Getting Started Understanding the PTES Framework

Threat Exploit follows The Penetration Testing Execution Standard (PTES) standard which provides a common language and structured baseline for performing security evaluations. This guide covers the core goals, community origins, and the seven main phases of the PTES framework.

Created in 2009 by a group of information security practitioners, PTES was designed to address the lack of standardization in the industry. It ensures that businesses know exactly what to expect from a penetration test, and provides security service providers with clear guidance on delivering high-quality, valuable results.

Standard vs. Technical Guidelines
The core PTES framework defines what should be done during a penetration test, not how to do it. For specific technical instructions, the community maintains a separate companion guide called the PTES Technical Guidelines.

The Penetration Testing Lifecycle

The PTES framework is organized into seven distinct phases. These phases cover the entire lifecycle of a penetration test, from the initial handshake to the final deliverable.

flowchart TD
    A[Pre-engagement Interactions] --> B[Intelligence Gathering]
    B --> C[Threat Modeling]
    C --> D[Vulnerability Analysis]
    D --> E[Exploitation]
    E --> F[Post Exploitation]
    F --> G[Reporting]

Here is a breakdown of what each phase entails:

  1. 1

    Pre-engagement Interactions

    The initial communication phase where testers and the organization define the scope, rules of engagement, and the primary business reasoning behind the penetration test.

  2. 2

    Intelligence Gathering

    Testers work behind the scenes to collect publicly available information (OSINT) and get a better understanding of the target organization's footprint.

  3. 3

    Threat Modeling

    Using the gathered intelligence, testers identify the most likely threats and categorize the assets that need to be protected, ensuring the test mimics real-world adversary behavior.

  4. 4

    Vulnerability Analysis

    Testers actively research and identify potential security flaws within the defined scope that could be leveraged by an attacker.

  5. 5

    Exploitation

    The technical security expertise of the testers comes into play. They attempt to exploit the identified vulnerabilities to gain access, proving the real-world risk of the flaws.

  6. 6

    Post Exploitation

    After gaining access, testers determine the business impact. This involves maintaining access, escalating privileges, and demonstrating what a real attacker could accomplish (e.g., data exfiltration) without causing actual harm.

  7. 7

    Reporting

    The final and most critical phase. The entire process is captured in a comprehensive report that makes sense to the customer, providing both executive summaries and technical remediation steps.

Intensity Levels

Because no two penetration tests are alike, PTES is designed to be flexible. A standard web application test requires a different approach than a full-scale red team engagement.

To accommodate this, the standard defines a baseline (the minimum required for a basic pentest) and introduces levels of intensity. These levels allow organizations to define how much sophistication they expect their simulated adversary to exhibit, enabling testers to step up the intensity in areas where the organization needs the most rigorous testing.

Frequently Asked Questions

Who is involved with this standard?

PTES was founded by a group of industry experts from financial institutions, service providers, and security vendors (including Chris Nickerson, Dave Kennedy, Chris John Riley, and many others). It is an open group, and the founders actively welcome down-to-earth opinions and contributions from the broader InfoSec community.

Does the standard cover all possible pentest scenarios?

While it is impossible to cover every edge case, PTES defines a strict baseline for minimum requirements. The framework uses "intensity levels" to provide more comprehensive activities for organizations with higher security needs or specific industry requirements.

Does this effort standardize reporting as well?

Yes. The creators of PTES believe that standardizing the test without defining the report is useless. The framework explicitly defines requirements for both executive (business-level) and technical reporting.

Who is the intended audience?

There are two main audiences:

  1. Businesses: To help them demand a specific baseline of quality and scope when hiring a pentester.

  2. Service Providers: To provide a clear baseline for the activities, scoping, and deliverables required to provide a professional service.

Additional Resources

Explore these community resources to dive deeper into the PTES framework and its practical applications.

PTES Technical Guidelines

Access the technical companion guide that explains the "how-to" behind the standard's execution phases.

PTES Mindmap

Download the original FreeMind mindmap used to create the first drafts of the standard.