What is a Penetration Testing Methodology?

A penetration testing methodology is the manner in which a penetration test is organized and executed. Penetration testing methodologies exist to identify security vulnerabilities in an organization. Each different methodology outlines the process a company may take to discover those vulnerabilities. While companies can use their own custom processes, there are many readily established, industry-recognized methodologies that can be a great option for organizations to use. Some organizations use these developed methods as an “out of the box” solution, while others use them as a baseline to build on.

The top four penetration testing methodologies that are industry-recognized and respected are:


  1. OSSTMM

  2. OWASP

  3. NIST

  4. PTES

What Is OSSTMM?

The Open Source Security Testing Methodology Manual, or OSSTMM, is one of the most recognizable penetration testing methodologies in the industry. It is a peer-reviewed methodology maintained by the Institute for Security and Open Methodologies (ISECOM). OSSTMM allows companies to tailor their penetration tests to their specific needs while giving developers access to the more secure portions of their environment for development work. OSSTMM also contains checks to ensure adherence to regulations and laws. With its combination of technical direction, customizability across many environments, and broad support for many organization types, OSSTMM is a universal go-to among penetration testing methodologies.

What Is OWASP?

OWASP, or the Open Web Application Security Project, publishes a set of standards and guidelines for the security of web applications, and is often the starting point for IT personnel venturing into penetration testing for the first time. OWASP provides several resources of its own to improve the security posture of both internal and external web applications, including a comprehensive list of vulnerability categories for web applications and ways to mitigate or remediate them.

What Is PTES?

PTES is the Penetration Testing Execution Standard. It provides a high-level overview of a penetration test, consisting of the following seven steps:

  • Pre-engagement Interactions

  • Intelligence Gathering

  • Threat Modeling

  • Vulnerability Analysis

  • Exploitation

  • Post Exploitation

  • Reporting

What Is NIST?

NIST stands for the National Institute of Standards and Technology. Generally speaking, NIST is more of a security framework than a penetration testing methodology. NIST provides companies with baseline standards for configuring the technologies and stacks within their environment, and those standards can be applied to penetration testing. In relation to penetration testing, NIST Special Publication 800-115 contains standards and best practices for conducting an internal security assessment.

Why Are Penetration Methodologies Important?

Penetration methodologies are a great way for companies to build regular security assessments into their organization. Following the established methodologies described above makes this easy to implement in companies where knowledge of and experience with penetration tests may be limited, or where existing infrastructure has made penetration testing difficult in the past. As with any solution to security threats, care should be taken to ensure that the chosen methodology fits the needs of the organization without adding unnecessary work for developers and other personnel. The four methodologies referenced above have been sufficiently tested and refined to be broadly applicable to most organizations. While there is occasionally a need for a newly designed methodology in companies with niche or esoteric software requirements, creating an independent methodology should be a last resort, so as to avoid unnecessary research and work for IT personnel.

Caution should be taken when selecting a framework for penetration testing. While each of these frameworks can provide structure and organization to daily technological operations, if implemented poorly they can consume too much time and effort, creating an unnecessary workload for what should be a simple process. To avoid this, Emagined Security urges companies not to treat penetration testing as a standard project with daily standups and updates. Flexibility within these methodologies is fundamental to a successful implementation, as each organization will have its own individual needs surrounding these tests. Feedback from security assessments allows an organization to change and adapt according to the results. Reports should never contain the same information twice, because an organization should update its security posture after every completed assessment. Penetration testing is no exception. When followed flexibly and updated regularly, penetration testing methodologies work for those who use them and bring simplicity and success to an organization’s cyber security assessment process.