What It Is
The most practitioner-oriented penetration testing framework. Seven phases map directly to how a real engagement flows from scoping call to final report:
- Pre-engagement Interactions — Scope, rules of engagement, authorization, emergency contacts
- Intelligence Gathering — OSINT, footprinting, identifying the target’s attack surface
- Threat Modeling — Who would attack this target, why, and how? Prioritize attack paths
- Vulnerability Analysis — Active and passive identification of exploitable weaknesses
- Exploitation — Validate vulnerabilities by exploiting them under controlled conditions
- Post-Exploitation — Pivoting, persistence, privilege escalation, data exfiltration — demonstrate real impact
- Reporting — Document everything. Findings, evidence, risk ratings, remediation
Why It Matters
PTES was written by pentesters for pentesters. It doesn’t just tell you what to test — it tells you how to conduct yourself professionally throughout an engagement. The pre-engagement and reporting phases are as detailed as the technical ones, because a pentest that can’t be communicated to stakeholders is a pentest that doesn’t drive change.
When to Use It
Use PTES as your default engagement framework. It’s the skeleton you hang everything else on — OWASP WSTG for web app test cases, MASTG for mobile, OSSTMM for metrics. PTES defines the workflow; other frameworks fill in domain-specific depth.
The Offensive Angle
Post-exploitation is where PTES separates from vulnerability scanning. A scanner finds the hole. PTES phase 6 asks: what can an attacker do with this hole? Can they pivot to the domain controller? Exfiltrate the member database? Establish persistence that survives a reboot? That’s the difference between a findings list and a threat narrative.
Pairs Well With
- OWASP WSTG — Fills in web app test cases for phases 4-5
- OWASP MASTG — Fills in mobile test cases
- ISSAF — More granular phase breakdown if you need it
- NIST 800-115 — Governance wrapper for the engagement