Imagine you just landed your first penetration testing engagement. The client is a mid-size e-commerce company, and they want you to evaluate the security of their web application, internal network, and employee security awareness. You sit down, open your laptop, and then what? Do you start running nmap right away? Do you test the login page for injection first? Do you try an employee?
Without a structured approach, a penetration test quickly becomes a disorganized collection of random checks. You might miss critical attack surfaces, skip important documentation, or deliver findings that the client cannot act on. Worse, you might test systems that were never in scope and find yourself in legal trouble. This is exactly the problem that penetration testing frameworks solve.

A penetration testing framework is a structured methodology that guides security professionals through every stage of an engagement, from initial planning and scoping to exploitation, reporting, and remediation validation. Consider the analogy of a building inspector following a code-compliance checklist: the inspector does not wander through the building, hoping to notice problems. Instead, they follow a systematic process that ensures every structural element, electrical system, and fire safety measure is evaluated against a known standard. Penetration testing frameworks serve the same purpose for security assessments.
Relying on a structured methodology provides several benefits. It ensures thoroughness so that critical areas are not overlooked. It promotes consistency so that different testers on the same team produce comparable results. It supports compliance by aligning the assessment with regulatory requirements. It also improves communication because clients, auditors, and stakeholders can understand and trust a process grounded in a recognized standard.
There are many penetration testing frameworks in active use today, and each has its own philosophy, strengths, and ideal use cases. In this room, we will explore the following in depth:
- Open Source Security Testing Methodology Manual (OSSTMM), a scientific, metrics-driven approach to security testing
- Web Security Testing Guide (WSTG), the go-to framework for web application assessments
- Special Publication 800-115, the U.S. government's technical guide to security testing and assessment
- Penetration Testing Execution Standard (PTES), a practical, phase-driven standard that mirrors how real engagements are conducted
- Information Systems Security Assessment Framework (ISSAF), a historically influential methodology with a detailed nine-step assessment model
We will also introduce ATT&CK as a complementary knowledge base that maps adversary tactics and techniques. We will survey several other notable frameworks, including the WASC Threat Classification, CSA Cloud Controls Matrix, Mobile Application Security Testing Guide (MASTG), Penetration Testing Guidelines, and the CBEST Framework, so you know when and where they apply.
Learning Objectives
- Describe the purpose and structure of the major penetration testing frameworks.
- Compare frameworks based on their scope, methodology, and intended use cases.
- Select an appropriate framework for a given engagement scenario.
- Explain how ATT&CK complements traditional penetration testing methodologies.
Prerequisites
- Familiarity with basic networking concepts
- A general understanding of what penetration testing involves
A penetration tester runs several tools against a target but skips network mapping entirely and does not document the scope beforehand. Which benefit of using a framework would have most directly prevented this situation?
Your client operates in the healthcare sector and must demonstrate compliance with HIPAA. Beyond identifying vulnerabilities, which benefit of using a recognized framework would matter most to this client?