Penetration Testing Methodology
Penetration testing methodology defines the structured sequence of phases, documentation requirements, and professional standards that govern how authorized security assessments are planned, executed, and reported. This page covers the formal methodology landscape as it applies to US-based engagements — including major frameworks, phase structures, classification distinctions, and the regulatory contexts that shape how methodology choices are made. The reference spans both practitioner and procurement perspectives within the professional penetration testing service sector.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
- References
Definition and scope
Penetration testing methodology is the codified operational framework that separates a legally defensible, reproducible security assessment from an ad hoc attack simulation. The National Institute of Standards and Technology defines penetration testing in NIST SP 800-115 as security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. Methodology formalizes how that mimicry is authorized, bounded, executed, and documented.
Scope within the penetration testing service landscape covers 5 principal engagement contexts: external network assessments, internal network assessments, web application testing, wireless testing, and physical or social engineering assessments. Each context applies the same underlying methodology phases but differs in technical tooling, access assumptions, and rules of engagement.
The legal boundary is established by the Computer Fraud and Abuse Act (18 U.S.C. § 1030), which treats unauthorized computer access as a federal criminal offense. Methodology documentation — particularly the signed rules of engagement and scope authorization — constitutes the primary legal protection distinguishing an authorized penetration test from prosecutable intrusion. Authorization documentation is therefore not administrative overhead; it is a statutory necessity.
For context on how this methodology reference fits within the broader penetration testing service landscape, see the Penetration Testing Provider Network Purpose and Scope.
Core mechanics or structure
The major published methodologies — including NIST SP 800-115, the PTES (Penetration Testing Execution Standard), and OWASP Testing Guide v4.2 — converge on a common phase sequence despite differences in terminology and scope emphasis.
Phase 1 — Planning and Authorization
Scope definition, rules of engagement, authorization documentation, emergency contact protocols, and legal agreements are established before any technical activity begins. This phase produces the formal statement of work and engagement authorization letter.
Phase 2 — Reconnaissance
Passive and active information gathering about the target. Passive techniques use open-source intelligence (OSINT) without touching target systems; active techniques involve direct interaction and are governed strictly by the authorized scope. PTES subdivides this into open-source intelligence, target identification, and infrastructure enumeration.
Phase 3 — Threat Modeling and Vulnerability Identification
Attack surface analysis, threat modeling against the identified environment, and vulnerability enumeration using both automated scanning and manual analysis. NIST SP 800-115 distinguishes this phase from exploitation: enumeration alone does not constitute a completed penetration test.
Phase 4 — Exploitation
Active exploitation of confirmed vulnerabilities to demonstrate real-world impact. This phase requires human-driven attack chaining — the deliberate combination of individual vulnerabilities into escalation paths that automated scanners cannot replicate. Common exploitation categories include authentication bypass, privilege escalation, injection attacks, and lateral movement across network segments.
Phase 5 — Post-Exploitation
Assessment of persistence mechanisms, data exfiltration feasibility, lateral movement depth, and the realistic blast radius of a sustained compromise. PCI DSS v4.0, Requirement 11.4 explicitly requires penetration testing that includes attempts to compromise segmentation controls, making post-exploitation a compliance-mandated phase in cardholder data environments.
Phase 6 — Reporting
Findings are documented with severity ratings (typically using CVSS v3.1 scoring), proof-of-concept evidence, business impact narratives, and remediation guidance. Reports are produced in two formats: an executive summary and a technical findings appendix.
Causal relationships or drivers
Methodology standardization is driven by 3 overlapping forces: regulatory mandate, insurance underwriting requirements, and procurement qualification standards.
Regulatory mandate is the primary driver in financial services, healthcare, and federal contracting. PCI DSS v4.0 Requirement 11.4 mandates penetration testing at least annually and after significant infrastructure changes. HIPAA Security Rule (45 CFR § 164.306) requires covered entities to implement technical safeguard evaluations, with penetration testing recognized by HHS as an appropriate evaluation mechanism. FedRAMP requires annual penetration testing for cloud service providers seeking authorization, with methodology requirements codified in the FedRAMP Penetration Test Guidance document.
