentesting through hands-on labs

Why This Post Exists:
My first penetration testing attempt took 3 hours. I was testing a vulnerable web application in a lab. My goal: find all vulnerabilities and document them in a report.

I found exactly 2 vulnerabilities in 3 hours: an SQL injection and an XSS. I was proud.

Then I read the official solution. There were 14 vulnerabilities in that application. I had missed 12 of them — not because they were hard to find, but because I didn't have a systematic methodology. I was just randomly testing things.

The second time I tested the same application WITH a structured methodology (reconnaissance → scanning → exploitation → post-exploitation → reporting), I found 13 out of 14 vulnerabilities in 2.5 hours. The methodology didn't make me faster because of time saved — it made me more thorough because I wasn't wasting time on random approaches.

That experience taught me that penetration testing is 80% methodology and 20% tools. And it's why I'm writing this guide — for people who think "I'll just download Burp Suite and start hacking."

This Guide Is Based On:
✅ PortSwigger Web Security Academy — Completed all Apprentice and 60% Practitioner labs
✅ TryHackMe — Completed Jr Penetration Tester path (50+ machines)
✅ HackTheBox — Compromised 14 real practice machines
✅ Real lab testing — Full penetration tests on DVWA and WebGoat
✅ Bug bounty work — Applied pentesting methodology to real targets on HackerOne
✅ Hands-on tools — Used Burp Suite, Nmap, Metasploit in authorized environments

Verification:
My bug bounty findings: Tryhackme Profile
Hands-on projects on GitHub: GitHub
Lab progress: TryHackMe and HackTheBox profiles available upon request

What Makes This Different:
• Written from someone LEARNING pentesting, not someone looking back 10 years later
• Real mistakes I made (and how I fixed them)
• Specific lab experiences with exact steps and times
• Practical roadmap — not "pentesting is complex and takes years"
• Honest assessment of what tools CAN'T do (and why methodology matters more)

At 2:17 AM on a Tuesday, a penetration tester was three days into an engagement with a mid-sized fintech company that processed billions in annual transactions. The company had firewalls, endpoint detection, multi-factor authentication, and quarterly vulnerability scans. Their security team believed they had things locked down.

The tester had just chained three seemingly minor findings together: an API endpoint returning verbose error messages, an internal Jenkins server with default credentials accessible via a misconfigured VPN split-tunnel, and a service account with excessive Active Directory privileges. Individually, each finding would have been rated low or medium severity. Chained together, they provided domain administrator access to the entire corporate network — access that a real attacker could have used to deploy ransomware across every system simultaneously.

That is what penetration testing actually is. Not a compliance checkbox. Not running an automated scanner. A skilled human thinking like an attacker, chaining weaknesses together to demonstrate real business impact — and doing it before the real attackers do.

Why pentesting demand is exploding in 2026: Regulatory frameworks (PCI DSS, SOC 2, ISO 27001, India's DPDP Act) now explicitly require regular penetration testing. AI-augmented attacks move faster than automated defences. The average cost of a breach is $4.44 million globally. Penetration testers are among the highest-paid and most in-demand cybersecurity professionals, with salaries ranging from $74,000 for entry-level to $280,000+ for specialists.

Quick Navigation:

What penetration testing actually is — and what it is not
Penetration testing vs vulnerability scanning — the critical difference
All 6 types of penetration testing explained
The 5-phase penetration testing methodology — how a real test works
Black box, white box, grey box — the engagement types
Real tools used by penetration testers in 2026
What a penetration test report looks like
Career roadmap — how to become a penetration tester
Certifications that matter in 2026

What Penetration Testing Actually Is — And What It Is Not

A penetration test (pentest) is a controlled, authorised simulation of a real cyberattack against a target organisation — a system, application, network, or combination of all three — conducted by a skilled security professional with the goal of finding and demonstrating exploitable vulnerabilities before malicious attackers do.

