Master pentest methodology, web exploitation, network attack paths, privilege escalation, and professional reporting — with frameworks and a full engagement walkthrough.
Penetration tester interviews go beyond theory — interviewers want to see you can find real vulnerabilities, chain them into meaningful attack paths, and communicate risk to both technical and non-technical audiences. Most interviews combine methodology questions, technical deep-dives, scenario walkthroughs, and often a practical component.
This guide covers six core domains, provides reusable answer frameworks for methodology and finding write-ups, walks through a complete web application engagement, and includes a tool reference.
A penetration tester simulates real-world attacks against systems, applications, and networks to find vulnerabilities before malicious actors exploit them. They scope engagements, conduct reconnaissance, exploit vulnerabilities, document findings, and provide actionable remediation guidance.
A vulnerability assessment scans for known weaknesses without exploitation. A penetration test validates exploitability, chains findings for real-world impact, and shows what an attacker could achieve. A vuln scan says the door is unlocked; a pentest walks through it.
Rules of engagement define scope (which systems), boundaries (permitted techniques), communication protocols (emergency contacts), and legal protections. They are signed before testing begins, to protect both parties.
Every interview starts with methodology. These test structured, repeatable approaches.
Scoping & rules of engagement — Define targets, boundaries, authorisation, communication protocols.
Reconnaissance — Passive and active information gathering to map the attack surface.
Enumeration & vulnerability discovery — Services, versions, configurations, potential weaknesses.
Exploitation — Validate vulnerabilities through controlled exploitation within RoE.
Post-exploitation — Privilege escalation, lateral movement, data access — assess real impact.
Reporting — Findings with evidence, risk ratings, attack narratives, remediation guidance.
Remediation validation — Retest after fixes to confirm vulnerabilities are resolved.
Recon is where engagements are won or lost. Systematically map the attack surface before touching targets.
Web app testing is the most common engagement type. OWASP Top 10 depth, injection, auth bypasses.
Moving through infrastructure, exploiting services, compromising Active Directory environments.
Chaining findings into meaningful attack narratives that demonstrate real-world impact.
A pentest is only as valuable as its report. Communicate to both technical teams and executives.
Title — Specific description — not 'SQL Injection' but 'Blind SQL Injection in /api/search Endpoint'.
Severity rating — CVSS or risk rating with justification based on exploitability and business impact.
Description — What the vulnerability is, where it exists, and why it matters.
Evidence — Step-by-step reproduction with screenshots, request/response pairs, commands.
Impact — What an attacker could achieve: data access, system compromise, lateral movement.
Remediation — Specific, actionable fix recommendations prioritised by effectiveness.
References — CWE, OWASP, CVE where applicable.
Knowing when to use each tool matters more than memorising flags.
| Phase | Tool | Purpose |
|---|---|---|
| Reconnaissance | Amass / Subfinder | Subdomain enumeration and attack surface discovery |
| Reconnaissance | Shodan / Censys | Internet-wide service and exposure discovery |
| Reconnaissance | theHarvester | Email, subdomain, and employee OSINT |
| Scanning | Nmap | Port scanning, service detection, OS fingerprinting |
| Scanning | Masscan | High-speed port scanning for large ranges |
| Web Testing | Burp Suite | Web app proxy, scanner, manual testing platform |
| Web Testing | SQLMap | SQL injection detection and exploitation |
| Web Testing | Gobuster / Feroxbuster | Directory brute-forcing, virtual host discovery |
| Exploitation | Metasploit | Exploitation framework with payloads and post-exploitation |
| Exploitation | Impacket | Network protocol exploitation (SMB, Kerberos, LDAP, WMI) |
| Post-Exploitation | BloodHound | AD attack path mapping and privilege analysis |
| Post-Exploitation | Mimikatz | Windows credential extraction (LSASS, SAM, DCSync) |
| Post-Exploitation | CrackMapExec | Network-wide credential validation and lateral movement |
| Privilege Escalation | LinPEAS / WinPEAS | Automated local privilege escalation enumeration |
| Cracking | Hashcat / John | Offline password hash cracking with GPU acceleration |
| Reporting | Pwndoc / Ghostwriter | Collaborative pentest reporting platforms |
These roles share offensive skills but differ in scope, methodology, and objectives.
Focus: Finding and documenting vulnerabilities within defined scope and timeframe
Key skills: Web app testing, network exploitation, AD attacks, reporting, Burp Suite, Nmap, Metasploit, Impacket
Interview focus: Methodology, OWASP, network exploitation, privilege escalation, reporting, tool proficiency
Focus: Simulating realistic adversaries to test detection and response — stealth paramount
Key skills: Custom C2, malware dev, EDR evasion, social engineering, OPSEC, Cobalt Strike/Sliver
Interview focus: Adversary simulation, C2 frameworks, evasion, OPSEC, custom tooling, detection bypass
Focus: Building defensive security infrastructure
Key skills: Defensive tooling, network security, cloud security, automation, detection engineering
Interview focus: Security architecture, SIEM, vulnerability management, incident response, cloud security
Focus: Finding vulnerabilities in public assets for bounty rewards
Key skills: Web app testing, creative attack thinking, automation, responsible disclosure
Interview focus: Creative vulnerability discovery, web exploitation depth, responsible disclosure
Grey-box engagement against an e-commerce platform before a major product launch.
Scoping — Grey-box test of shop.client.com, api.client.com, admin.client.com. The Stripe integration and any modification of the production database are out of scope. Two-week window. VPN access and test accounts provided.
Reconnaissance — Subdomain enumeration discovers staging.client.com, docs.client.com (public API docs), monitoring.client.com. Stack: React, Node.js/Express, PostgreSQL, Redis, S3.
Web app vulnerabilities — IDOR on /api/orders/{id} exposes all customer orders. Stored XSS in product reviews. No rate limiting on login. Publicly accessible internal API documentation.
Privilege escalation — Admin panel uses weak credentials (admin:admin123). Role parameter manipulation escalates employee to admin. Unvalidated file upload enables RCE. Environment variables expose DB credentials and S3 keys.
Attack chain — The exposed API docs reveal the application structure; absent rate limiting enables credential stuffing; the IDOR exposes customer PII; the stored XSS steals admin sessions; default credentials or a stolen session grant admin access; role manipulation plus the unvalidated file upload yield RCE and theft of cloud credentials. The result is full application compromise.
Reporting & debrief — Executive summary, 8 findings (2 critical, 3 high, 2 medium, 1 low), attack narrative, prioritised remediation. Debrief with dev team. Retest scheduled 4 weeks post-debrief.
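Two of the walkthrough's findings, the IDOR on /api/orders/{id} and the role-parameter escalation, shown as a vulnerable handler beside its fixed form. This is an added example, not code from the page or from any client application; the handler signatures and the in-memory data standing in for PostgreSQL are constructed assumptions.

```javascript
// Constructed sample data (assumption): stands in for the orders and users tables.
const orders = new Map([
  [1001, { id: 1001, customerId: 'u1', total: 49.99 }],
  [1002, { id: 1002, customerId: 'u2', total: 120.0 }],
]);
const users = new Map([
  ['u1', { id: 'u1', email: 'alice@example.test', role: 'customer' }],
  ['u2', { id: 'u2', email: 'bob@example.test', role: 'employee' }],
]);

// Vulnerable: trusts the path parameter and never checks who owns the order (IDOR).
function getOrderVulnerable(session, orderId) {
  const order = orders.get(orderId);
  return order ? { status: 200, body: order } : { status: 404 };
}

// Fixed: object-level authorization on every lookup. A non-owner gets the same 404
// as a missing order, so the endpoint does not leak which order IDs exist.
function getOrder(session, orderId) {
  const order = orders.get(orderId);
  const allowed = order && (order.customerId === session.userId || session.role === 'admin');
  return allowed ? { status: 200, body: order } : { status: 404 };
}

// Vulnerable: mass assignment. Every field in the JSON body, including "role", is written.
function updateProfileVulnerable(session, body) {
  const user = users.get(session.userId);
  Object.assign(user, body);
  return { status: 200, body: user };
}

// Fixed: allow-list of self-editable fields. Rejecting (rather than silently dropping)
// an unexpected field such as "role" also gives a loggable signal of tampering attempts.
const EDITABLE_FIELDS = ['email', 'displayName'];
function updateProfile(session, body) {
  const user = users.get(session.userId);
  for (const key of Object.keys(body)) {
    if (!EDITABLE_FIELDS.includes(key)) {
      return { status: 400, body: { error: `field not allowed: ${key}` } };
    }
  }
  Object.assign(user, body);
  return { status: 200, body: user };
}
```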
Methodology discipline: Structured, repeatable approach — not jumping to tools without understanding context.
Technical depth: Explain how attacks work at protocol level, not just which tool to run.
Attack chain thinking: Combine individual findings into meaningful narratives showing real-world impact.
Communication & reporting: Explain technical findings to non-technical stakeholders. The report is the deliverable.
Ethics & professionalism: Rules of engagement, responsible disclosure, legal boundaries, professional restraint.
OSCP is the gold standard — 24-hour practical exam proving real exploitation skills. OSWE for web depth. CRTO for red team. GPEN and GWAPT for enterprise. CompTIA PenTest+ or eJPT for entry-level.
Yes. Python essential for custom scripts and tool extension. Bash for Linux workflows. JavaScript for XSS and web testing. PowerShell for AD testing. Ability to read C for exploit code. Custom tooling separates strong from average.
Increasingly yes. CTF challenges, take-home labs, live demonstrations on HackTheBox, or code review exercises. Some ask for anonymised pentest report samples. Practice on HackTheBox, TryHackMe, and PortSwigger Academy.
OSCP or equivalent certs, active HackTheBox/TryHackMe profiles, detailed writeups, open-source tool contributions, CTF competitions, PortSwigger Academy. Treat labs as real engagements with professional documentation.
Focusing on tools instead of methodology. 'I would run Nmap then Metasploit' shows tool dependence. Explain your thinking: understand the attack surface, identify services, research vulnerabilities, then validate. The tool is an implementation detail.
Essential for internal pentests. AD attack paths (Kerberoasting, delegation abuse, ACL attacks, DCSync, Golden Tickets) are tested in almost every internal pentest interview. Understand Kerberos, common misconfigs, and BloodHound.
Pentests find as many vulnerabilities as possible in defined scope. Red teams simulate realistic adversaries to test detection and response with stealth. Pentests measure vulnerability coverage; red teams measure defensive capability.
Security blogs (PortSwigger, Project Zero, SpecterOps), vulnerability disclosures, offensive communities, conference talks (DEF CON, Black Hat), lab platforms, CTF competitions, and published pentest reports.
Document out-of-scope discoveries as observations. If the client requests additional testing, formalise it: update the SoW, get written authorisation, and adjust the timeline and budget. Never test outside the agreed scope; this is both a professional and a legal boundary.
Report writing is the most underrated skill. Clear communication, explaining technical concepts to non-technical audiences, client management, time management during fixed-window engagements, and ethical judgement.