Cyber insurance underwriting increasingly requires documented methodology evidence as a condition of coverage or premium determination. Insurers evaluate whether a testing program follows a named standard rather than accepting informal assessments.
CMMC (Cybersecurity Maturity Model Certification) under 32 CFR Part 170 requires third-party assessments for defense contractors seeking Level 2 or Level 3 certification, with those assessments relying on methodology structures aligned with NIST SP 800-171.
The Penetration Testing Providers provider network reflects this regulatory landscape by organizing providers according to the compliance contexts they serve.
Classification boundaries
Methodology classifications operate along two primary axes: knowledge state (what the tester knows about the target before beginning) and access state (what credentials or network position the tester starts from).
Knowledge State Classifications:
- Black box — No prior knowledge of the target environment. Simulates an external attacker with no insider information.
- Grey box — Partial knowledge: the tester may receive network diagrams, user-level credentials, or application documentation. Simulates an authenticated user or a partially informed attacker.
- White box — Full disclosure: source code, architecture diagrams, administrative credentials, and full documentation are provided. Maximizes coverage depth but does not simulate a realistic external threat.
Access State Classifications:
- External — Testing originates from outside the network perimeter, simulating internet-based attacks.
- Internal — Testing originates from within the network, simulating a compromised internal host or malicious insider.
- Assumed breach — Testing begins with a pre-positioned foothold inside the environment, bypassing perimeter controls to focus exclusively on post-compromise detection and lateral movement resistance.
These classifications are not mutually exclusive. A single engagement may involve an external black-box phase followed by a white-box internal review. The PTES standard and NIST SP 800-115 both accommodate multi-phase structures within a single engagement scope.
Tradeoffs and tensions
Depth versus coverage: Thorough exploitation requires extended time on individual targets, which reduces the breadth of systems tested within a fixed engagement window. Organizations with large attack surfaces face a structural choice between shallow-wide and deep-narrow assessment strategies.
Realism versus safety: The most realistic methodology — unlimited scope, live exploitation with persistence — carries the highest operational risk to production systems. Rules of engagement restrictions that protect operational continuity simultaneously limit the realism of the simulated threat. NIST SP 800-115 acknowledges this tension explicitly, noting that testers must balance thoroughness against the risk of unintended service disruption.
Automated versus manual testing: Automated scanning tools achieve consistent, fast vulnerability enumeration but miss logic flaws, chaining opportunities, and context-specific vulnerabilities that require human reasoning. The OWASP Testing Guide v4.2 explicitly frames manual testing as the authoritative technique for authentication and business logic vulnerability classes.
Point-in-time validity: A penetration test produces a snapshot of exploitability at a specific moment. Infrastructure changes, new deployments, or patch cycles alter the threat surface within weeks. Compliance frameworks requiring annual testing — including PCI DSS — set a minimum cadence, not an optimum.
Reporting standardization: No single mandatory reporting format exists across the industry. CVSS scoring provides vulnerability severity standardization, but business impact framing, remediation prioritization, and proof-of-concept presentation vary substantially between practitioners and firms, complicating cross-engagement comparisons.
Common misconceptions
Misconception: Vulnerability scanning and penetration testing are equivalent.
Vulnerability scanning enumerates potential weaknesses using automated signatures. Penetration testing requires human-driven exploitation to confirm that a vulnerability is reachable, exploitable, and consequential. NIST SP 800-115 explicitly distinguishes between the two, placing exploitation as a separate and mandatory phase that scanning tools cannot replicate.
Misconception: A passed penetration test certifies security.
Penetration testing assesses exploitability within a defined scope, timeframe, and knowledge state. A finding-free report reflects the limits of the tested scope and the methodology applied — not an absence of vulnerabilities across the full environment.
Misconception: White-box testing is less rigorous than black-box testing.
Black-box testing replicates threat actor conditions but frequently misses vulnerabilities requiring deep system knowledge. White-box testing, with full access to source code and architecture, typically identifies a larger total vulnerability count. The OWASP Testing Guide v4.2 favors white-box or grey-box approaches for comprehensive application security assessments.
Misconception: Penetration testing is solely a technical exercise.