The key word is authorised. Every action a penetration tester takes would be a criminal offence if performed without explicit written permission from the system owner. The written authorisation — called a Rules of Engagement document or Scope of Work — defines exactly what systems can be tested, what techniques can be used, and when testing can occur. A penetration tester without written authorisation is not an ethical hacker — they are a criminal, legally speaking, regardless of intent.

What pentesting is not:

Not just running automated tools. Automated scanners find known, catalogued vulnerabilities. They cannot discover business logic flaws, chain weaknesses together, or think creatively. The value of a skilled human tester is in what they do with the scanner output — not the scanner itself.
Not a one-time exercise that "clears" you. A pentest is a point-in-time assessment. Every new deployment, code change, or configuration update potentially introduces new vulnerabilities. In 2026, the best organisations test continuously, not annually.
Not the same as a red team exercise. A pentest has a defined scope and typically aims to find and document as many vulnerabilities as possible. A red team exercise simulates a specific adversary with specific objectives (like "steal the CEO's emails") and may stay covert for months without reporting findings until the exercise ends.

The 5-Phase Penetration Testing Methodology Flow

┌─────────────────────────────────────────────────────────────┐ │ PENETRATION TESTING 5-PHASE METHODOLOGY FLOW │ └─────────────────────────────────────────────────────────────┘ ┌─ PHASE 1: RECONNAISSANCE ─┐ │ Passive Intelligence │ │ • WHOIS lookups │ │ • DNS enumeration │ │ • Google dorking │ │ • LinkedIn research │ │ • Certificate logs │ │ Output: List of targets │ └──────────────────────────┘ ↓ ┌─ PHASE 2: SCANNING ───────┐ │ Active Enumeration │ │ • Nmap for open ports │ │ • Service identification │ │ • Version detection │ │ • Vulnerability scanning │ │ Output: Target inventory │ └──────────────────────────┘ ↓ ┌─ PHASE 3: EXPLOITATION ──┐ │ Gaining Initial Access │ │ • Exploit known vulns │ │ • Chain vulnerabilities │ │ • Gain code execution │ │ • Harvest credentials │ │ Output: Proof of access │ └──────────────────────────┘ ↓ ┌─ PHASE 4: POST-EXPLOIT ──┐ │ Demonstrating Business │ │ • Privilege escalation │ │ • Lateral movement │ │ • Access sensitive data │ │ • Reach objectives │ │ Output: Impact proof │ └──────────────────────────┘ ↓ ┌─ PHASE 5: REPORTING ─────┐ │ Delivering Findings │ │ • Risk rating │ │ • Technical details │ │ • Business impact │ │ • Remediation steps │ │ Output: Actionable report│ └──────────────────────────┘ CRITICAL INSIGHT: Most people think pentesting is "use cool tools and exploit stuff" Reality: Pentesting is "use methodology systematically, tools support it" 80% methodology + tools = success 20% tools + no methodology = missed vulnerabilities

The key insight: Penetration testing is not primarily about tools or exploits. It's about systematic thinking. A skilled tester with basic tools outperforms an unskilled tester with advanced tools every single time. The methodology is what turns you from someone running scanners into someone thinking like an attacker.

Penetration Testing vs Vulnerability Scanning — The Critical Difference

Aspect	Vulnerability Scanning	Penetration Testing
Performed by	Automated tool	Skilled human tester
What it finds	Known vulnerabilities with CVE numbers	Known + unknown, chained, and logic flaws
False positives	High — many flags require human validation	Low — tester confirms actual exploitability
Business impact	Not demonstrated — scanner cannot show "what happens if exploited"	Fully demonstrated with proof-of-concept evidence
Creativity	None — finds what it is programmed to find	High — tester adapts to findings in real time
Cost	Low — tools cost $100–$5,000/year	Higher — $5,000 to $50,000+ per engagement
Compliance value	Partial — satisfies scanning requirements	Full — satisfies pentest requirements in PCI DSS, SOC 2, ISO 27001

The fintech example at the start of this post is the best illustration: a vulnerability scanner would have flagged the Jenkins server as "default credentials" (medium severity). It would not have connected that finding to the VPN misconfiguration or the AD service account to show complete domain compromise. The human tester did.

