
VAPT 101: from recon to a reportable finding

The end-to-end workflow of a black-box web app pen test, and what makes a finding survive client pushback.

Rudy Prasetiya

Apr 28, 2026 · 9 min


Penetration testing isn't 'run a scanner, paste output.' This walkthrough covers the full workflow I use on a black-box web app engagement: recon, mapping, exploitation, evidence capture, and the finding write-up that doesn't get downgraded by the client.

Phase 1 — passive recon

Before sending a single packet to the target, gather public surface area: subdomains, exposed S3 buckets, leaked credentials in pastes, GitHub history of the org, and tech stack fingerprints.

Subdomain enumeration (bash)
# Stack: amass + subfinder + httpx
amass enum -passive -d target.com -o passive.txt
subfinder -d target.com -silent >> passive.txt
sort -u passive.txt | httpx -silent -status-code -tech-detect -o live.txt

Scope first

Always confirm scope in writing before recon. 'Passive' OSINT is fine; active scanning of an unscoped subdomain is not.
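The scope rule above is easy to state and easy to violate by accident once a pipeline like the one in Phase 1 produces a few hundred hosts. Below is an added example (my own illustration, not tooling from the original post) that gates recon output against the written scope before anything is handed to active tooling. The scope rules and hostnames are constructed sample data; note that a naive `endswith("target.com")` check would wrongly pull in `legacy.partner-target.com`, which is why matching is done on exact hosts and explicit `*.` wildcards.

```python
"""Scope gate for recon output (added example, not from the original post).

Splits the deduplicated host list from the amass/subfinder pipeline into
in-scope and out-of-scope hosts against a written scope definition, so only
in-scope hosts reach active tooling. Hostnames and rules are constructed.
"""
from __future__ import annotations

# Constructed scope as agreed in writing: exact hosts plus '*.' wildcard suffixes.
SCOPE_RULES = [
    "target.com",
    "*.app.target.com",
    "api.target.com",
]

# Constructed recon output, as if produced by `sort -u passive.txt`.
RECON_HOSTS = """\
target.com
www.target.com
api.target.com
staging.app.target.com
billing.app.target.com
legacy.partner-target.com
TARGET.COM.
"""


def normalize_host(host: str) -> str:
    """Lowercase and drop a trailing dot so 'TARGET.COM.' equals 'target.com'."""
    return host.strip().lower().rstrip(".")


def in_scope(host: str, rules: list[str]) -> bool:
    """True if host matches an exact rule or sits under a '*.' wildcard rule.

    '*.app.target.com' matches 'x.app.target.com' (and deeper labels) but not
    'app.target.com' itself and not 'xapp.target.com'.
    """
    h = normalize_host(host)
    for rule in rules:
        r = rule.lower()
        if r.startswith("*."):
            suffix = r[1:]  # e.g. ".app.target.com", leading dot kept on purpose
            if h.endswith(suffix) and len(h) > len(suffix):
                return True
        elif h == r:
            return True
    return False


def split_scope(hosts_text: str, rules: list[str]) -> tuple[list[str], list[str]]:
    """Partition recon output into (in_scope, out_of_scope), deduplicated and sorted."""
    seen = {normalize_host(line) for line in hosts_text.splitlines() if line.strip()}
    inside = sorted(h for h in seen if in_scope(h, rules))
    outside = sorted(h for h in seen if not in_scope(h, rules))
    return inside, outside


if __name__ == "__main__":
    ok, blocked = split_scope(RECON_HOSTS, SCOPE_RULES)
    print("in scope (may be probed actively):", *ok, sep="\n  ")
    print("out of scope (passive OSINT only):", *blocked, sep="\n  ")
```

Feed `live.txt` from the Phase 1 pipeline through `split_scope` and only pass the first list on; the second list is still useful in the report as "observed but not tested".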

Phase 2 — mapping & active discovery

Use Burp Suite (or Caido) as a proxy while crawling the application logged in as each role. The role matrix (which role is allowed to reach which endpoint or function) is the single most important artifact — most real findings are authorization failures, not exotic exploits.
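Once the proxied crawl has been done per role, the matrix becomes a mechanical comparison: expected access versus what each role actually got back. This added example (mine, not from the original post) diffs the two and separates the security finding (a role succeeding where it must be denied) from the functional bug (a role denied where it should succeed). Endpoints, roles and status codes are constructed sample data.

```python
"""Role-matrix diff for authorization testing (added example, not from the post).

EXPECTED says which role may reach which endpoint; OBSERVED is the status each
role actually received from the proxied crawl. A 2xx where the expected
answer is 'deny' is a candidate authorization finding. All values are constructed.
"""
from __future__ import annotations

# Constructed expected access: True = allowed, False = must be denied.
EXPECTED = {
    "/api/invoices/{id}": {"anonymous": False, "free": False, "paid": True,  "admin": True},
    "/api/admin/users":   {"anonymous": False, "free": False, "paid": False, "admin": True},
    "/api/profile":       {"anonymous": False, "free": True,  "paid": True,  "admin": True},
}

# Constructed observed HTTP status per role, as recorded from the proxy.
OBSERVED = {
    "/api/invoices/{id}": {"anonymous": 401, "free": 200, "paid": 200, "admin": 200},
    "/api/admin/users":   {"anonymous": 401, "free": 403, "paid": 403, "admin": 200},
    "/api/profile":       {"anonymous": 401, "free": 403, "paid": 200, "admin": 200},
}


def diff_matrix(expected: dict, observed: dict) -> list[dict]:
    """Return every deviation between expected and observed access.

    kind == "excess"  : role got a success response where access must be denied
                        (the security finding).
    kind == "missing" : role was denied where access is expected
                        (a functional bug worth handing to the dev lead).
    """
    deviations = []
    for endpoint, roles in expected.items():
        for role, allowed in roles.items():
            status = observed.get(endpoint, {}).get(role)
            if status is None:
                continue  # endpoint/role pair not exercised in this crawl
            success = 200 <= status < 300
            if success and not allowed:
                deviations.append({"endpoint": endpoint, "role": role, "status": status, "kind": "excess"})
            elif allowed and not success:
                deviations.append({"endpoint": endpoint, "role": role, "status": status, "kind": "missing"})
    return deviations


def security_findings(expected: dict, observed: dict) -> list[dict]:
    """Only the excess-privilege deviations, i.e. what goes into the report."""
    return [d for d in diff_matrix(expected, observed) if d["kind"] == "excess"]


if __name__ == "__main__":
    for d in diff_matrix(EXPECTED, OBSERVED):
        print(f'{d["kind"]:8} {d["role"]:10} {d["endpoint"]} -> {d["status"]}')
```

In the sample data the free-tier role reads the invoice endpoint it should never see, which is exactly the IDOR shape discussed in Phase 3; the profile 403 for the same role is a bug, not a finding, and belongs in a separate "observations" section.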

Phase 3 — exploitation

Prioritize by business impact, not CVSS. An IDOR that lets a free-tier user read paid-tier invoices is more reportable than a reflected XSS on a logged-out 404 page.

Risk

Never exfiltrate real customer data to prove an IDOR. Capture the response headers and a redacted snippet — that is sufficient evidence and keeps you on the right side of the law.

Phase 4 — the finding write-up

A reportable finding has six parts: title, severity (with rationale), affected asset, reproduction steps, evidence, and remediation. Skip any one of them and the client will push back during readout.

  1. Title — outcome-led, not tool-led ('Authenticated user can read other users' invoices', not 'Burp found IDOR').
  2. Severity — CVSS plus a one-line business-impact sentence.
  3. Reproduction — copy-pasteable curl, with cookies redacted.
  4. Evidence — screenshot + response excerpt, redacted.
  5. Remediation — concrete code or config change, not 'apply the principle of least privilege'.
  6. Mapping — OWASP Top 10 + Annex A.8 / NIST CSF subcategory.
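The Risk note in Phase 3 (redact, never exfiltrate) and the six-part structure above fit naturally into a small finding record that refuses to export until every part is present and masks cookies and tokens on the way out. The example below is an added illustration of mine, not a template from the original post; the sample finding, its header values and the framework references in `mapping` are constructed, and the tool-led-title check is just a heuristic.

```python
"""Finding record with completeness check and evidence redaction.

Added example, not from the original post. Models the six parts a reportable
finding needs, refuses to export a finding missing any of them, and redacts
cookies, authorization headers and bare tokens from the reproduction command
and response excerpt before they reach the report. Sample data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

REQUIRED_PARTS = ("title", "severity", "affected_asset", "reproduction", "evidence", "remediation")

# Header values that must never appear verbatim in a report (names stay visible).
_SENSITIVE_HEADER = re.compile(r"(?i)\b(Cookie|Set-Cookie|Authorization|X-Api-Key):\s*[^'\"\r\n]+")
# Bare session ids / JWT-looking blobs that may sit inside a body excerpt.
_TOKEN = re.compile(r"\b(?:eyJ[A-Za-z0-9_-]{10,}|[A-Fa-f0-9]{32,})\b")


def redact(text: str) -> str:
    """Mask sensitive header values and bare tokens, keeping the header names."""
    text = _SENSITIVE_HEADER.sub(lambda m: f"{m.group(1)}: [REDACTED]", text)
    return _TOKEN.sub("[REDACTED]", text)


@dataclass
class Finding:
    title: str
    severity: str            # e.g. "High (CVSS 7.5)"
    severity_rationale: str  # the one-line business-impact sentence
    affected_asset: str
    reproduction: str        # copy-pasteable curl
    evidence: str            # response excerpt
    remediation: str         # concrete code or config change
    mapping: list[str] = field(default_factory=list)  # OWASP / ISO 27001 / NIST CSF refs

    def missing_parts(self) -> list[str]:
        """Names of the required parts that are empty."""
        return [p for p in REQUIRED_PARTS if not getattr(self, p).strip()]

    def validate(self) -> list[str]:
        """Problems that would get this finding downgraded or bounced at readout."""
        problems = [f"missing {p}" for p in self.missing_parts()]
        if self.severity.strip() and not self.severity_rationale.strip():
            problems.append("severity has no business-impact rationale")
        if self.title.lower().startswith(("burp ", "nuclei ", "scanner ")):
            problems.append("title is tool-led, not outcome-led")
        return problems

    def to_report(self) -> dict:
        """Export with redacted reproduction and evidence; raises if incomplete."""
        problems = self.validate()
        if problems:
            raise ValueError("; ".join(problems))
        return {
            "title": self.title,
            "severity": f"{self.severity}. {self.severity_rationale}",
            "affected_asset": self.affected_asset,
            "reproduction": redact(self.reproduction),
            "evidence": redact(self.evidence),
            "remediation": self.remediation,
            "mapping": list(self.mapping),
        }


# Constructed sample finding, mirroring the IDOR example in the post.
SAMPLE = Finding(
    title="Authenticated free-tier user can read other users' invoices",
    severity="High (CVSS 7.5)",
    severity_rationale="Any free account can enumerate paid customers' billing data.",
    affected_asset="https://api.target.com/api/invoices/{id}",
    reproduction="curl -s -H 'Cookie: session=3f9a...' https://api.target.com/api/invoices/1042",
    evidence="HTTP/1.1 200 OK\nSet-Cookie: session=deadbeefdeadbeefdeadbeefdeadbeef\n"
             '{"invoice_id": 1042, "customer": "[redacted]"}',
    remediation="Load the invoice by (invoice_id, current_user.account_id) and return 404 when the pair does not exist.",
    mapping=["OWASP A01:2021 Broken Access Control", "ISO 27001 Annex A.8", "NIST CSF PR.AA"],
)

if __name__ == "__main__":
    for k, v in SAMPLE.to_report().items():
        print(f"{k}: {v}")
```

The point of raising on `validate()` rather than warning is that an incomplete finding never leaves the tester's machine in that state; the redaction runs on export so the working notes can keep the unredacted request for re-testing.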

Best practice

Send the draft report to the dev lead before the formal readout. Findings that the team has already triaged are findings that get fixed.

#vapt #pentesting #owasp #web-security
Rudy Prasetiya

IT GRC, cybersecurity & audit practitioner. Writes about controls that actually hold.