Stages of an application pentest

It is important to understand the stages of an application pentest, as this lays the groundwork and ensures that the pentester covers all possible endpoints and scans efficiently. A web application pentest is broadly divided into the following stages:

  • Planning and reconnaissance
  • Client end code analysis
  • Manual testing
  • Automated testing
  • Exploiting discovered issues
  • Digging deep for data exfiltration
  • Taking shells
  • Reporting

Among these stages, planning and reconnaissance is the most important, because a tester might otherwise miss critical entry points into the application, and those areas might go untested. Let's explore in a little more detail what happens in each stage.