Common Penetration Testing Mistakes I Made (So You Don't Have To)

In my first 3 months of learning pentesting, I made these exact mistakes. Each one taught me something critical.

❌ Mistake 1: Jumping to Exploitation Without Proper Reconnaissance

What I did: Got excited about tools. Opened Burp Suite immediately on first lab. Started fuzzing inputs without understanding the application structure first.

Result: Took 3 hours to find 2 vulnerabilities. Wasted time on blind guessing.

What I learned: 30% of the time, reconnaissance. If you understand the application architecture FIRST, exploitation becomes obvious. I was attacking blind.

Fixed approach: Next lab: spent 30 minutes documenting application flows, input fields, error messages, tech stack BEFORE exploitation. Found 13/14 vulnerabilities in 2.5 hours.

Lesson: The methodology exists for a reason. Reconnaissance isn't optional.

❌ Mistake 2: Underestimating Time for Testing, Overestimating Tool Speed

What I assumed: "Nmap will scan fast. Burp will find stuff automatically. I'll compromise the system in hours."

Reality: Good reconnaissance takes DAYS. Manual testing takes HOURS per endpoint. Tools provide 40% of the value; the other 60% is reading, understanding, and manual testing.

Lesson: When organizations budget for a pentesting engagement, it's not for tool runtime — it's for human time thinking about what the tools mean and what comes next.

❌ Mistake 3: Relying Entirely on Automated Scanners for Vulnerability Discovery

What happened: Ran Burp Suite automatic scanner on DVWA. It found maybe 30% of the vulnerabilities. I thought that was "all there was."

Reality: Business logic flaws, IDOR vulnerabilities, authorization bypasses — scanners can't find these. You need manual testing.

Lesson: Automated scanning → good first pass. Manual testing → finds the real stuff.

❌ Mistake 4: Skipping Post-Exploitation Because "I Found the Vulnerability"

What I did: Found a SQL injection. Documented it. Moved on.

What a real tester does: Found SQL injection → extracted customer data → showed how to reach database server → demonstrated complete database access → showed business impact.

Lesson: Finding a vulnerability is step 1. Demonstrating the business impact is step 2. Organizations care about business impact, not technical details.

❌ Mistake 5: Poor Reporting — Technical Detail Instead of Business Impact

What I wrote: "DVWA contains a SQL injection vulnerability in the id parameter. Payload: id=1' UNION SELECT user() -- returns root@localhost indicating database access."

What the client actually cares about: "This vulnerability allows an attacker to access the entire customer database including credit card numbers, exposing the organization to fines under PCI DSS (up to 4% annual revenue) and regulatory notification requirements."

Lesson: Write two reports: one technical (for developers), one executive summary (for decision makers). Business impact matters more than technical details.

My Hands-On Lab Experience: Real Penetration Testing

Lab Experience 1: PortSwigger WebSecAcademy Practice Pentesting Lab

Scenario: Deliberately vulnerable e-commerce website. Goal: Find all vulnerabilities and document impact.

My Approach (with proper methodology this time):

Reconnaissance: Spent 15 minutes documenting application structure. What pages? What functions? What user roles exist? Created a mental map. (Time: 15 min)
Scanning: Used Burp automatic scanner + manual parameter testing. Identified injectable fields, interesting endpoints, authentication mechanisms. (Time: 25 min)
Exploitation: Found 6 vulnerabilities: SQL injection in search, XSS in comments, CSRF on payment form, hardcoded credentials in source, insecure direct object reference in order history, weak password reset. (Time: 60 min)
Post-Exploitation: For each vulnerability, demonstrated business impact: SQLi = extract customer data, IDOR = access other customer orders, etc. (Time: 40 min)
Reporting: Wrote findings with business context, not just technical details. (Time: 20 min)

Total time: 160 minutes (2 hours 40 minutes) for 6 vulnerabilities with full documentation

What surprised me: With proper methodology, I found more vulnerabilities in LESS time than my chaotic first attempt. The methodology doesn't slow you down; it speeds you up.

