Core Impact puts a vise grip on vulnerabilities

28.04.2006

Penetration testers are walked through a series of steps that mimic the "hacker methodology":

Information Gathering, Attack & Penetration, Local Information Gathering, Privilege Escalation, etc. Information gathering and device discovery are fair: the product offers several TCP/IP scan types (SYN, TCP connect, ICMP [Internet Control Message Protocol]), but it isn't as thorough as some competitors, which also use SNMP and other discovery methods to be more accurate. However, you can import host lists from other discovery tools, such as GFI's LANguard (http://www.gfi.com/languard) and the open source Nmap (http://www.insecure.org/nmap).

Discovery continues on each host with a port scan. In what I think is a smart choice, the default port list matches only the ports that Core Impact will actually use for exploitation, but you can easily create a custom port list or scan just the most common TCP and UDP (User Datagram Protocol) ports. Full-service enumeration then verifies the protocol running on each open port rather than assuming it from the port number.

While it will not tell you which Web server product is listening on port 80, Core Impact will verify that the protocol spoken there is HTTP, and it recognizes protocols on non-default ports as well. For example, it will identify a Remote Desktop Protocol (RDP) service even when it is not running on its default TCP port, 3389.
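To make concrete what "verify the protocol rather than trust the port" means, here is a small added example of protocol-based service identification. It is not Core Impact's code and does not reflect how the product implements its enumeration; it is the kind of check a scanner performs. The probes and signatures are taken from the public protocol definitions (an HTTP/1.x status line, the SSH identification string, and an RDP connection confirm carried in a TPKT header), and the sample responses are constructed for the demonstration, not captured from a real host.

```python
"""Identify a service by what it speaks, not by the port it listens on.

Added example for this review; not Core Impact's code. Probe and
signature choices are the reviewer's assumptions drawn from the public
specs (HTTP/1.x, RFC 4253 SSH, RFC 1006 TPKT carrying X.224 for RDP).
"""
import re
import socket

# Probes a scanner sends to elicit a response. Both are harmless first
# messages of their protocol: an HTTP request line, and an X.224
# Connection Request (the first packet of an RDP handshake) inside a
# TPKT header (version 3, reserved 0, 16-bit length = 11).
PROBES = {
    "http": b"GET / HTTP/1.0\r\n\r\n",
    "rdp": bytes.fromhex("0300000b" "06e00000000000"),
}

# The naive mapping: what a port "should" be, per its default assignment.
DEFAULT_PORTS = {22: "ssh", 80: "http", 443: "https", 3389: "rdp"}


def identify_service(response: bytes) -> str:
    """Classify a server's reply by protocol signature, ignoring the port."""
    # HTTP: a status line such as "HTTP/1.1 200 OK".
    if re.match(rb"HTTP/1\.[01] \d{3} ", response):
        return "http"
    # SSH: the server sends its identification string first (RFC 4253).
    if response.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # RDP: TPKT header (0x03, 0x00, length) whose length matches the data,
    # followed by an X.224 TPDU whose code nibble is 0xD (Connection Confirm).
    if len(response) >= 6 and response[0] == 3 and response[1] == 0:
        tpkt_len = int.from_bytes(response[2:4], "big")
        if tpkt_len == len(response) and (response[5] & 0xF0) == 0xD0:
            return "rdp"
    return "unknown"


def classify_by_port(port: int) -> str:
    """The assumption a port-only scan makes."""
    return DEFAULT_PORTS.get(port, "unknown")


def classify_scan(responses: dict) -> dict:
    """Return {port: (port-based guess, protocol-based identification)}."""
    return {port: (classify_by_port(port), identify_service(data))
            for port, data in responses.items()}


def probe_service(host: str, port: int, timeout: float = 3.0) -> str:
    """Live version: connect, read any banner, then try each probe in turn."""
    for probe in (b"",) + tuple(PROBES.values()):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                if probe:
                    s.sendall(probe)
                try:
                    data = s.recv(1024)
                except socket.timeout:
                    data = b""
        except OSError:
            return "closed"
        found = identify_service(data)
        if found != "unknown":
            return found
    return "unknown"


# Constructed replies, as if received on the listed ports. None are real
# captures. 3390 carries an RDP Connection Confirm on a non-default port;
# 8080 answered nothing.
CONSTRUCTED_RESPONSES = {
    80: b"HTTP/1.1 200 OK\r\nServer: x\r\n\r\n",
    8081: b"HTTP/1.0 302 Found\r\nLocation: /login\r\n\r\n",
    2222: b"SSH-2.0-OpenSSH_7.4\r\n",
    3389: bytes.fromhex("0300000b" "06d00000123400"),
    3390: bytes.fromhex("0300000b" "06d00000123400"),
    8080: b"",
}

if __name__ == "__main__":
    for port, (by_port, by_proto) in sorted(classify_scan(CONSTRUCTED_RESPONSES).items()):
        print(f"{port:>5}  port says {by_port:<8} protocol says {by_proto}")
```

Running the sample shows the difference in practice: port 3390 is "unknown" by port number but identified as RDP by its reply, and port 3389 is confirmed rather than assumed. The same signature logic, like the review notes, still cannot tell Apache from IIS; that needs product-level fingerprinting on the banner and response headers, which this check deliberately does not attempt.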

OS fingerprinting is provided within the product using a licensed copy of the Nmap OS fingerprinting database. It would be nice to see application fingerprinting added as well, so you could identify the actual Web server product (Apache, IIS, etc.) rather than just the protocol.