- Explore network - find open ports and the like
- Explore site - find all possible pages on the site - using common name and such. Also crawl urls on found pages for internal urls. Make note of posts/puts etc
- Analyse network - look at common security vulnerabilities for port
- Analyse requests - look at cookies and formdata start giving different data and checking response code {ML}