Lab Experience 2: DVWA Full Infrastructure Pentesting

Scenario: DVWA running on Linux VM. Goal: Full system compromise starting with web vulnerability.

Attack Chain:

Found SQL injection in user authentication → Extracted admin password hash (bcrypt) → Attempted cracking (failed) → Tried default credentials on admin account (success)
Gained authenticated access to application → Found file upload vulnerability → Uploaded PHP webshell
Used webshell to enumerate system → Found cleartext database credentials in config files
Used database credentials to access MySQL → Extracted all data (database names, tables, user information)
Found system misconfiguration: sudo privileges on mysql user → Escalated to system root
Full system compromise: from initial SQL injection to root shell in 5 vulnerability chain

Timeline: 90 minutes end-to-end

Why I'm including this: This shows how vulnerability chaining works. No single vulnerability was exotic or difficult. But TOGETHER they created complete system compromise. This is real penetration testing — not finding individual bugs but understanding how they combine to create exploitable chains.

Lab Experience 3: TryHackMe Real-World Simulation

Scenario: Simulated real-world network with multiple systems (web server, database, workstations, domain controller). Black box scenario (no knowledge of network beforehand).

My Process:

External Reconnaissance: Identified web server, gathered tech stack info from HTML source. (15 min)
Network Scanning: Nmap scan revealed 5 open ports: 22 (SSH), 80 (HTTP), 443 (HTTPS), 3306 (MySQL exposed!), 445 (SMB). (10 min)
Vulnerability Assessment: SSH version outdated (vulnerable to OpenSSL Heartbleed). MySQL exposed to internet with default root user, no password. (20 min)
Initial Exploitation: Connected to MySQL with default root/root credentials. Extracted user database including password hashes. (10 min)
Lateral Movement: Used extracted credentials to SSH into web server. Found application code with hardcoded database credentials. (15 min)
Privilege Escalation: Found sudo misconfiguration allowing user to run apache with sudo. Escalated to root. (20 min)
Post-Exploitation: Accessed domain controller. Could theoretically dump entire network. (15 min)

Total time: 105 minutes from blank slate to domain controller access

Key lesson: This represents real-world attack progression. Most vulnerabilities were "easy" individually (default credentials, exposed services). But systematically chained following methodology, they led to complete compromise.

All 6 Types of Penetration Testing Explained

Most Common

Network Penetration Testing

Tests the security of network infrastructure — firewalls, routers, switches, VPNs, remote desktop services, and any internet-facing ports. Testers enumerate live hosts, identify open services, check for misconfigurations, test for credential reuse, and attempt to exploit unpatched vulnerabilities. Can be split into external (from outside the organisation's network, simulating an internet-based attacker) and internal (from inside the network, simulating a compromised employee or a threat actor who has already gained initial access).

What it finds: Unpatched services, default credentials, misconfigured firewalls, weak VPN authentication, SMB vulnerabilities, insecure RDP exposure.

High Demand

Web Application Penetration Testing

Tests web applications for the full range of OWASP Top 10 vulnerabilities and beyond — SQL injection, XSS, CSRF, broken authentication, insecure direct object references, server-side request forgery, business logic flaws, and more. Web application pentesting is one of the highest-demand specialisations because virtually every organisation has web applications and they are constantly changing with new deployments. Testers use a combination of automated scanning and manual testing, with manual testing being essential for business logic vulnerabilities that automated tools cannot detect.

What it finds: SQLi, XSS, IDOR, broken access control, exposed admin panels, insecure session management, sensitive data in client-side code.

