What It Is
The U.S. government’s technical guide for security testing. While PTES tells you how to run a pentest, NIST 800-115 tells you how to govern the testing process — planning, scoping, rules of engagement, and reporting within an organizational risk management framework.
Key areas:
- Review Techniques — Documentation review, log review, ruleset review, system configuration review
- Target Identification and Analysis — Network discovery, vulnerability scanning, wireless scanning
- Target Vulnerability Validation — Password cracking, penetration testing, social engineering
- Security Assessment Planning — Roles, scope, rules of engagement, legal considerations, reporting
Why It Matters
If your pentest methodology needs to be defensible to auditors, regulators, or government clients, NIST 800-115 is the reference they expect. It positions security testing within the broader NIST risk management framework (complementing NIST CSF, 800-53, and 800-37), giving your findings organizational context beyond “we found these vulns.”
The planning section is particularly valuable — it covers the legal, organizational, and logistical considerations that trip up engagements when ignored.
When to Use It
Federal engagements, compliance-driven assessments, or any situation where the testing methodology itself will be audited. Also useful as a governance overlay on top of PTES — PTES runs the engagement, NIST 800-115 governs it.
The Offensive Angle
The social engineering section is worth reading even if you never use the framework formally. NIST’s treatment of social engineering as a formal testing technique — with planning, authorization, and risk management — is a good model for how to include human-channel testing without crossing ethical lines.
Pairs Well With
- PTES — Technical engagement workflow under NIST 800-115’s governance umbrella
- NIST CSF — The framework that 800-115 testing measures against
- NIST 800-53 — The control catalog that testing validates