- Examine and analyze info gathered during info gathering phase - Four types of analysis: - descriptive - diagnostic - predictive - prescriptive - Vulnerability research and analysis - look to the following sources for vulnerability disclosures on each component - CVEdetails - exploit db - vulners - packet storm security - NIST - understand the functionality of PoC code as it may require modification