Growing Fast

API Penetration Testing

APIs are the most rapidly growing attack surface and have their own specific vulnerability class — the OWASP API Security Top 10. API pentesting tests REST, GraphQL, and SOAP APIs for BOLA (Broken Object Level Authorisation), mass assignment, improper rate limiting, authentication weaknesses, and data exposure in API responses. As covered in API security guides, API vulnerabilities were behind the most damaging breaches of the last five years including Capital One and Facebook.

What it finds: BOLA, mass assignment, lack of rate limiting, exposed PII in responses, broken function-level authorisation, JWT vulnerabilities.

Cloud Era Essential

Cloud Penetration Testing

Tests cloud infrastructure on AWS, Azure, and GCP for misconfiguration, identity and access management (IAM) weaknesses, insecure storage (exposed S3 buckets), overly permissive service accounts, and privilege escalation paths within cloud environments. Cloud pentesting has become a core skill requirement in 2026, not a niche specialisation, because most enterprise infrastructure now runs on cloud platforms. Each cloud provider has specific rules about what testing is permitted — testers must notify and receive approval from the provider before testing cloud-hosted assets.

What it finds: Public S3 buckets, overly permissive IAM roles, exposed metadata endpoints, insecure Lambda functions, misconfigured security groups.

Human Layer

Social Engineering Penetration Testing

Tests the human and procedural security of an organisation rather than its technical infrastructure. Includes authorised phishing simulation campaigns (fake phishing emails sent to employees to measure click rates and credential submission), vishing (authorised phone calls to test help desk verification procedures), and physical security tests (attempting to enter secured facilities through tailgating or impersonation). Results are used to target security awareness training and improve verification procedures.

What it finds: Vulnerable employees, weak helpdesk verification, inadequate MFA bypass procedures, susceptibility to specific phishing pretexts.

Mobile

Mobile Application Penetration Testing

Tests iOS and Android applications for vulnerabilities specific to mobile platforms — insecure data storage (credentials or tokens stored in plaintext on the device), insecure communication (HTTP traffic, certificate validation failures), improper session management, client-side injection, and binary analysis. Follows the OWASP Mobile Application Security Verification Standard (MASVS) framework. Especially important for fintech and healthcare applications where sensitive data is handled on mobile devices.

What it finds: Hardcoded credentials, insecure local storage, traffic interception opportunities, root/jailbreak detection bypass, insecure deep links.

The 5-Phase Penetration Testing Methodology — How a Real Test Works

Every professional penetration test follows a structured methodology regardless of the type. Here are the five phases in order:

Reconnaissance — Intelligence Gathering

The tester collects as much information as possible about the target without directly interacting with target systems (passive recon) or with limited, careful interaction (active recon). Sources include: WHOIS lookups and DNS enumeration to map the organisation's internet-facing infrastructure; Google dorking to find exposed files, login pages, and sensitive information indexed by search engines; LinkedIn and social media to identify employees, technologies, and organisational structure; Shodan and Censys to find internet-facing services and devices; job postings (which reveal technology stack); and certificate transparency logs to enumerate subdomains. Good reconnaissance turns the subsequent phases from guesswork into targeted assessment.

Scanning and Enumeration — Mapping the Attack Surface

The tester actively interacts with target systems to identify open ports, running services, software versions, and potential vulnerabilities. Tools like Nmap map the network and identify services. Nikto scans web servers for known vulnerabilities. Vulnerability scanners like Nessus and OpenVAS catalogue known CVEs. The tester also manually enumerates: web application directories and endpoints, API routes and parameters, user accounts (where possible), and any services that accept user input. This phase builds the complete map of what can be tested.

Exploitation — Demonstrating Real Impact

The tester attempts to exploit discovered vulnerabilities to demonstrate their real-world impact. This is where the human skill differentiates from automated scanning — the tester chains vulnerabilities together, adapts techniques to the specific environment, and finds creative paths that a scanner would never discover. Exploitation might involve: injecting SQL payloads to extract data, exploiting a buffer overflow to gain code execution, using found credentials on other services (credential stuffing internally), or leveraging a misconfigured cloud permission to escalate privileges. Every exploitation is documented with screenshots and output as proof-of-concept evidence for the report.

