
PTaaS - Pentest Lifecycle

The Intigriti pentest lifecycle explained from start to finish

Written by Pascal Schulz
Updated yesterday

Quick overview

A penetration test (pentest) is a controlled, authorised attack simulation that tests systems, applications, networks, and more to identify vulnerabilities an attacker could exploit. The engagement typically moves through: scoping, kickoff and rules of engagement, testing, reporting, remediation and retest, and closure.

The next sections explain each step of running a pentest with Intigriti, with a practical checklist of actions the client should take at each stage.

1. Requesting a pentest

An administrator on the company profile in the Intigriti platform can request a new pentest via the Request pentest button. The request form captures initial scope, test timeframe, test accounts and more. For a step-by-step walkthrough of the request flow, see the platform guide.

2. Pentest draft creation

After submission, the Intigriti Solutions Engineering team reviews the provided information and populates the draft pentest program, which the platform creates automatically when the request is submitted. The draft records scope details, proposed timelines, required accesses, and preliminary rules of engagement.

3. Communication channel creation

When the draft is created, the requesting company administrator is invited to a shared Slack channel hosted in an Intigriti workspace. The channel can be used for setup questions, status updates, and stakeholder coordination. Additional stakeholders can be invited on request.

4. Asset and scope review

The Intigriti team reviews the assets in scope to confirm test readiness, evaluate environments and credentials, and identify potential blockers. During this review the team estimates the testing effort (in hours) required for adequate coverage. Alternatively, a client can opt for a time-boxed pentest, where the test duration is fixed up front. Any questions or issues discovered during the review are raised in the shared Slack channel.

5. Pentest launch call

Once the draft is ready, a launch call is scheduled to confirm objectives, finalise the rules of engagement, agree test windows, and resolve any remaining setup items. The call is used to ensure alignment on priorities and escalation paths before testing begins.

6. Researcher selection

Intigriti works with a vetted global pool of pentesters. After the launch, the opportunity is offered to qualified researchers who may apply to participate. Final researcher selection is made by the client, with Intigriti providing recommendations based on qualifications and skill matching.

7. Researcher adding and pentest start

A few days before the start date, the selected researcher is added to the Slack channel so setup questions and access issues can be clarified before testing begins. On the agreed start date, the researcher begins testing. Vulnerabilities are submitted live through the Intigriti platform as they are discovered; each submission is validated and reproduced by the Intigriti triage team.

8. Pentest end

At the end of the agreed test window, the program is closed for new submissions. Intigriti then guides the client through the acceptance process for submitted findings and the next steps for remediation and reporting.

9. Report creation and evaluation

After client acceptance, Intigriti prepares the agreed deliverable, either a letter of attestation or a full pentest report depending on the selected PTaaS option, and shares it privately with the client. The report contains an executive summary, technical details, evidence, and prioritised remediation guidance.

Retesting (optional)

If requested by the client, the researcher can retest fixed submissions to confirm that applied patches are effective. Retesting can be limited to verified fixes or run as a fuller verification pass depending on the scope and agreement.
