Guide

How to run your first penetration test in 30 minutes

A complete walkthrough for teams with no security background — from adding your domain to reading the results and deciding what to fix first.

Priya Nair · June 18, 2024 · 8 min read

Most penetration testing guides are written for security professionals. This one isn’t. If you’re a founder, CTO, or engineer who needs to know whether your web application is secure — but you don’t have a dedicated security team — this guide is for you.

We’ll walk through the entire process using PenScan: from registering your domain to reading a completed vulnerability report. The whole process takes about 30 minutes from start to results.

Before you start

You'll need access to your domain's DNS settings (via your registrar or DNS provider like Cloudflare, Route 53, or GoDaddy). The actual scan configuration takes about 5 minutes — the rest of the time is the scan running.

Step 1 — Create your account and add your domain

Sign up at app.penscan.org. No credit card required — new accounts get 2 free credits to run their first scans.

Once logged in, go to Targets → Add target. Enter your root domain — for example, acmecorp.com. PenScan will automatically discover subdomains (like api.acmecorp.com, staging.acmecorp.com) as part of the scan, so you only need to register the root.

What PenScan does with your domain

After you add a target, PenScan runs passive subdomain enumeration using HackerTarget, AlienVault OTX, crt.sh, and passive DNS records. For a typical SaaS product this discovers 5–40 subdomains, depending on how long the domain has been active.

You don't pay for subdomain discovery — it's included with every scan credit.

Step 2 — Verify that you own the domain

This is the most important step. PenScan will not scan any target without verified ownership. This protects both you and the people whose systems you might accidentally test.

After adding your target, PenScan shows you a DNS TXT record to add to your domain. It looks like this:

# Add this TXT record to your DNS
Name: _penscan-verify.acmecorp.com
Value: penscan-verify=a8f3c2d1-4b9e-4c7f-9a2b-d5e8f1a3b6c4

Log in to your DNS provider and add this record. It typically takes 1–5 minutes to propagate. Once PenScan detects the record, your target is verified and the scan can proceed.
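The ownership check described above, as an added example rather than PenScan's own code: the record name and the penscan-verify= value format are taken from this page, while the function names, the injected lookup and the sample zone are assumptions so the logic runs against constructed records instead of live DNS.

```python
import hmac
import re

VERIFY_LABEL = "_penscan-verify"   # record label shown on the page
VALUE_PREFIX = "penscan-verify="   # value prefix shown on the page

def verification_name(domain):
    """Record name PenScan asks for, e.g. _penscan-verify.acmecorp.com."""
    return f"{VERIFY_LABEL}.{domain.strip().rstrip('.').lower()}"

def _unquote_txt(raw):
    # dig and most DNS APIs return TXT data as one or more double-quoted
    # chunks ("abc" "def"); join them, or pass an unquoted string through.
    chunks = re.findall(r'"([^"]*)"', raw)
    return "".join(chunks) if chunks else raw.strip()

def verify_ownership(domain, expected_token, lookup_txt):
    """True only if a TXT record at _penscan-verify.<domain> equals
    penscan-verify=<expected_token>. lookup_txt(name) returns the raw TXT
    strings for a name and may raise when the name does not exist."""
    try:
        records = list(lookup_txt(verification_name(domain)))
    except Exception:                 # NXDOMAIN, timeout: treat as unverified
        return False
    expected = (VALUE_PREFIX + expected_token).encode()
    for raw in records:
        value = _unquote_txt(raw)
        if not value.startswith(VALUE_PREFIX):
            continue                  # unrelated TXT record at the same name
        # constant-time comparison so timing does not reveal how much matched
        if hmac.compare_digest(value.encode(), expected):
            return True
    return False

# Constructed sample zone standing in for a live resolver (not real DNS data).
SAMPLE_ZONE = {
    "_penscan-verify.acmecorp.com": [
        '"v=spf1 -all"',                                          # ignored
        '"penscan-verify=a8f3c2d1-4b9e-4c7f-9a2b-d5e8f1a3b6c4"',  # matches
    ],
    "_penscan-verify.staging.acmecorp.com": [
        '"penscan-verify=00000000-0000-0000-0000-000000000000"',  # stale token
    ],
}

def sample_lookup(name):
    if name not in SAMPLE_ZONE:
        raise LookupError(f"NXDOMAIN {name}")   # mimic a missing record
    return SAMPLE_ZONE[name]
```

To run it against real DNS, pass a lookup that wraps your resolver (for example the TXT strings returned by `dig +short TXT _penscan-verify.acmecorp.com`) in place of sample_lookup.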

Step 3 — Configure and launch your scan

With your target verified, go to Scans → New scan. Select your target and choose your configuration:

  • Standard scan — all 7 engines, balanced depth. Recommended for most teams.
  • Deep scan — extended crawl depth and more aggressive probing. Takes longer but finds more.
  • Quick scan — Nmap + Nuclei only. Good for a fast check on a specific target.

For your first scan, choose Standard. Click Launch scan. PenScan will now run OWASP ZAP, Nuclei, Wapiti, Nikto, SSLyze, Nmap, and Dalfox concurrently against your verified target.

What happens during the scan

Each engine runs in its own isolated container. ZAP actively crawls and probes your application. Nuclei checks against 5,000+ vulnerability templates. SSLyze checks your TLS configuration. The dashboard shows live progress from each engine. You can safely close the tab — the scan runs server-side and you'll get an email when it's complete.

Step 4 — Read your results

When the scan completes (typically 20–30 minutes for a standard external assessment), you’ll find your results in Vulnerabilities. Here’s how to read them:

Severity levels

Every finding has a CVSS-based severity score:

  • Critical (9.0–10.0) — Fix immediately. These represent direct paths to data breach or full system compromise.
  • High (7.0–8.9) — Fix this sprint. Significant risk that could be exploited with moderate effort.
  • Medium (4.0–6.9) — Fix within 30 days. Real risk but requires specific conditions or attacker skill.
  • Low (0.1–3.9) — Fix when convenient. Defence-in-depth improvements.

What to fix first

Sort by severity (Critical → High) and start there. For each finding, PenScan shows you the affected URL or parameter, the evidence the scanner found, and a remediation recommendation. Critical and High findings almost always have concrete, specific fixes — often a single line of code or a configuration change.

Step 5 — Verify your fixes with a re-scan

Once you’ve addressed Critical and High findings, run another scan. PenScan will show whether the vulnerability is still present. When a finding is no longer detected, mark it as resolved in the dashboard — this creates a verified remediation record for your audit trail.

Pro tip

Set up a recurring scan on a monthly cadence. Security is not a one-time event — new vulnerabilities are introduced with every deployment. Monthly scans catch regressions before your users (or attackers) do.

Summary

  • Add your domain at app.penscan.org (2 min)
  • Add the DNS TXT record to verify ownership (2–5 min)
  • Launch a Standard scan (1 min)
  • Wait for results — typically 20–30 min
  • Sort by Critical/High and start fixing
  • Re-scan to verify each fix