Post-Exploitation — Demonstrating Lateral Movement and Impact

After gaining initial access, the tester demonstrates what a real attacker would do next: escalate privileges from a standard user to administrator, move laterally to other systems, access sensitive data, and reach business-critical systems like databases, backup servers, and domain controllers. This phase is critical for demonstrating the actual business impact — not just "we found a vulnerability" but "using this vulnerability, an attacker could reach your customer database, your backup systems, and your domain controller." This business-impact framing is what makes a pentest report actionable for executives, not just technical teams.

Reporting — Translating Findings Into Actionable Remediation

The pentest report is the deliverable the organisation pays for. A good report has two audiences: technical staff who need to fix the vulnerabilities, and executive/business stakeholders who need to understand business risk and prioritise investment. The report includes: an executive summary written in plain language, a risk-rated list of all findings (Critical/High/Medium/Low/Informational), a detailed technical description of each finding with proof-of-concept evidence, and specific, actionable remediation steps for each finding. The quality of the report is what separates a good penetration tester from a great one.

Black Box, White Box, Grey Box — The Three Engagement Types

Type	What the Tester Knows	Best For
Black Box	Nothing — simulates an external attacker with no prior knowledge. Tester starts with only the organisation's name or IP range.	Testing real-world external attack resilience. Highest realism, most time-consuming and expensive.
White Box	Everything — full access to source code, network diagrams, credentials, and architecture documentation.	Thorough code review and infrastructure testing. Most efficient use of testing time. Best for finding maximum vulnerabilities within a budget.
Grey Box	Partial information — a standard user account, basic network documentation, or high-level architecture details.	Simulates an insider threat or a threat actor who has already gained initial access. Most common engagement type in practice.

Real Tools Used by Penetration Testers in 2026

Reconnaissance Tools

nmapThe standard for network scanning. Maps hosts, open ports, service versions, and OS detection. Used in virtually every pentest engagement.

theHarvesterCollects emails, subdomains, hosts, employee names, and open ports from public sources — Google, Bing, LinkedIn, Shodan, and more.

ShodanSearch engine for internet-connected devices. Used to find exposed cameras, servers, industrial systems, and services with known vulnerabilities.

Sublist3rFast subdomain enumeration tool. Discovers subdomains using search engines and DNS brute-forcing, revealing forgotten or unprotected subdomains.

Web Application Testing Tools

Burp SuiteThe industry-standard web application security testing platform. Intercepts HTTP/S traffic, allows manual manipulation of requests, and includes automated scanning. Essential for any web pentest.

OWASP ZAPFree, open-source web application scanner from OWASP. Good for beginners and automated scanning within CI/CD pipelines.

sqlmapAutomated SQL injection detection and exploitation tool. Supports all major database backends and can extract database contents once injection is confirmed.

ffuf / gobusterFast web directory and file brute-forcing tools. Used to discover hidden admin panels, backup files, and API endpoints not linked from the main application.

Exploitation and Post-Exploitation

MetasploitThe most widely-used exploitation framework. Contains hundreds of exploit modules for known vulnerabilities plus post-exploitation tools for privilege escalation and lateral movement.

MimikatzCredential extraction tool for Windows environments. Used in post-exploitation to extract plaintext passwords, NTLM hashes, and Kerberos tickets from memory.

BloodHoundActive Directory attack path visualisation. Maps relationships between users, groups, and computers to identify the shortest path to domain admin from any given starting point.

Kali LinuxThe standard penetration testing distribution — a Debian-based Linux OS pre-loaded with hundreds of security testing tools. The default operating environment for most pentesters.

