Penetration Testing Methodologies: A Complete Guide to OWASP, PTES, NIST, OSSTMM, and More

What Is the OWASP Web Security Testing Guide (WSTG)?

The OWASP Web Security Testing Guide (WSTG) is the most widely referenced standard for web application penetration testing. Maintained by the Open Web Application Security Project — a global nonprofit dedicated to improving software security — the WSTG provides a comprehensive set of test cases organized by vulnerability category.

The current version (v4.2) covers 91 test cases across 12 categories:

Key strengths: Each test case includes a clear objective, description, how to test, remediation advice, and references. The guide is freely available, community-maintained, and integrates with the OWASP Top 10 risk list.

Best suited for: Web application security assessments, API security testing, DevSecOps integration, and organizations that need to validate their applications against the OWASP Top 10.

What Is the Penetration Testing Execution Standard (PTES)?

The Penetration Testing Execution Standard (PTES) is one of the most comprehensive frameworks for structuring a complete penetration testing engagement. Developed by a collaborative group of security professionals, PTES defines best practices across the entire testing lifecycle — from initial client communication through final reporting.

PTES is organized into seven distinct phases:

What sets PTES apart is its emphasis on the pre-engagement and post-exploitation phases that other methodologies often overlook. The pre-engagement section covers scoping, rules of engagement, authorization, and emergency contact procedures. The post-exploitation phase addresses privilege escalation, lateral movement, data exfiltration, and persistence — providing the business-impact evidence that executive stakeholders need.

Key strengths: Detailed technical guidance with specific tooling recommendations; strong emphasis on clear communication between testers and clients; repeatable and auditable process.

Best suited for: General-purpose penetration testing engagements covering network, system, and application targets; consulting firms needing a standardized engagement framework.

What Is NIST SP 800-115?

NIST Special Publication 800-115, “Technical Guide to Information Security Testing and Assessment,” is published by the National Institute of Standards and Technology. It provides guidance for organizations on planning and conducting technical security tests, analyzing findings, and developing mitigation strategies.

NIST SP 800-115 categorizes security testing into three types:

• Testing — actively probing systems to identify vulnerabilities (e.g., penetration testing, vulnerability scanning)
• Examination — reviewing systems, configurations, policies, and procedures for compliance with security requirements
• Interviewing — discussing security processes and practices with personnel to identify gaps

For penetration testing specifically, the standard defines a four-phase approach:

Key strengths: Backed by the authority of the U.S. federal government; aligns with the NIST Risk Management Framework (RMF) and other 800-series publications; emphasizes risk-based prioritization of testing efforts.

Best suited for: U.S. federal agencies and contractors required to follow NIST guidelines; organizations pursuing FedRAMP authorization; compliance-driven security programs needing to demonstrate alignment with NIST frameworks.

What Is the Open Source Security Testing Methodology Manual (OSSTMM)?

The OSSTMM, published by the Institute for Security and Open Methodologies (ISECOM), takes a fundamentally different approach from other penetration testing standards. Rather than focusing narrowly on technical vulnerability exploitation, OSSTMM provides a methodology for testing operational security across five channels:

• Human security — social engineering, trust testing, and personnel security awareness
• Physical security — facility access controls, perimeter security, and environmental controls
• Wireless security — electromagnetic spectrum, RF signal analysis, and wireless protocol assessment
• Telecommunications — voice networks, PBX systems, VoIP, and telephony infrastructure
• Data networks — traditional network and system penetration testing

A distinguishing feature of OSSTMM is its RAV (Risk Assessment Values) scoring system, which provides quantifiable metrics for measuring operational security. This allows organizations to track security posture improvements over time with actual numbers rather than subjective ratings.

Key strengths: Broadest scope of any pen testing methodology (covers physical, human, and wireless alongside digital); quantitative security metrics; vendor-neutral and peer-reviewed.

Best suited for: Organizations needing holistic security assessments that extend beyond IT systems; environments where physical security, social engineering, and telecommunications are critical attack vectors.

What Is the Information Systems Security Assessment Framework (ISSAF)?

The ISSAF, published by the Open Information Systems Security Group (OISSG), is one of the most granular penetration testing frameworks ever developed. It provides detailed, domain-specific assessment procedures for virtually every technology layer in an enterprise environment.

ISSAF organizes its guidance into three phases with extensive technical domain coverage:

Within the assessment phase, ISSAF provides specialized testing procedures for:

• Password security and cracking methodologies
• Windows and Unix/Linux system assessment
• Database security (SQL Server, Oracle, MySQL)
• Web application and source code auditing
• Network infrastructure (switches, routers, firewalls, IDS)
• VPN, VoIP, and wireless security
• Storage area network (SAN) assessment
• Social engineering testing procedures

What Is the MITRE ATT&CK Framework?

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is not a penetration testing methodology in the traditional sense. It is a globally curated knowledge base of real-world adversary tactics, techniques, and procedures (TTPs) based on observed cyberattacks.

ATT&CK organizes adversary behaviour into 14 tactical categories that map the attack lifecycle:

Penetration testers use ATT&CK to:

• Plan realistic attack simulations — model test scenarios based on the TTPs of specific threat actors relevant to the target industry
• Map findings to known adversary behaviour — communicate results in terms defenders understand
• Identify detection gaps — evaluate whether the organization’s security controls can detect each technique
• Prioritize remediation — focus on the techniques most frequently used by threat groups targeting the organization’s sector

Key strengths: Grounded in real-world threat intelligence; continuously updated with new adversary techniques; matrices available for Enterprise, Mobile, ICS, and Cloud environments.

Best suited for: Red team operations, adversary simulation exercises, purple team engagements, and organizations wanting to validate their detection and response capabilities against known threat actors.