Common Penetration Testing Methodologies and Other Standards

By Mark D. Albin, MS

A penetration test is only as good as the methodology behind it. Following an established standard ensures testing is consistent, repeatable, and covers the areas that matter most, rather than depending on the instincts of whoever happens to be running the test. Below are some of the most widely used and actively maintained penetration testing methodologies and standards.

Common Penetration Testing Methodologies

MITRE ATT&CK

The MITRE ATT&CK framework is an invaluable resource for understanding adversary tactics, techniques, and procedures (TTPs). It's a continuously evolving knowledge base, updated regularly with new findings from real-world observations of cyber adversary behavior. This framework serves various purposes, from red teaming and threat hunting to incident response and security assessment, offering a practical approach to cybersecurity.

OWASP WSTG

The OWASP Web Security Testing Guide (WSTG) is a community-driven, comprehensive guide for web application security testing. It provides detailed scenarios for testing vulnerabilities, methodologies for both automated and manual testing, and best practices for secure coding and application design. Its community-driven approach ensures it stays updated with the latest threats and countermeasures.

NIST SP 800-115

Special Publication (SP) 800-115 by NIST offers comprehensive guidelines covering the technical, management, and reporting aspects of information security testing. It emphasizes a holistic approach, aligning testing processes with business objectives and regulatory requirements, and provides detailed guidance on reporting and follow-up for identified vulnerabilities.

OSSTMM

The Open Source Security Testing Methodology Manual (OSSTMM) provides a robust framework for repeatable and consistent security testing. It covers a wide range of areas including operational security metrics, trust analysis, various forms of security testing (such as human, physical, wireless), and compliance regulations. The OSSTMM is notable for its comprehensive approach to security testing, emphasizing a structured and methodical process.

PTES

The Penetration Testing Execution Standard (PTES) is a detailed framework that encompasses the entire process of a penetration test, from pre-engagement interactions to post-exploitation and reporting. It guides testers on the latest attack types, methods, and tools. PTES is distinguished by its focus on the entire lifecycle of penetration testing, offering a thorough perspective on each stage of the testing process.

CREST

CREST is an international accreditation body that certifies both penetration testing organizations and individual testers against a defined code of conduct and technical standard. Rather than a testing methodology in itself, CREST accreditation gives organizations a way to verify that a testing provider follows recognized, audited processes, which makes it especially useful when selecting a third-party penetration testing vendor or meeting vendor-assurance requirements.

Choosing the Right Methodology

The right methodology depends on what's being tested. For web applications, the OWASP WSTG offers the most detailed, application-specific guidance. For network and infrastructure testing or red team engagements, PTES and MITRE ATT&CK pair well together - PTES structures the engagement while ATT&CK maps observed techniques to real adversary behavior. For compliance-driven testing, NIST SP 800-115 aligns most closely with regulatory reporting expectations, an approach also reflected in the NIST Cybersecurity Framework 2.0. When evaluating outside vendors, CREST accreditation is a useful baseline to look for regardless of which testing methodology they follow.

Methodology is only part of the picture - the tools used during testing matter too. Our articles on Nmap in Cybersecurity Practices and Understanding Open Source Cybersecurity Tools cover some of the tooling that supports these methodologies in practice.

Looking to have your environment assessed against one of these standards? Our Managed IT Services team can help scope and coordinate a penetration test suited to your organization.

Common Penetration Testing Methodologies and Other Standards | IT Master Services