Compliance & Governance

NIST SP 800-115

Technical Guide to Information Security Testing and Assessment

NIST (National Institute of Standards and Technology) Source Document →

What It Is

The U.S. government’s technical guide for security testing. While PTES tells you how to run a pentest, NIST 800-115 tells you how to govern the testing process — planning, scoping, rules of engagement, and reporting within an organizational risk management framework.

Key areas:

  • Review Techniques — Documentation review, log review, ruleset review, system configuration review
  • Target Identification and Analysis — Network discovery, vulnerability scanning, wireless scanning
  • Target Vulnerability Validation — Password cracking, penetration testing, social engineering
  • Security Assessment Planning — Roles, scope, rules of engagement, legal considerations, reporting

Why It Matters

If your pentest methodology needs to be defensible to auditors, regulators, or government clients, NIST 800-115 is the reference they expect. It positions security testing within the broader NIST risk management framework (complementing NIST CSF, 800-53, and 800-37), giving your findings organizational context beyond “we found these vulns.”

The planning section is particularly valuable — it covers the legal, organizational, and logistical considerations that trip up engagements when ignored.

When to Use It

Federal engagements, compliance-driven assessments, or any situation where the testing methodology itself will be audited. Also useful as a governance overlay on top of PTES — PTES runs the engagement, NIST 800-115 governs it.

The Offensive Angle

The social engineering section is worth reading even if you never use the framework formally. NIST’s treatment of social engineering as a formal testing technique — with planning, authorization, and risk management — is a good model for how to include human-channel testing without crossing ethical lines.

Pairs Well With

  • PTES — Technical engagement workflow under NIST 800-115’s governance umbrella
  • NIST CSF — The framework that 800-115 testing measures against
  • NIST 800-53 — The control catalog that testing validates