
Penetration Testing Methodologies — PTES, OWASP, and NIST Frameworks

What Are Penetration Testing Methodologies and Why Do They Matter?


The Penetration Testing Execution Standard (PTES) defines the industry-standard 7-phase lifecycle for professional pen test engagements, while NIST SP 800-115 provides the US government’s authoritative guidance on information security testing and assessment. The OWASP Testing Guide v4.2 adds 91 purpose-built test cases for web application security.

Penetration testing methodologies provide the structured frameworks that transform ad hoc hacking into repeatable, professional security assessments. Without a methodology, testers miss critical areas, produce inconsistent results, and deliver reports that cannot be compared across engagements. A methodology ensures every test follows the same process, every finding is rated consistently, and every report meets a recognised standard.

For career changers, understanding methodologies is what separates someone who can use Metasploit from someone who can run a professional engagement. Employers and clients do not hire hackers — they hire professionals who follow established frameworks.

When I started studying pen testing, I thought the value was in the tools and exploits. It took reading my first real engagement report to realise the methodology was the product. The client did not care which exploit was used — they cared that every system in scope was tested, every finding was rated against an industry standard, and the report told them exactly what to fix and in what order. That is what a methodology delivers: professionalism, consistency, and trust.

Certification objectives: CompTIA PenTest+ PT0-002 covers PTES, OWASP, and NIST methodologies (Domain 1). CompTIA Security+ SY0-701 addresses pen testing concepts (Domain 4.1). OSCP validates methodology through its hands-on exam structure. CEH v13 covers kill chain and MITRE ATT&CK mapping.

What Do Real-World Methodology Failures Look Like?


OSSTMM v3 argues that the most common cause of ineffective security testing is misalignment between methodology and engagement scope: using a general-purpose framework for a specialised assessment, or no framework at all.

Different engagements require different methodologies. Choosing the wrong framework — or none at all — leads to incomplete assessments and wasted budget.

Scenario | Wrong approach | Right methodology | Outcome
Web application pen test for an e-commerce site | Used PTES network methodology on a web app; missed OWASP Top 10 categories entirely | OWASP Testing Guide — purpose-built for web application security | All 10 OWASP Top 10 categories tested; SQL injection and broken access control found and reported
Government infrastructure assessment in Australia | Tester used an informal methodology with no documentation trail | NIST SP 800-115 + ACSC guidance — structured, auditable, meets government compliance | Assessment accepted by IRAP assessors; findings mapped to ASD Essential Eight controls
Annual PCI DSS pen test for a payment processor | Tester ran automated scans only, with no manual exploitation | PTES with manual exploitation phase — PCI DSS requires demonstrated exploitation, not just scanning | Passed PCI audit; three chained vulnerabilities found that scanners missed entirely
Red team exercise for a financial institution | Tester followed a linear methodology with no adversary emulation | MITRE ATT&CK framework — maps to real adversary tactics, techniques, and procedures | Realistic simulation of an APT group; tested detection across 12 ATT&CK techniques
Startup security assessment with limited budget | Client requested a full PTES engagement but only funded 3 days | Scoped OWASP Testing Guide focused on critical application paths only | High-impact findings identified within budget; client given a roadmap for future comprehensive testing
Post-breach assessment after a ransomware incident | Tester began with reconnaissance as if the network were unknown | NIST SP 800-115 — adapted for the post-incident context with focus on persistence and lateral movement | Found three backdoors the incident response team missed; confirmed the attacker's entry vector

How Do Penetration Testing Methodologies Work?


NIST SP 800-115 defines three categories of security testing techniques — review, target identification and analysis, and target vulnerability validation — that provide the conceptual foundation for all major pen testing methodologies.

The Analogy: Building Codes for Security Testing


Think of pen testing methodologies like building codes for construction. A builder could technically construct a house without following any code — and it might even stand up. But without codes, there is no guarantee the foundations are deep enough, the wiring is safe, or the structure will survive a storm. Building inspectors use codes to evaluate whether the work meets a known standard.

Pen testing methodologies are the building codes of offensive security. They tell you what to test, in what order, to what depth, and how to report the results. When a client receives a PTES-compliant pen test report, they know the assessment followed a recognised, repeatable standard — just as a homeowner knows a code-compliant building was inspected to a defined standard.

Methodology | Full name | Focus | Best for
PTES | Penetration Testing Execution Standard | End-to-end pen test lifecycle (7 phases) | General-purpose network and infrastructure pen tests
OWASP Testing Guide | OWASP Web Security Testing Guide (WSTG), published by the Open Web Application Security Project | Web application security (12 categories, 91 test cases in v4.2) | Web app and API security assessments
OSSTMM | Open Source Security Testing Methodology Manual | Measurable security through operational testing | Telecommunications, physical security, wireless testing
NIST SP 800-115 | Technical Guide to Information Security Testing and Assessment | Government and enterprise security assessments | Compliance-driven testing, US/Australian government contexts

Beyond test execution, two frameworks help pen testers model adversary behaviour:

Framework | Purpose | How pen testers use it
Cyber Kill Chain (Lockheed Martin) | Models 7 stages of an intrusion from reconnaissance to actions on objectives | Maps pen test activities to attacker phases; helps communicate findings to defenders
MITRE ATT&CK | Catalogues 200+ real-world adversary techniques across 14 enterprise tactics | Maps specific pen test techniques to documented adversary behaviour; validates detection coverage

Step-by-Step: Understanding Each Methodology


The Penetration Testing Execution Standard defines seven phases that cover an engagement from start to finish.

  1. Pre-engagement interactions. Define scope, objectives, rules of engagement, timelines, and legal agreements. This is the contract phase — nothing happens without signed authorisation.

  2. Intelligence gathering. Collect information about the target through passive and active reconnaissance. OSINT, DNS enumeration, technology fingerprinting, organisational structure, employee information from public sources.

  3. Threat modelling. Analyse gathered intelligence to identify the most likely attack paths. Which assets are most valuable? Which systems are most exposed? What would a real attacker target first?

  4. Vulnerability analysis. Identify vulnerabilities through automated scanning, manual testing, and research. Cross-reference findings with the threat model to prioritise exploitation attempts.

  5. Exploitation. Attempt to exploit identified vulnerabilities to gain access. Document every step, capture evidence, and stay within scope. This is where theoretical risk becomes demonstrated impact.

  6. Post-exploitation. From the exploited foothold, assess what an attacker could achieve: privilege escalation, lateral movement, data exfiltration, persistence. Determine the true business impact.

  7. Reporting. Deliver the executive summary and technical findings. Each finding includes severity rating, evidence, reproduction steps, and remediation guidance. The report is the primary deliverable — it is what the client pays for.

The OWASP Testing Guide is specifically designed for web application security testing. Version 4.2 organises testing into 12 categories with 91 individual test cases.

The twelve categories are:

  • Information gathering — technology fingerprinting, application mapping, entry point identification
  • Configuration and deployment management — default credentials, directory listing, HTTP methods, TLS configuration
  • Identity management — user registration, account provisioning, role definitions
  • Authentication — credential testing, session management, multi-factor bypass attempts
  • Authorisation — privilege escalation, insecure direct object references (IDOR), forced browsing
  • Session management — cookie attributes, session fixation, timeout testing
  • Input validation — SQL injection, cross-site scripting (XSS), command injection, file inclusion
  • Error handling — information leakage through error messages
  • Cryptography — weak algorithms, improper certificate validation
  • Business logic — workflow bypasses, race conditions, price manipulation
  • Client-side testing — DOM-based XSS, JavaScript injection, clickjacking
  • API testing — GraphQL endpoints (the category added in v4.2)
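The authorisation tests above (IDOR, forced browsing, privilege escalation) all reduce to one question: does each identity get exactly the access it should, and nothing more? The Python below is an added example written for this page, not code from the OWASP project or the WSTG. It encodes an expected-access matrix, replays every in-scope request with every session (including no session), and flags any 2xx granted to an identity the matrix does not allow. The fetch function and the in-memory application it runs against are constructed stand-ins: the fake application checks that the caller is logged in but deliberately omits the ownership check on /api/user/<id>, which is the bug the matrix test is expected to surface. Session names, paths and user records are made up.

```python
"""Authorisation matrix tester: added example for this page, not code from OWASP.
Encodes who may reach which resource, replays every request with every identity,
and reports each response that grants more than the matrix allows (the check
behind the WSTG authorisation tests for IDOR and forced browsing)."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

Session = Optional[str]                                # None = unauthenticated request
Fetch = Callable[[str, Session], Tuple[int, str]]     # (path, session) -> (status, body)

# ---- Constructed stand-in for the target (assumption: there is no real service) ----
SESSIONS: Dict[Session, Tuple[Optional[str], str]] = {
    "sess-alice": ("alice", "user"),
    "sess-bob": ("bob", "user"),
    "sess-admin": ("admin", "admin"),
    None: (None, "anonymous"),
}
USER_RECORDS = {1: ("alice", "alice@example.com"), 2: ("bob", "bob@example.com")}


def fake_fetch(path: str, session: Session) -> Tuple[int, str]:
    """Simulated GET. /api/user/<id> checks that the caller is logged in but never
    that the record belongs to them (the IDOR); /api/admin/users checks the role."""
    user, role = SESSIONS.get(session, (None, "anonymous"))
    if path.startswith("/api/user/"):
        if user is None:
            return 401, "login required"
        record = USER_RECORDS.get(int(path.rsplit("/", 1)[1]))
        if record is None:
            return 404, "no such user"
        return 200, f"{record[0]} <{record[1]}>"   # missing: owner == user check
    if path == "/api/admin/users":
        return (200, str(USER_RECORDS)) if role == "admin" else (403, "forbidden")
    return 404, "not found"


# ---- Reusable part: the matrix check ----
@dataclass(frozen=True)
class Violation:
    path: str
    session: Session
    status: int
    reason: str


def check_matrix(fetch: Fetch, matrix: Dict[str, Set[Session]],
                 sessions: Iterable[Session]) -> List[Violation]:
    """matrix maps each path to the sessions that SHOULD get a 2xx; every other
    session must be refused. A 2xx for a disallowed identity is an access-control
    bypass. A refusal for an allowed identity is reported too, because it usually
    means an expired session or a wrong matrix, either of which would hide bypasses."""
    violations: List[Violation] = []
    for path, allowed in matrix.items():
        for session in sessions:
            status, _ = fetch(path, session)
            granted = 200 <= status < 300
            if granted and session not in allowed:
                violations.append(Violation(path, session, status, "granted to unauthorised identity"))
            elif not granted and session in allowed:
                violations.append(Violation(path, session, status, "allowed identity was refused"))
    return violations


def run_example() -> List[Violation]:
    """Matrix for the constructed app: users see only their own record, admin sees all."""
    matrix: Dict[str, Set[Session]] = {
        "/api/user/1": {"sess-alice", "sess-admin"},
        "/api/user/2": {"sess-bob", "sess-admin"},
        "/api/admin/users": {"sess-admin"},
    }
    return check_matrix(fake_fetch, matrix, list(SESSIONS))


if __name__ == "__main__":
    # Expected: bob reading /api/user/1 and alice reading /api/user/2 are both flagged.
    for v in run_example():
        print(f"{v.path} as {v.session or 'anonymous'} -> {v.status}: {v.reason}")
```

Against a live target, fetch would wrap something like requests.get(base_url + path, cookies={"session": session}) and return (r.status_code, r.text); the matrix logic does not change. The matrix is the deliverable as much as the violations are: it forces the tester and the client to agree, before any request is sent, on who is supposed to see what.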

OWASP also maintains the OWASP Top 10 — a regularly updated list of the most critical web application security risks. The 2021 edition includes broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and server-side request forgery.

NIST SP 800-115 provides guidance for planning and conducting technical information security assessments. It is widely referenced in government and enterprise contexts, particularly in the US and Australia.

NIST groups assessment techniques into three categories:

  • Review techniques — documentation review, log review, rule set review, configuration review
  • Target identification and analysis — network discovery, vulnerability scanning, wireless scanning
  • Target vulnerability validation — password cracking, penetration testing, social engineering (with appropriate authorisation)

NIST SP 800-115 emphasises planning, coordination with system owners, and thorough documentation. It is less prescriptive about specific exploitation techniques than PTES but provides stronger guidance on governance, risk management, and reporting within an organisational context.

The Open Source Security Testing Methodology Manual (version 3) takes a different approach from the other frameworks. Rather than focusing on finding vulnerabilities, OSSTMM measures the attack surface and operational security controls. It quantifies security through metrics called “ravs” (Risk Assessment Values).

OSSTMM covers five channels:

  • Human security (social engineering, personnel awareness)
  • Physical security (access controls, surveillance, environmental)
  • Wireless communications (WiFi, Bluetooth, RF)
  • Telecommunications (VoIP, PBX, fax)
  • Data networks (the traditional pen test scope)

OSSTMM is less commonly used for standard pen tests but is valuable for organisations that want a measurable, repeatable security assessment methodology that extends beyond just network and application testing.

Pen testers need standardised methods to rate the severity of findings. Two models are widely used:

CVSS v3.1 (Common Vulnerability Scoring System)

Metric group | What it measures | Examples
Base score | Inherent severity of the vulnerability | Attack vector (network/adjacent/local/physical), attack complexity, privileges required, user interaction, scope, impact on confidentiality, integrity and availability
Temporal score | Factors that change over time | Exploit code maturity, remediation level, report confidence
Environmental score | Organisation-specific context | Modified base metrics and confidentiality/integrity/availability requirements reflecting asset criticality and existing controls

CVSS base scores range from 0.0 to 10.0 and map to qualitative ratings:

  • Critical (9.0–10.0): Unauthenticated remote code execution, full system compromise
  • High (7.0–8.9): Authenticated RCE, full database access, privilege escalation to admin
  • Medium (4.0–6.9): Stored XSS, CSRF, information disclosure of sensitive data
  • Low (0.1–3.9): Information disclosure of non-sensitive data, missing security headers
  • None (0.0): No confidentiality, integrity or availability impact; informational only

DREAD Model

DREAD provides a simpler, more intuitive scoring approach using five factors rated 1–10:

Factor | Question | Scoring
Damage | How bad is the impact if exploited? | 1 (minimal) to 10 (complete system compromise)
Reproducibility | How easy is it to reproduce the exploit? | 1 (very difficult) to 10 (every time, trivially)
Exploitability | How easy is it to exploit? | 1 (requires deep expertise) to 10 (script kiddie level)
Affected users | How many users are impacted? | 1 (single user) to 10 (all users)
Discoverability | How easy is it to discover? | 1 (requires insider knowledge) to 10 (publicly visible)

The average of these five scores gives the overall DREAD rating. While less granular than CVSS, DREAD is useful for quickly triaging findings during an engagement and is easier to explain to non-technical stakeholders.

How Do Methodologies Fit Into a Security Architecture?


PTES and NIST SP 800-115 both position penetration testing within a broader security assessment programme that includes vulnerability management, configuration review, and compliance auditing — each methodology serving a complementary architectural role.

PTES — Penetration Testing Execution Standard

Seven phases that structure a professional pen test engagement from contract to report:

  1. Pre-engagement: scope definition, legal agreements, rules of engagement
  2. Intelligence gathering: OSINT collection, active recon, technology fingerprinting
  3. Threat modelling: asset identification, attack path analysis, prioritisation
  4. Vulnerability analysis: automated scanning, manual testing, research and correlation
  5. Exploitation: exploit execution, proof of concept, evidence capture
  6. Post-exploitation: privilege escalation, lateral movement, impact assessment
  7. Reporting: executive summary, technical findings, remediation guidance

PTES vs OWASP Testing Guide

PTES
  • General-purpose: covers network, infrastructure, and application testing
  • 7-phase lifecycle: end-to-end from pre-engagement to reporting
  • Threat modelling included: dedicated phase for attack path analysis
  • Exploitation focus: emphasises demonstrating real-world impact

OWASP Testing Guide
  • Web-app specific: purpose-built for web applications and APIs
  • 12 test categories: 91 individual test cases covering the major web attack classes
  • OWASP Top 10 aligned: maps directly to the most critical web risks
  • Defensive guidance: each test case includes remediation recommendations

Verdict: Use PTES for infrastructure and network pen tests. Use OWASP Testing Guide for web application assessments. Many engagements combine both.

Use case: PTES structures the overall engagement. OWASP provides depth for the web application components within that engagement.

What Do Penetration Testing Methodologies Look Like in Practice?


The OWASP Testing Guide v4.2 provides 91 individual test cases with specific instructions, expected results, and remediation guidance — demonstrating how a structured methodology translates into practical testing activities.

Mapping Pen Test Activities to PTES Phases

# Phase 2: Intelligence gathering — passive OSINT (email addresses, hosts, names from public sources)
theHarvester -d example.com -b google,linkedin,dnsdumpster -l 200
# Phase 2: Intelligence gathering — subdomain enumeration from passive sources (no packets to the target)
subfinder -d example.com -o subdomains.txt
amass enum -passive -d example.com
# Phase 2 (active recon): service and version discovery across the in-scope range.
# The output feeds Phase 3 threat modelling: which exposed services sit in front of the most valuable assets?
nmap -sV -sC --top-ports 1000 -oN nmap_scan.txt 192.168.1.0/24
# Phase 4: Vulnerability analysis — automated scanning.
# Nessus and OpenVAS are launched from their web UI or REST API rather than a one-line scan command;
# the exported scanner report is what goes into the findings workbook. Web server misconfiguration check:
nikto -h http://target.example.com -o nikto_results.html -Format htm

# Authentication testing — online password guessing against a login form (authorised target only).
# hydra takes the host as its own argument; the module string is path:POST-body:failure-marker
hydra -l admin -P /usr/share/wordlists/rockyou.txt target.example.com http-post-form \
  "/login:username=^USER^&password=^PASS^:F=Invalid credentials"
# SQL injection testing with sqlmap. --risk=3 enables OR-based payloads that can modify or delete rows
# when injected into UPDATE/DELETE statements, so agree it with the client first or stay at --risk=1 on production data.
sqlmap -u "http://target.example.com/product?id=1" --batch --risk=3 --level=5
# XSS testing — reflected XSS detection
# Manual: inject a marker such as <script>alert('XSS')</script> into every parameter and look for it unencoded in the response
# Automated: Burp Suite Active Scanner or OWASP ZAP
# Directory traversal testing (a 200 whose body starts with "root:x:0:0" confirms the read)
curl "http://target.example.com/download?file=../../../../etc/passwd"
# IDOR testing — replay the same request with one session and change only the object ID;
# a 200 carrying another user's record is a broken access control finding
curl -H "Cookie: session=YOUR_SESSION" "http://target.example.com/api/user/1"
curl -H "Cookie: session=YOUR_SESSION" "http://target.example.com/api/user/2"

# Example: mapping pen test findings to ATT&CK techniques (tactic in brackets)
Finding: Phishing email with malicious macro delivered to finance team
-> T1566.001 Spearphishing Attachment (Initial Access)
Finding: Macro executed a PowerShell reverse shell
-> T1059.001 PowerShell (Execution)
Finding: Mimikatz used to dump credentials from LSASS memory
-> T1003.001 LSASS Memory (Credential Access)
Finding: Stolen credentials used to access a file server over SMB
-> T1021.002 SMB/Windows Admin Shares (Lateral Movement)
Finding: Sensitive documents exfiltrated over the existing HTTPS C2 channel
-> T1041 Exfiltration Over C2 Channel (Exfiltration)

# Finding: SQL injection in login form allowing full database extraction
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Breakdown:
Attack Vector (AV): Network — exploitable remotely
Attack Complexity (AC): Low — no special conditions needed
Privileges Required (PR): None — unauthenticated
User Interaction (UI): None — no victim action needed
Scope (S): Unchanged — impact limited to the vulnerable component's own authorisation scope
Confidentiality (C): High — full database read access
Integrity (I): High — can modify database contents
Availability (A): None — no service disruption demonstrated
Base Score: 9.1 (Critical)

Legal and ethical warning: Only use these tools and techniques on systems you own or have explicit written authorisation to test. Unauthorised testing is a criminal offence under the Criminal Code Act 1995 (Australia), the Computer Fraud and Abuse Act (US), and the Computer Misuse Act 1990 (UK). Practise in lab environments such as DVWA, WebGoat, TryHackMe, and Hack The Box.

What Are the Limitations of Penetration Testing Methodologies?


PTES acknowledges that methodologies are guidelines, not rigid scripts — effective pen testing requires adapting the framework to the specific engagement context rather than following a checklist mechanically.

Factor | Consideration | Common failure
One methodology for all engagements | Each methodology has strengths for specific engagement types | Using PTES for a web-only test misses OWASP depth; using OWASP for network testing misses infrastructure
Methodology without adaptation | Frameworks are guidelines, not rigid scripts | Following a checklist without critical thinking misses creative attack paths that real adversaries would find
Over-reliance on CVSS scores | CVSS measures technical severity, not business risk | A "Medium" CVSS finding on a system processing credit cards may be a critical business risk
Ignoring the Cyber Kill Chain | Findings reported in isolation without showing attack chains | Client cannot see how three "Medium" findings chain together into a "Critical" compromise path
Skipping threat modelling | Testers jump straight from recon to exploitation | Testing every service equally wastes time; threat modelling focuses effort on the highest-value targets
DREAD subjectivity | DREAD scores depend on the assessor's judgement | Two testers may rate the same finding differently; CVSS provides more consistent scoring
Methodology compliance vs value | Client wants a compliance checkbox rather than genuine security improvement | Tester produces a compliant report that passes audit but does not find the real vulnerabilities
No methodology versioning | Using outdated methodology versions | OWASP Top 10 2017 misses risks identified in the 2021 version; always use current editions

What Interview Questions Should You Expect About Pen Testing Methodologies?


CompTIA PenTest+ PT0-002 Domain 1 (Planning and Scoping) directly tests knowledge of PTES, OWASP, NIST SP 800-115, and MITRE ATT&CK — making methodology questions among the most common in pen testing interviews.

Understanding methodologies demonstrates professionalism. Interviewers use these questions to gauge whether you can operate within a structured framework.

Q1: What is PTES and what are its seven phases?

Strong answer: “PTES is the Penetration Testing Execution Standard. Its seven phases are: pre-engagement interactions (scope and legal), intelligence gathering (recon), threat modelling (attack path analysis), vulnerability analysis (finding weaknesses), exploitation (proving impact), post-exploitation (assessing full compromise potential), and reporting (delivering actionable findings). Each phase builds on the previous one, and skipping phases — especially pre-engagement and reporting — undermines the entire engagement.”

Q2: When would you use OWASP Testing Guide instead of PTES?

Strong answer: “OWASP Testing Guide is purpose-built for web application security, with 91 test cases across 12 categories covering everything from authentication to business logic. I would use it when the engagement is focused on a web application or API. For a broader infrastructure test, I would use PTES as the overall framework and incorporate OWASP for the web application components within the engagement. They complement each other.”

Q3: Explain how you would calculate a CVSS score for a finding.

Strong answer: “I would evaluate the base score metrics: attack vector (is it network-accessible or local only?), attack complexity (are special conditions needed?), privileges required, user interaction needed, scope change, and impact on confidentiality, integrity, and availability. For example, an unauthenticated SQL injection accessible over the network with high confidentiality and integrity impact would score around 9.1 — Critical. I would also note any temporal and environmental factors that might adjust the score for the client’s specific context.”

Q4: What is MITRE ATT&CK and how does it relate to pen testing?

Strong answer: “MITRE ATT&CK is a knowledge base of real-world adversary tactics, techniques, and procedures. It catalogues over 200 techniques across 14 tactics like initial access, execution, persistence, and exfiltration. Pen testers use it to map their activities to documented adversary behaviour, which helps clients understand whether their defences can detect real attack techniques. It also helps structure red team exercises around specific threat actors’ known TTPs.”

Q5: What is the difference between CVSS and DREAD for risk scoring?

Strong answer: “CVSS is a standardised, granular scoring system that evaluates technical severity across multiple metrics like attack vector, complexity, and CIA impact. It produces consistent scores regardless of the assessor. DREAD is simpler — it rates five intuitive factors (Damage, Reproducibility, Exploitability, Affected users, Discoverability) on a 1-to-10 scale and averages them. CVSS is the industry standard for formal reports, but DREAD can be useful for quick triage and explaining risk to non-technical stakeholders.”

How Are Methodologies Used in Real Security Operations?


The ACSC (Australian Cyber Security Centre) recommends that penetration testing engagements use established methodologies (PTES, OWASP, NIST SP 800-115) and that testers hold recognised certifications (CREST, OSCP, or equivalent) to ensure professional, repeatable results.

In production security operations, methodology selection depends on the engagement type, client requirements, and regulatory context:

  • Network infrastructure pen test — PTES as the primary framework, supplemented by NIST SP 800-115 for governance and documentation
  • Web application pen test — OWASP Testing Guide as the primary framework, structured within PTES pre-engagement and reporting phases
  • Red team exercise — MITRE ATT&CK for adversary emulation, Cyber Kill Chain for communication, PTES for engagement management
  • Compliance-driven test — NIST SP 800-115 for government, PTES for PCI DSS, OWASP for application-level PCI requirements
  • Wireless security assessment — OSSTMM for wireless-specific methodology, supplemented by PTES for overall engagement structure

Professional pen test reports follow consistent structures regardless of methodology:

Report section | Purpose | Audience
Executive summary | Business risk overview in plain language | C-suite, board, non-technical stakeholders
Scope and methodology | What was tested, how, and within what constraints | Compliance auditors, risk managers
Findings summary | Table of all findings with severity ratings | Technical leadership, risk managers
Detailed findings | Individual vulnerability write-ups with evidence and remediation | Engineers, system administrators
Risk rating methodology | How severity was calculated (CVSS, DREAD, or custom) | Auditors, compliance teams
Remediation roadmap | Prioritised action plan for addressing findings | Technical leadership, project managers

Australian Context: ACSC and CREST Methodology


In Australia, the Australian Cyber Security Centre (ACSC) publishes guidance on penetration testing that aligns with international standards while addressing local regulatory requirements.

ACSC Pen Test Guidance:

  • Recommends using established methodologies (PTES, OWASP, NIST SP 800-115) rather than proprietary approaches
  • Emphasises that testers should hold recognised certifications (CREST, OSCP, or equivalent)
  • Requires pen test findings to map to ASD Essential Eight maturity levels where applicable
  • Notes that critical infrastructure entities under the SOCI Act 2018 should include pen testing as part of their risk management programs

CREST Methodology: CREST (Council of Registered Ethical Security Testers) does not define its own pen testing methodology. Instead, CREST certifications validate that testers can execute established methodologies to a professional standard. CREST-certified companies must demonstrate:

  • Documented methodology aligned with PTES, OWASP, or equivalent
  • Quality assurance processes for every engagement
  • Secure handling of client data and findings
  • Ongoing professional development for testing staff

For career changers in Australia, CREST certification (starting with CREST Registered Penetration Tester) is highly valued in government and enterprise contexts. Many Australian government tenders require CREST-certified testing providers.

IRAP and Pen Testing: IRAP (Information Security Registered Assessors Program) assessments often include penetration testing as a component. IRAP assessors evaluate systems against the Australian Government Information Security Manual (ISM), which references pen testing requirements for systems handling classified and sensitive information.

Penetration testing methodologies provide the structure, consistency, and professionalism that separate a security assessment from ad hoc hacking.

  • PTES provides the most comprehensive end-to-end framework with seven phases covering everything from legal agreements to final reporting. It is the go-to for general infrastructure pen tests.
  • OWASP Testing Guide is essential for web application testing, with 91 test cases across 12 categories. It maps directly to the OWASP Top 10 and should be used for any engagement involving web applications or APIs.
  • NIST SP 800-115 provides governance-focused guidance suited to government and enterprise environments where compliance documentation and audit trails are critical.
  • MITRE ATT&CK and the Cyber Kill Chain help testers map activities to real adversary behaviour, improving communication with defenders and validating detection capabilities.
  • CVSS is the industry standard for severity scoring and should be used in formal pen test reports. DREAD is useful for quick triage and non-technical communication.
  • Methodology selection depends on engagement type. Network tests use PTES, web tests use OWASP, red teams use ATT&CK. Most engagements combine multiple frameworks.
  • In Australia, CREST certification and ACSC guidance shape how pen tests are conducted for government and critical infrastructure, with findings expected to map to ASD Essential Eight controls.

Individual results vary. Career timelines, salary outcomes, and job availability depend on your location, experience, market conditions, and effort. The information on this page is educational, not a guarantee of employment outcomes.

Frequently Asked Questions

What is PTES in penetration testing?

PTES (Penetration Testing Execution Standard) is a comprehensive framework that defines seven phases for conducting professional penetration tests: pre-engagement interactions, intelligence gathering, threat modelling, vulnerability analysis, exploitation, post-exploitation, and reporting. It is the most widely referenced methodology for general-purpose infrastructure and network pen tests.

What is the OWASP Testing Guide?

The OWASP Testing Guide is an open-source framework specifically designed for web application security testing. Version 4.2 organises testing into 12 categories with 91 individual test cases covering authentication, authorisation, input validation, business logic, session management, and more. It maps directly to the OWASP Top 10 list of critical web application security risks.

What is NIST SP 800-115?

NIST SP 800-115 is the US government's Technical Guide to Information Security Testing and Assessment. It provides guidance for planning and conducting security assessments including penetration testing, vulnerability scanning, and security reviews. It is widely used in government and enterprise contexts where compliance documentation and audit trails are required.

What is the difference between CVSS and DREAD?

CVSS (Common Vulnerability Scoring System) is a standardised, granular scoring system that evaluates vulnerability severity across multiple technical metrics on a 0-10 scale. It produces consistent scores regardless of who performs the assessment. DREAD is a simpler model that averages five intuitive factors (Damage, Reproducibility, Exploitability, Affected users, Discoverability) on a 1-10 scale. CVSS is the industry standard for formal reports; DREAD is useful for quick triage.

What is MITRE ATT&CK and why do pen testers use it?

MITRE ATT&CK is a knowledge base of over 200 real-world adversary techniques organised across 14 tactics (like initial access, execution, persistence, and exfiltration). Pen testers use it to map their activities to documented adversary behaviour, which helps clients understand whether their defences can detect real attack techniques. It is especially valuable for red team exercises that emulate specific threat actors.

What is the Cyber Kill Chain?

The Cyber Kill Chain, developed by Lockheed Martin, models seven stages of a cyberattack: reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives. Pen testers use it to map their activities to attacker phases and communicate findings to defenders in terms of where in the kill chain their defences succeeded or failed.

How do I choose the right pen testing methodology?

Choose based on the engagement type: PTES for general infrastructure and network pen tests, OWASP Testing Guide for web applications and APIs, NIST SP 800-115 for government and compliance-driven assessments, and MITRE ATT&CK for red team exercises. Most real-world engagements combine multiple frameworks — for example, PTES for overall structure with OWASP for web application components.

What is OSSTMM?

OSSTMM (Open Source Security Testing Methodology Manual) is a security testing framework that focuses on measuring operational security across five channels: human, physical, wireless, telecommunications, and data networks. Unlike PTES and OWASP, which focus on finding vulnerabilities, OSSTMM measures the attack surface and quantifies security through Risk Assessment Values. It is less commonly used for standard pen tests but valuable for comprehensive operational security assessments.

What does CREST certification mean for pen testing in Australia?

CREST (Council of Registered Ethical Security Testers) is an international accreditation body that validates pen testing professionals and companies. In Australia, many government and enterprise tenders require CREST-certified testing providers. CREST certifications include Registered Penetration Tester (CRT), Certified Infrastructure Tester (CCT Inf), and Certified Web Application Tester (CCT App). CREST does not define its own methodology but validates that testers can execute established frameworks professionally.

How does pen testing methodology relate to CompTIA PenTest+ certification?

CompTIA PenTest+ PT0-002 Domain 1 (Planning and Scoping) directly covers pen testing methodologies including PTES, OWASP, NIST, and MITRE ATT&CK. The exam tests your ability to select appropriate methodologies for different engagement types, define scope and rules of engagement, and apply risk scoring frameworks like CVSS. Understanding methodologies is essential for passing the exam and for professional pen testing practice.


Sources: PTES, OWASP Testing Guide v4.2, NIST SP 800-115, MITRE ATT&CK, ACSC, CREST. Last verified: March 2026.