Methodology includes pre-engagement legal review, scope negotiation, authorization documentation, and post-engagement remediation validation. The non-technical phases are what distinguish a compliant assessment from unauthorized access under 18 U.S.C. § 1030.
Misconception: Annual testing satisfies all compliance obligations.
PCI DSS v4.0 Requirement 11.4 mandates testing after significant environmental changes in addition to the annual cadence. A single annual test conducted without change-triggered assessments may leave an organization out of compliance following major infrastructure updates.
For additional context on navigating this reference resource, see How to Use This Penetration Testing Resource.
Checklist or steps (non-advisory)
The following phase sequence reflects the methodology structure described in NIST SP 800-115 and PTES. This is a reference enumeration of standard engagement phases, not a procedural prescription.
Pre-Engagement
- [ ] Scope definition document completed and signed by authorizing official
- [ ] Rules of engagement finalized, including out-of-scope systems and prohibited techniques
- [ ] Emergency escalation contacts identified for both client and testing team
- [ ] Legal authorization letter or contract executed prior to any technical activity
- [ ] Data handling and confidentiality requirements documented
Reconnaissance
- [ ] Passive OSINT collection completed (DNS records, WHOIS, public code repositories, job providers, SSL certificates)
- [ ] Active reconnaissance techniques confirmed as within authorized scope before execution
- [ ] Target asset inventory cross-referenced against scope boundaries
Vulnerability Identification
- [ ] Automated scanning performed against all in-scope hosts and services
- [ ] Manual analysis applied to identified attack surface (authentication mechanisms, input handling, API endpoints)
- [ ] Findings documented with evidence prior to exploitation phase
Exploitation
- [ ] Each exploitation attempt tied to a specific documented vulnerability
- [ ] Privilege escalation paths mapped and tested
- [ ] Lateral movement opportunities assessed within authorized network segments
- [ ] Evidence captured (screenshots, logs, proof-of-concept artifacts) for each confirmed finding
Post-Exploitation
- [ ] Persistence mechanisms assessed (not necessarily installed in production unless authorized)
- [ ] Data exfiltration feasibility evaluated within scope boundaries
- [ ] Segmentation controls tested per engagement requirements (mandatory for PCI DSS environments per Requirement 11.4)
Reporting
- [ ] CVSS v3.1 scores applied to each finding
- [ ] Executive summary produced covering business impact framing
- [ ] Technical findings appendix produced with full reproduction steps
- [ ] Remediation guidance included for each finding
- [ ] Report delivered through encrypted channel per data handling agreement
Post-Engagement
- [ ] Tester-created artifacts and access credentials removed from client environment
- [ ] Debrief conducted with client technical and security leadership
- [ ] Remediation validation retesting scope and timeline agreed upon
Reference table or matrix
| Methodology Framework | Primary Scope | Knowledge State Support | Regulatory Alignment | Governing Body |
|---|---|---|---|---|
| NIST SP 800-115 | Network, application, physical | All three (black/grey/white) | FedRAMP, FISMA, CMMC | NIST |
| PTES (Penetration Testing Execution Standard) | Network, application, social engineering | All three | General industry | PTES |
| OWASP Testing Guide v4.2 | Web applications, APIs | Grey and white emphasis | PCI DSS, HIPAA (application layer) | OWASP |
| PCI DSS Penetration Testing Guidance | Network and application (cardholder data scope) | Grey and white | PCI DSS v4.0 Requirement 11.4 | PCI SSC |
| ISSAF (Information Systems Security Assessment Framework) | Network, system, application | All three | General industry | OISSG |
| FedRAMP Penetration Test Guidance | Cloud service provider infrastructure | Grey emphasis | FedRAMP Authorization | FedRAMP PMO |
| Knowledge State | Threat Scenario Simulated | Coverage Depth | Typical Compliance Use Case |
|---|---|---|---|
| Black box | External attacker, no insider knowledge | Shallow-to-medium | Initial perimeter assessment |
| Grey box | Authenticated user, partial insider | Medium-to-deep | Application testing, PCI DSS |
| White box | Full disclosure, code review integration | Maximum | FedRAMP, CMMC, pre-release assessment |
| Assumed breach | Post-compromise lateral movement | Targeted deep | Detection capability validation |