1.3 The Engagement Lifecycle
Every professional penetration test follows the same cycle, at least on paper. The tools change, the targets change, the findings change, but the structure does not. This is the engagement lifecycle, and understanding it is what separates a pentester from someone who just knows how to use Nmap.
The cycle has four phases:
Pre-Engagement: Before you touch a keyboard. You receive the scope of work, review the rules of engagement, attend the kickoff call, confirm the target list, and clarify ambiguities with the client. Most beginners skim this phase, and that is a serious mistake: an ambiguity you fail to resolve here becomes an out-of-scope action later. Every detail in this phase matters.
Execution: The testing itself. Enumeration, exploitation, lateral movement, privilege escalation. It is not just hacking; it is hacking methodically, within the scope, during the authorized window, while documenting every step as you go. Your notes during execution become your evidence in the report.
Reporting: Shells and cracked hashes are not deliverables. The report is the deliverable: the written document with findings, severity ratings, evidence, and remediation guidance. This is what the client pays for.
Delivery: The readout. You present your findings, walk through the attack chain, and take client questions. This is where you show that you can translate technical work into business risk. You communicate risk in the client's terms, and you defend your methodology and your severity ratings.
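The execution phase above insists on two disciplines that beginners skip: staying inside the agreed scope and keeping timestamped evidence of every step. The wrapper below is an added example of how to enforce both at the shell, written for this page rather than taken from the course materials or TadiSec's tooling. It assumes a scope file with one in-scope host or IP per line (`scope.txt`), an append-only activity log (`evidence.log`) and a directory for raw command output; all of those names, the log format and the sample target addresses are assumptions for the illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the course): a wrapper that refuses out-of-scope
# targets during execution and records timestamped, hashed evidence that
# can later be cited in the report. File names and log format are assumed.

SCOPE_FILE="${SCOPE_FILE:-scope.txt}"          # one in-scope host/IP per line
EVIDENCE_LOG="${EVIDENCE_LOG:-evidence.log}"   # append-only activity log
EVIDENCE_DIR="${EVIDENCE_DIR:-.}"              # raw command output lands here
TESTER="${TESTER:-$(id -un)}"                  # who ran the command
EVIDENCE_SEQ=0                                 # keeps output file names unique

utc_now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# sha256 of a file: coreutils sha256sum on Linux, shasum on macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# in_scope TARGET: succeed only if TARGET is an exact line in SCOPE_FILE.
# Exact, whole-line matching is deliberate: 10.0.0.5 must not authorize
# 10.0.0.50 through a substring match.
in_scope() {
    [ -r "$SCOPE_FILE" ] && grep -Fxq -- "$1" "$SCOPE_FILE"
}

# run_logged TARGET CMD...: refuse out-of-scope targets (return 2) and log the
# refusal; otherwise run CMD, save its output to a file, and append one log
# line with UTC timestamp, tester, target, exit code, output hash, file name
# and the command. Returns CMD's exit code so callers can chain on it.
run_logged() {
    target="$1"; shift
    ts=$(utc_now)
    if ! in_scope "$target"; then
        printf '%s tester=%s target=%s REFUSED not in %s cmd=%s\n' \
            "$ts" "$TESTER" "$target" "$SCOPE_FILE" "$*" >> "$EVIDENCE_LOG"
        return 2
    fi
    EVIDENCE_SEQ=$((EVIDENCE_SEQ + 1))
    outfile="$EVIDENCE_DIR/evidence_$(printf '%s' "$ts" | tr ':' '-')_$$_$EVIDENCE_SEQ.txt"
    "$@" > "$outfile" 2>&1
    rc=$?
    printf '%s tester=%s target=%s rc=%d sha256=%s file=%s cmd=%s\n' \
        "$ts" "$TESTER" "$target" "$rc" "$(hash_file "$outfile")" "$outfile" "$*" \
        >> "$EVIDENCE_LOG"
    return "$rc"
}

# count_refused: number of refused attempts in the log, worth reconciling
# against the rules of engagement before the readout.
count_refused() { grep -c ' REFUSED ' "$EVIDENCE_LOG" 2>/dev/null || true; }

# Stand-alone demo with a constructed one-host scope; set RUN_DEMO=1 to run.
if [ "${RUN_DEMO:-0}" = "1" ]; then
    printf '10.0.0.5\n' > "$SCOPE_FILE"         # constructed scope list
    run_logged 10.0.0.5 echo "in-scope probe"    # runs and is logged
    run_logged 192.0.2.1 echo "out of scope"     # refused and logged, never run
    cat "$EVIDENCE_LOG"
fi
```

Two design choices matter here. The scope check happens before the command runs, so a mistyped target produces a logged refusal rather than an unauthorized packet; and the log line carries a hash of the saved output, so a finding in the report can point at a specific file whose contents have not changed since the test. The scope matcher is intentionally simple: it handles exact hosts and addresses, not CIDR ranges or wildcards, so expand the scope file accordingly or extend `in_scope` before using it on a real engagement.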
In this course, you’ll work through TadiSec’s engagement with Navigating Security Corp following this exact cycle. Module 2 covers pre-engagement. Module 3 covers execution and documentation. Module 4 covers reporting and delivery.
The diagram below is a one-page reference of the lifecycle. Download it; it’s the map for everything that follows.
On the right, arrange the engagement phases in the correct order. It sounds simple, but the wrong answers are designed to reflect mistakes beginners actually make.
Arrange the Lifecycle
Arrange these engagement activities in the correct chronological order. Drag to reorder.
- Exploit identified vulnerabilities
- Write the penetration test report
- Document findings with timestamped evidence
- Conduct the post-engagement debrief
- Review the scope of work and rules of engagement
- Attend the client kickoff call
- Present findings in the client readout
- Begin enumeration of the target environment