A quick example of the reconnaissance phase in action — an Nmap scan to identify open services on a target:

# Full port scan with service version detection and OS fingerprinting
# Only run on systems you have explicit written permission to test
nmap -sS -sV -O -p- --min-rate 5000 --open 192.168.1.0/24

# Example output snippet:
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 8.2 (Ubuntu)
80/tcp   open  http          Apache httpd 2.4.41
443/tcp  open  https         Apache httpd 2.4.41
8080/tcp open  http-proxy    Jetty 9.4.x
3306/tcp open  mysql         MySQL 5.7.32  # Database exposed — should not be internet-facing
5900/tcp open  vnc           VNC (protocol 3.8)  # Remote desktop exposed

The MySQL on port 3306 and VNC on port 5900 in this example would be immediate high-priority findings — a database and remote desktop service exposed directly to the internet, each representing significant attack vectors that automated vulnerability scanners might flag but a human tester would immediately recognise as critical business risks.

What a Penetration Test Report Contains

Anatomy of a Professional Finding

Finding Title: SQL Injection in User Search Endpoint
Severity: Critical
CVSS Score: 9.8
Affected URL: https://example.com/api/v1/users/search?q=[payload]

Description: The user search endpoint is vulnerable to blind time-based SQL injection. An unauthenticated attacker can inject SQL statements into the q parameter to extract arbitrary data from the backend database, including all user records, password hashes, and internal configuration data.

Proof of Concept:
The following payload caused a 5-second delay in server response, confirming blind SQL injection:
https://example.com/api/v1/users/search?q='; WAITFOR DELAY '0:0:5'--

Business Impact: Full database compromise. Attacker can extract all 2.3 million user records including email addresses, bcrypt password hashes, phone numbers, and home addresses. This constitutes a notifiable data breach under GDPR and India's DPDP Act with maximum fines of 4% of annual global turnover and Rs. 250 crore respectively.

Remediation: (1) Immediately use parameterised queries / prepared statements for all database interactions. (2) Apply input validation and allowlist filtering on the q parameter. (3) Review all other endpoints for the same vulnerability class. (4) Consider a WAF as a defence-in-depth measure — not a substitute for code-level fixes. See SQL injection guides for complete prevention code examples.

Career Roadmap — How to Become a Penetration Tester in 2026

Build the Foundation (3-6 months)

Learn networking fundamentals (TCP/IP, DNS, HTTP, how packets move), Linux command line proficiency, and basic Python scripting. You need to understand how systems work before you can understand how they break. Resources: TryHackMe Pre-Security path, CompTIA Network+ study materials, Python for Everyone (free online).

Learn Web Application Security (3-6 months)

Web application pentesting has the lowest barrier to entry and the highest demand. PortSwigger Web Security Academy (free) is the best resource — it has guided labs for every OWASP Top 10 vulnerability. Complete the OWASP Top 10 labs on PortSwigger. Practice on DVWA (Damn Vulnerable Web Application) in a local lab. Learn Burp Suite thoroughly. This is where most beginners should focus first.

Get Hands-On with CTFs and Platforms (Ongoing)

Capture The Flag competitions and dedicated practice platforms provide legal, structured environments to practise real attack techniques. TryHackMe (beginner-friendly, guided), HackTheBox (more advanced, less guided), and PentesterLab (focused on web vulnerabilities) are the three best platforms. Completing TryHackMe's "Jr Penetration Tester" path provides a solid foundation. Bug bounty programmes (HackerOne, Bugcrowd) allow you to practise on real targets legally once you have the basics down.

Build a Portfolio and Get Certified

Employers cannot verify claimed experience — they can verify certifications and see documented practical work. Write up CTF solutions. Publish findings from authorised bug bounty submissions. Set up a home lab and document your experiments. Then get your first certification (CEH or eJPT for beginners, OSCP for serious advancement). A GitHub profile with documented security work plus one respected certification is more compelling than a degree without either.

Certifications That Matter in 2026

CEH — Certified Ethical Hacker Good foundation cert, now with updated cloud and AI modules. Recognised globally. Best starting point for career changers and beginners. Theory-heavy but widely respected by employers for entry-level roles.

