The 5 Stages of Penetration Testing
(And How AI Expands Them to 12)

Penetration testing follows a structured methodology to ensure thorough and repeatable security assessments. The traditional model defines 5 stages: Reconnaissance, Scanning, Exploitation, Post-Exploitation, and Reporting. Modern AI frameworks like zeScanner expand this into 12 specialized phases, adding granularity that enables autonomous agents to work more effectively.

The Classic 5 Stages

1. Reconnaissance

Gathering information about the target through passive and active means. Includes OSINT, DNS lookups, WHOIS queries, and social engineering research.

zeScanner phases: Passive Reconnaissance, Internet Research

2. Scanning

Actively probing the target to identify live hosts, open ports, running services, and potential vulnerabilities.

zeScanner phases: Network Discovery, Service Detection, Service Enumeration, Web Analysis

3. Exploitation

Attempting to exploit discovered vulnerabilities to gain unauthorized access. Validates that vulnerabilities have real-world impact.

zeScanner phases: Vulnerability Scanning, Finding Correlation, Exploitation

4. Post-Exploitation

After gaining access, assessing the full impact by exploring internal resources, testing lateral movement, and evaluating data exposure.

zeScanner phases: Post-Exploitation, Compliance Checks

5. Reporting

Documenting all findings with severity ratings, evidence, attack chains, and prioritized remediation recommendations.

zeScanner phases: Reporting

How AI Expands 5 Stages into 12 Phases

The 5-stage model was designed for human pentesters who naturally handle subtasks within each stage. When you introduce autonomous AI agents, you need more granular phase definitions so each agent has a clear scope and objective. zeScanner's 12-phase model breaks down broad stages into specific, actionable phases:

1. Passive Reconnaissance

Gather intelligence from public sources without touching the target. WHOIS lookups, certificate transparency logs, DNS records, and OSINT collection to build a complete picture before active scanning begins.

Agents: Recon Agent, Threat Intel Agent

2. Network Discovery

Identify live hosts and open ports across the target range using masscan for speed and nmap for accuracy. Adaptive rate limiting based on the selected scan profile.

Agents: Discovery Agent

3. Service Detection

Probe discovered ports to fingerprint running services, versions, and operating systems. Uses nmap service detection with version intensity tuned to the scan profile.

Agents: Service Detection Agent

4. Internet Research

Cross-reference detected services and versions against NVD, ExploitDB, and GitHub PoC repositories. RAG-powered intelligence enriches findings with real-world exploit availability.

Agents: Internet Research Agent

5. Service Enumeration

Deep-dive into discovered services with protocol-specific agents. SMB shares, SNMP communities, DNS zones, LDAP trees, FTP listings, and Active Directory structures are methodically enumerated.

Agents: SMB Agent, SNMP Agent, SSH Agent, DNS Agent, LDAP Agent, FTP Agent, SMTP Agent, Database Agent, Active Directory Agent

6. Web Analysis

Fingerprint web technologies, discover hidden directories, analyze TLS configurations, identify CMS platforms, and test API endpoints for security weaknesses.

Agents: Web Fingerprint Agent, Web Directory Agent, TLS Agent, CMS Agent, API Security Agent

7. Vulnerability Scanning

Run targeted vulnerability scans using nuclei templates and specialized scanners. Findings are validated and enriched with CVSS scores, MITRE ATT&CK mappings, and exploit availability.

Agents: Vulnerability Scanner Agent, Vulnerability Research Agent

8. Finding Correlation

The reasoning engine connects individual findings into attack chains. Identifies multi-step exploitation paths and calculates compounded risk scores across correlated vulnerabilities.

Agents: Correlation Agent

9. Compliance Checks

Evaluate discovered services and configurations against security benchmarks and compliance frameworks. CIS, PCI-DSS, and custom policy checks are run automatically.

Agents: Compliance Agent

10. Exploitation

Attempt controlled exploitation of confirmed vulnerabilities with safety guardrails. Credential testing, brute-force attacks, and known exploit execution validate real-world impact.

Agents: Credential Manager Agent, Bruteforce Agent, Exploit Agent

11. Post-Exploitation

After gaining access, enumerate internal resources, test lateral movement paths, and assess the true blast radius of compromised systems within the network.

Agents: Post-Exploitation Agent, Pivot Agent

12. Reporting

Generate comprehensive, actionable reports with executive summaries, technical details, attack chain visualizations, remediation priorities, and confidence scores for every finding.

Agents: Reporting Agent

Why More Phases Matter

Breaking the assessment into 12 phases provides several advantages:

  • Agent specialization — Each agent focuses on a narrow domain, becoming expert-level at its specific task instead of being a generalist.
  • Parallel execution — Phases 5 and 6 (Service Enumeration and Web Analysis) can run simultaneously, dramatically reducing total scan time.
  • Clear handoffs — Phase transitions act as quality gates where the orchestrator validates completeness before proceeding.
  • Granular control — Users can skip or customize individual phases without affecting others (e.g., skip exploitation for a passive-only assessment).
  • Better reporting — Findings are organized by phase, making reports more structured and actionable.
