Once the host IP addresses are gathered, the tester then chooses what exploits to execute and how aggressive they should to be. Testers can choose to enable or disable penetration tests that take a long time, like a password brute force.

If the product is able to exploit the intended victim and gain access, a small, memory-only agent is executed on the host. This agent is called Level 0. Once the agent is installed, the remote tester can pillage and plunder the compromised host, escalate privileges if needed, dump password hashes, install a keylogger, take screenshots, enumerate users and groups, and so on.

The agent allows a mini-shell to be installed with a limited series of commands (list, copy, move, rename, upload, download, and execute a command). The remote agent and mini-shell can be installed remotely using non-exploitation techniques (NetBIOS, Telnet, rlogin, etc.) as well as remotely uninstalled, removing all traces of its existence.

Customized groups of exploits can be gathered into a single macro. Client-side attacks are simulated by connecting to the remotely installed agent, which then runs the exploit locally (often in Internet Explorer).

But the real value of any commercial vulnerability scanner is how well the exploits are crafted. Taking nothing away from the incredible team members at Metasploit and Nessus, Core Security Technologies has a highly paid staff of creators and a highly paid staff of QA reviewers. They research and create highly reliable and more functional exploits.