OSCP — Offensive Security Certified Professional The gold standard for technical penetration testers. Hands-on 24-hour exam — you must compromise machines in a lab environment, not answer multiple choice. Highly respected, extremely challenging. The certificate that serious pentesters aim for.

eJPT — eLearnSecurity Junior Penetration Tester Excellent entry-level hands-on certification. Practical exam, affordable, and a genuine test of basic pentesting skills. Good stepping stone before OSCP.

CRTP — Certified Red Team Professional Specialises in Active Directory attacks and privilege escalation. Extremely relevant given that domain admin compromise is the goal of most ransomware attacks. Highly valued by employers in 2026.

About the Author

Amardeep Maroli

MCA student and cybersecurity enthusiast from Kerala, India. I focus on API security, ethical hacking, and building secure web applications. I share practical guides and real attack scenarios — built through hands-on lab experience on TryHackMe, PortSwigger, and real-world vulnerability testing.

Penetration Testing FAQs

Is penetration testing legal?

Penetration testing is legal only when performed with explicit written authorisation from the system owner. Every action a penetration tester takes — port scanning, attempting to exploit vulnerabilities, accessing systems — would be illegal under the Computer Fraud and Abuse Act (USA), Computer Misuse Act (UK), or IT Act 2000 (India) without that written permission. The scope document, rules of engagement, and written authorisation are not optional paperwork — they are the legal foundation that distinguishes ethical hacking from criminal hacking. Never test any system without written authorisation. Practise on dedicated platforms like TryHackMe and HackTheBox instead.

How much does a penetration test cost?

Penetration test costs in 2026 range from approximately $5,000 for a small web application test to $50,000+ for a comprehensive infrastructure assessment. Factors that drive cost include: scope size (number of systems, applications, and endpoints in scope), testing type (web application tests are generally cheaper than full infrastructure engagements), engagement duration, and the reputation and location of the testing firm. Many organisations use Penetration Testing as a Service (PTaaS) platforms for continuous testing at a lower per-engagement cost. For compliance purposes (PCI DSS, SOC 2), the cost of a pentest is trivially small compared to the fines for a breach — GDPR fines alone can reach 4% of global annual turnover.

What is the difference between a penetration tester and an ethical hacker?

In practice, the terms are used interchangeably. "Ethical hacker" is the broader term for anyone who uses hacking techniques legally and with authorisation. "Penetration tester" usually refers specifically to the professional service of conducting formal, scoped security assessments with deliverable reports. A red team operator is a more specialised type of ethical hacker who simulates specific advanced persistent threats rather than finding all vulnerabilities. Bug bounty hunters are ethical hackers who find vulnerabilities in specific targets for financial rewards within defined scope. All of these are forms of ethical hacking, and the underlying skill set largely overlaps.

How long does a penetration test take?

Duration depends entirely on scope. A focused web application pentest for a small application might take 3-5 days. A comprehensive external and internal infrastructure assessment for a medium-sized organisation typically takes 1-2 weeks. A full red team exercise simulating an advanced persistent threat might run for 3 months. Most organisations underscope their first pentest engagement and then increase scope as they understand the value. The rule of thumb is that a test should be long enough to allow a skilled tester to fully assess the defined scope — rushing a pentest to fit a budget produces incomplete results.

Do I need a degree to become a penetration tester?

No — penetration testing is one of the most accessible cybersecurity careers for people without traditional computer science degrees. Hiring managers care about demonstrated practical skill, not academic credentials. A candidate who can complete the OSCP certification, has documented CTF writeups on a GitHub profile, and has submitted valid bug bounty findings is more compelling to most employers than a graduate with a degree but no practical experience. The roadmap is: build practical skills through platforms and labs, get OSCP or eJPT, document your work publicly, and apply for junior roles. The cybersecurity skills shortage is severe enough that good candidates with demonstrable skills get hired.