The information is used to plan and steer the assessment.
Mapping the web application and API comes next and includes the enumeration of directories/subdomains, associated routes and other endpoints, authentication/authorization mechanisms, session management, and more.
Discovery consists of using the gathered information to find known vulnerability classes as well as finding new ways to potentially compromise the application.
Exploitation comprises actual attempts to exploit the discovered vulnerabilities and misconfigurations found in the previous steps.