Engagement Methodology

PTES

Penetration Testing Execution Standard

Community-driven (pentest-standard.org) Source Document →

What It Is

The most practitioner-oriented penetration testing framework. Seven phases map directly to how a real engagement flows from scoping call to final report:

  1. Pre-engagement Interactions — Scope, rules of engagement, authorization, emergency contacts
  2. Intelligence GatheringOSINT, footprinting, identifying the target’s attack surface
  3. Threat Modeling — Who would attack this target, why, and how? Prioritize attack paths
  4. Vulnerability Analysis — Active and passive identification of exploitable weaknesses
  5. Exploitation — Validate vulnerabilities by exploiting them under controlled conditions
  6. Post-Exploitation — Pivoting, persistence, privilege escalation, data exfiltration — demonstrate real impact
  7. Reporting — Document everything. Findings, evidence, risk ratings, remediation

Why It Matters

PTES was written by pentesters for pentesters. It doesn’t just tell you what to test — it tells you how to conduct yourself professionally throughout an engagement. The pre-engagement and reporting phases are as detailed as the technical ones, because a pentest that can’t be communicated to stakeholders is a pentest that doesn’t drive change.

When to Use It

Use PTES as your default engagement framework. It’s the skeleton you hang everything else on — OWASP WSTG for web app test cases, MASTG for mobile, OSSTMM for metrics. PTES defines the workflow; other frameworks fill in domain-specific depth.

The Offensive Angle

Post-exploitation is where PTES separates from vulnerability scanning. A scanner finds the hole. PTES phase 6 asks: what can an attacker do with this hole? Can they pivot to the domain controller? Exfiltrate the member database? Establish persistence that survives a reboot? That’s the difference between a findings list and a threat narrative.

Pairs Well With

  • OWASP WSTG — Fills in web app test cases for phases 4-5
  • OWASP MASTG — Fills in mobile test cases
  • ISSAF — More granular phase breakdown if you need it
  • NIST 800-115 — Governance wrapper for the engagement