Blue Goat Cyber Penetration Testing Methodology

Our penetration testing methodology is designed to reduce penetration testing risk while maximizing success and efficiency.
Blue Goat’s penetration testing methodology is based on the following guidelines and standards:
  • FDA Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions
  • FDA Design Considerations and Premarket Submission Recommendations for Interoperable Medical Devices
  • The Open Source Security Testing Methodology Manual
  • U.S. NIST SP 800-115: Technical Guide to Information Security Testing and Assessment
  • FDA Premarket Notification 510(k)
  • FDA Premarket Approval (PMA)
  • EU Medical Devices Regulation (MDR)
  • UL 2900 set of standards (UL’s Cybersecurity Assurance Program)
  • ANSI/ISA 62443-4-1
Blue Goat Cyber Penetration Testing Methodology

Phase 1 – Planning and Preparation

Planning and preparation are essential to a successful penetration test. In this phase, a kickoff meeting is used to discuss and clarify the scope, rules of engagement, points of contact, and objectives. Clearly defined objectives are critical. Otherwise, the penetration test will likely yield unclear results and recommendations.
In most cases, the objective of a penetration test is to demonstrate the exploitability of existing vulnerabilities within the target organization’s networks, systems, and infrastructure. The scoping of the penetration test identifies the specific assets, networks, personnel, physical locations, and staff involved in the test. Rules of Engagement (ROE) cover the timing and extent of the penetration test. Identifying periods where testing could impact the target organization is critical to ensure the success of both the ongoing business needs of the organization as well as the penetration test. The ROE should also cover guidelines and instructions for penetration testers when they gain root-level access to target systems or obtain access to sensitive information. Off-limit targets also need to be delineated and agreed upon in this phase.
Performing a penetration test on an organization is only accomplished with prior authorization. Some of the tools and techniques are considered illegal without authorization.

Phase 2 – Reconnaissance / Discovery

This phase aims to gather as much information about the targeted assets, network, and locations as possible. Discovery has both passive and active stages.

Phase 3 – Vulnerability Enumeration / Analysis

The next phase is to determine the vulnerabilities that exist on designated targets. Tools such as Nessus, Burp Suite Professional, and OWASP ZAP are examples of automated vulnerability scanners. Manual analysis is also used to identify vulnerabilities. This step lists potentially exploitable vulnerabilities on the target systems and allows us to plan the Exploitation Phases.
Passive discovery uses tools and information publicly available about the target organization and its assets/networks. In passive discovery, the penetration testing team never directly “touched” the target. Expected results from the passive discovery phase should include domain names, server names, Internet service provider information, and web applications. Active discovery is more “hands-on” with the targets, including scanning for live hosts and services.

Phase 4 – Initial Exploitation

Once vulnerable targets are identified, we determine which of the vulnerable targets are suitable for exploitation. We use many factors to prioritize attacks, including hostnames, location on the network, and exploitability of vulnerabilities. The tools and techniques used during this phase of the penetration test have the highest probability of causing disruptions. Exploiting vulnerabilities is unreliable and essentially forces a system or software to do something it was not designed to do. This can often have unintended consequences, such as unresponsive applications and/or systems. Password cracking and brute forcing open services like telnet, ftp, or http are also accomplished during this phase of the penetration test.

Phase 5 – Expanding Foothold / Deeper Penetration

Once an initial foothold is gained on a target system, the exploitation process becomes iterative. The initial compromised system performs further discovery, vulnerability enumeration, and exploitation of additional assets. During this phase, it is common to use privilege escalation attacks on assets to gain elevated privileges on the target network.

Phase 6 – Cleanup

The cleanup phase is essential to ensure all the tools, shells, code, created accounts, or anything used by the penetration testers is removed from compromised systems. Hostile attackers use tools and techniques similar to those ethical penetration testers use. Leaving penetration testing tools on compromised targets is bad practice and facilitates malicious compromise. The cleanup process should involve the organization’s staff to ensure thorough and complete removal.

Phase 7 – Report Generation

In phases 1-6, information is analyzed and put in a report template. The report documents actions taken during the penetration test with detailed remediation guidance.

Task Breakdown, by Penetration Testing Methodology Phase

1.1 Kick-Off Meeting
1.2 Explicit Test Authorization Document Review and Signature
1.3 Rules of Engagement Document Review and Signature
2.1 Passive Reconnaissance
2.2 Active Reconnaissance
2.3 Prioritize Target List
3.1 Enumerate Target Vulnerabilities
3.2 Analyze Vulnerabilities
3.3 Map Vulnerabilities to Exploits
3.4 Prioritize Targets to Exploit
4.1 Compromise Targets
4.2 Gain Consistent Target Access
4.3 Use Compromised Targets for Additional Reconnaissance
5.1 Escalate Privileges
5.2 Configure Pivot Point
5.3 Accomplish Objective
6.1 Review Compromised Targets
6.2 Remove Files, Data, and Accounts Used for Exploitation
6.3 Verify System State is Pre-Test
7.1 Analyze Penetration Testing Documentation
7.2 Prioritize Findings
7.3 Write, Review, and Present Report

Steps to Schedule Your Penetration Test:

blue goat cyber penetration testing

Popular Penetration Tests

Black Box Penetration Testing

External Black Box Penetration Testing is one of our most popular services.

Web Application Penetration Testing

Our Web Application Testing includes both Black Box and Gray Box Penetration Testing.

HIPAA Penetration Testing

Our HIPAA Penetration Testing is designed to help you meet the HIPAA Security Rule.

Vulnerability Assessment Services

A Vulnerability Assessment is the process of evaluating assets in an enterprise for missing patches and misconfigurations.


We help you mature your cybersecurity posture in alignment with your compliance requirements and business objectives.

Medical Device Cybersecurity

We understand that often the key objective of testing medical devices is to assist with FDA approval.

Our purpose is simple — to make your organization secure

The number of cybersecurity incidents continues to climb. The variety of attacks continues to grow. It is no longer a question of if you will have a cyber event.

Medical Device Cybersecurity

We understand that often the key objective of testing medical devices is to assist with FDA approval.

Penetration Testing Services

How secure is your network? When is the last time you tested your cybersecurity defenses?

HIPAA Security Risk Analysis (SRA)

We help you meet the requirement to conduct an accurate and thorough assessment of risks to the confidentiality, integrity, and availability of ePHI. 


We help you mature your cybersecurity posture in alignment with your compliance requirements and business objectives.