Blue Goat Cyber

Blue Goat Cyber Penetration Testing Methodology

Our penetration testing methodology is designed to reduce penetration testing risk while maximizing success and efficiency.

Phase 1 – Planning and Preparation

Planning and preparation are essential to a successful penetration test. In this phase, a kickoff meeting is used to discuss and clarify the scope, rules of engagement, points of contact, and objectives. Clearly defined objectives are critical; without them, the penetration test will likely yield unclear results and recommendations.
In most cases, the objective of a penetration test is to demonstrate the exploitability of existing vulnerabilities within the target organization’s networks, systems, and infrastructure. Scoping identifies the specific assets, networks, physical locations, and personnel involved in the test. The Rules of Engagement (ROE) cover the timing and extent of the penetration test. Identifying time windows in which testing could impact the target organization is critical to protecting both the organization’s ongoing business operations and the success of the test itself. The ROE should also give penetration testers explicit instructions for what to do when they gain root-level access to target systems or obtain access to sensitive information. Off-limit targets must also be delineated and agreed upon in this phase.
A penetration test is performed only with prior authorization; some of the tools and techniques involved are illegal without it.

Phase 2 – Reconnaissance / Discovery

The purpose of this phase is to gather as much information as possible about the targeted assets, network, and locations. Discovery has both passive and active stages.
Passive discovery uses tools and information publicly available about the target organization and its assets and networks. In passive discovery, the target is never directly “touched” by the penetration testing team. Expected results from the passive discovery stage include domain names, server names, Internet service provider information, and web applications. Active discovery is more “hands-on” with the targets and includes scanning for live hosts and services.

Phase 3 – Vulnerability Enumeration / Analysis

The next phase is to determine the vulnerabilities that exist on the designated targets. Automated vulnerability scanners such as Nessus, Burp Suite Professional, and OWASP ZAP are used, and manual analysis is also performed to identify vulnerabilities the scanners miss. This step produces a list of potentially exploitable vulnerabilities on the target systems and allows us to plan the exploitation phases.

Phase 4 – Initial Exploitation

Once vulnerable targets are identified, we determine which of them are suitable for exploitation. We use many factors to prioritize attacks, including hostnames, location on the network, and the exploitability of the vulnerabilities. The tools and techniques used during this phase have the highest probability of causing disruptions. Exploitation is inherently unreliable: it forces a system or piece of software to do something it was not designed to do, which can have unintended consequences such as unresponsive applications or systems. Password cracking and brute-forcing of exposed services such as Telnet, FTP, or HTTP also take place during this phase.

Phase 5 – Expanding Foothold / Deeper Penetration

Once an initial foothold is gained on a target system, the exploitation process becomes iterative. The initial compromised system is used to perform further discovery, vulnerability enumeration, and exploitation of additional assets. During this phase, it is common to use privilege escalation attacks on assets to gain elevated privileges on the target network.

Phase 6 – Cleanup

The cleanup phase is essential to ensure that all tools, shells, code, created accounts, and anything else used by the penetration testers are removed from compromised systems. Hostile attackers use many of the same tools and techniques as ethical penetration testers, so leaving penetration testing tools on compromised targets is bad practice and facilitates malicious compromise. The cleanup process should involve the organization’s staff to ensure thorough and complete removal.
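Phase 6 requires verifying that each compromised system is back to its pre-test state, and that check is most reliable when it compares against a baseline rather than relying on the testers’ memory. The script below is an added example written for this page, not Blue Goat Cyber’s tooling: it snapshots the artifact classes a test can leave behind (local accounts, files under the directories the testers used, scheduled jobs) and diffs a post-cleanup snapshot against the baseline. The account, file and cron values in `demo()` are constructed stand-ins for a real host; `snapshot_tree()` hashes a real directory and assumes the tester’s working directories are known.

```python
"""Baseline-and-diff check supporting Phase 6 cleanup verification.
Constructed example written for this page, not Blue Goat Cyber's tooling."""

import hashlib
import os
import tempfile
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Snapshot:
    """Point-in-time view of the artifact classes checked during cleanup."""
    accounts: frozenset          # local account names
    files: dict                  # relative path -> sha256 hex digest
    scheduled_jobs: frozenset    # cron lines or task names, verbatim

@dataclass
class CleanupReport:
    added_accounts: set = field(default_factory=set)
    removed_accounts: set = field(default_factory=set)
    added_files: set = field(default_factory=set)
    removed_files: set = field(default_factory=set)
    modified_files: set = field(default_factory=set)
    added_jobs: set = field(default_factory=set)
    removed_jobs: set = field(default_factory=set)

    def is_clean(self) -> bool:
        """True only when the post-cleanup state matches the baseline exactly."""
        return not any(vars(self).values())

def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries stay out of memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot_tree(root: str) -> dict:
    """Hash every regular file under root, keyed by path relative to root."""
    files = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                files[os.path.relpath(full, root)] = sha256_file(full)
    return files

def compare(baseline: Snapshot, after: Snapshot) -> CleanupReport:
    """Diff two snapshots. Removals count too: a deleted log or legitimate
    account is as much a cleanup failure as an account left behind."""
    r = CleanupReport()
    r.added_accounts = set(after.accounts - baseline.accounts)
    r.removed_accounts = set(baseline.accounts - after.accounts)
    r.added_files = set(after.files) - set(baseline.files)
    r.removed_files = set(baseline.files) - set(after.files)
    r.modified_files = {p for p in baseline.files.keys() & after.files.keys()
                        if baseline.files[p] != after.files[p]}
    r.added_jobs = set(after.scheduled_jobs - baseline.scheduled_jobs)
    r.removed_jobs = set(baseline.scheduled_jobs - after.scheduled_jobs)
    return r

def demo() -> CleanupReport:
    """Constructed snapshots of one host: a temporary account, an uploaded
    helper script with a cron entry, and an edited config file remain."""
    before = Snapshot(
        accounts=frozenset({"root", "svc_backup", "jsmith"}),
        files={"etc/ssh/sshd_config": "aa11", "opt/app/run.sh": "bb22"},
        scheduled_jobs=frozenset({"0 2 * * * /opt/app/backup.sh"}),
    )
    after = Snapshot(
        accounts=frozenset({"root", "svc_backup", "jsmith", "pentest_tmp"}),
        files={"etc/ssh/sshd_config": "aa12", "opt/app/run.sh": "bb22",
               "tmp/scan_helper.sh": "cc33"},
        scheduled_jobs=frozenset({"0 2 * * * /opt/app/backup.sh",
                                  "*/5 * * * * /tmp/scan_helper.sh"}),
    )
    return compare(before, after)

def tree_roundtrip() -> CleanupReport:
    """Run snapshot_tree against a real temporary directory: baseline one file,
    then edit it and drop a second file before re-snapshotting."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "app.conf")
        with open(conf, "w") as fh:
            fh.write("debug=false\n")
        base = Snapshot(frozenset(), snapshot_tree(root), frozenset())
        with open(conf, "w") as fh:
            fh.write("debug=true\n")
        with open(os.path.join(root, "dropped.bin"), "wb") as fh:
            fh.write(b"\x00" * 16)
        post = Snapshot(frozenset(), snapshot_tree(root), frozenset())
    return compare(base, post)

if __name__ == "__main__":
    for label, report in (("constructed host", demo()), ("temp dir", tree_roundtrip())):
        print(label, "clean" if report.is_clean() else "RESIDUE FOUND", vars(report))
```

In practice the baseline snapshot is taken at the end of Phase 1, before any tester touches the host, and the comparison is run jointly with the organization’s staff during task 6.3. Reporting removals as well as additions matters: a tester who deletes a log or a legitimate account during cleanup has also left the system in a state that is not pre-test.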

Phase 7 – Report Generation

Information gathered in Phases 1–6 is analyzed and compiled into a report. The report documents the actions taken during the penetration test and provides detailed remediation guidance for each finding.

Task Breakdown, by Penetration Testing Methodology Phase

1.1 Kick-Off Meeting
1.2 Explicit Test Authorization Document Review and Signature
1.3 Rules of Engagement Document Review and Signature
2.1 Passive Reconnaissance
2.2 Active Reconnaissance
2.3 Prioritize Target List
3.1 Enumerate Target Vulnerabilities
3.2 Analyze Vulnerabilities
3.3 Map Vulnerabilities to Exploits
3.4 Prioritize Targets to Exploit
4.1 Compromise Targets
4.2 Gain Consistent Target Access
4.3 Use Compromised Targets for Additional Reconnaissance
5.1 Escalate Privileges
5.2 Configure Pivot Point
5.3 Accomplish Objective
6.1 Review Compromised Targets
6.2 Remove Files, Data, and Accounts Used for Exploitation
6.3 Verify System State is Pre-Test
7.1 Analyze Penetration Testing Documentation
7.2 Prioritize Findings
7.3 Write, Review, and Present Report

Popular Penetration Tests

Black Box Penetration Testing

External Black Box Penetration Testing is one of our most popular services.

Web Application Penetration Testing

Our Web Application Testing includes both Black Box and Gray Box Penetration Testing.

HIPAA Penetration Testing

Our HIPAA Penetration Testing is designed to help you meet the HIPAA Security Rule.

We offer every type of penetration test available. We broadly categorize our testing into two main categories, based on the location they are typically performed from: “Remote” and “Onsite”.

Most of our penetration testing services can be performed remotely, saving you travel expenses.

Remote Penetration Testing

Onsite Penetration Testing

Vulnerability Assessment Services

A Vulnerability Assessment is the process of evaluating assets in an enterprise for missing patches and misconfigurations.


We help you mature your cybersecurity posture in alignment with your compliance requirements and business objectives.

Medical Device Cybersecurity

We understand that often the key objective of testing medical devices is to assist with FDA approval.

Our purpose is simple — to make your organization secure

The number of cybersecurity incidents continues to climb. The variety of attacks continues to grow. It is no longer a question of if you will have a cyber event.

Penetration Testing Services

How secure is your network? When is the last time you tested your cybersecurity defenses?

HIPAA Security Risk Analysis (SRA)

We help you meet the requirement to conduct an accurate and thorough assessment of risks to the confidentiality, integrity, and availability of ePHI. 
