What It Is
A scientific, metrics-driven security testing methodology. Where most frameworks tell you what to test, OSSTMM tells you how to measure the result. It introduces the rav (risk assessment value) — a quantifiable measure of security that lets you compare posture across engagements, over time, and between different parts of an organization.
Testing is organized by channel — the medium through which interaction occurs:
- Human — Social engineering, physical security awareness
- Physical — Locks, barriers, surveillance, physical access controls
- Wireless — RF, Bluetooth, WiFi, satellite
- Telecommunications — Voice, fax, modem, PBX
- Data Networks — TCP/IP, protocols, services, applications
Why It Matters
Most pentest reports are subjective. “We found 12 highs and 8 mediums” tells you something, but it doesn’t tell you how secure the organization is. OSSTMM’s metrics framework treats security as a measurable property — not a feeling, not a list of findings, but a quantifiable state that can be tracked and compared.
The channel model also forces you to think beyond “applications and networks.” Human and physical channels are real attack surfaces that most technical assessments ignore entirely.
When to Use It
When you need to benchmark and compare security posture — across business units, across time, or across organizations. Particularly valuable for mature security programs that have moved past “find vulns” and need to demonstrate measurable improvement to leadership.
The Offensive Angle
The channel model maps to how sophisticated adversaries actually operate. APT groups don’t limit themselves to network exploitation — they combine social engineering (human channel), physical access (physical channel), and technical exploitation (data networks). OSSTMM’s multi-channel approach mirrors real threat actor methodology.
Pairs Well With
- PTES — Provides the engagement workflow that OSSTMM’s metrics can measure
- ISSAF — Granular lifecycle details within OSSTMM’s channel structure
- NIST 800-115 — Governance and planning framework around OSSTMM’s testing approach