Getting Started Exploring Framework Goals and Governance

The Penetration Testing Execution Standard (PTES) provides a common language and scope for performing security evaluations. This page outlines the core goals, target audience, and the organizational structure behind the framework.

Core Goals and Philosophy

Started in 2009 by a group of information security practitioners, the PTES framework was created to address the lack of standardization in the penetration testing industry. Without a standard, businesses often receive low-quality assessments, and security practitioners lack clear guidance on what constitutes a quality service.

The framework aims to solve this by establishing:

  • A Minimum Baseline: Defining the absolute minimum requirements for a basic penetration test.

  • Scalable Intensity Levels: Providing "levels" on top of the baseline for organizations with higher security needs (ranging from standard web application tests to full-scale red team engagements).

  • Standardized Reporting: Defining clear expectations for both executive (business) and technical reporting, ensuring the final deliverable provides actionable value.

The core PTES standard focuses on what needs to be done during an engagement, rather than how to do it. A companion PTES Technical Guidelines document is maintained separately to provide the specific technical execution details.

Target Audience

The standard is designed to bridge the gap between those who need security services and those who provide them.

AudienceBenefits & Goals
BusinessesEnables organizations to demand a specific, measurable baseline of quality and scope when purchasing a penetration test.
Service ProvidersProvides a structured baseline for required activities, ensuring nothing is missed from initial scoping through to final deliverables.

The 7 Phases of PTES

The framework organizes the lifecycle of a penetration test into seven distinct phases. This structure ensures a logical progression from initial planning to the final report.

flowchart TD
    A[Pre-engagement Interactions] --> B[Intelligence Gathering]
    B --> C[Threat Modeling]
    C --> D[Vulnerability Analysis]
    D --> E[Exploitation]
    E --> F[Post Exploitation]
    F --> G[Reporting]
  1. 1

    Pre-engagement Interactions

    The initial communication phase where testers and the organization define the scope, goals, and reasoning behind the penetration test.

  2. 2

    Intelligence Gathering

    Testers work behind the scenes to collect information and gain a better understanding of the target organization's footprint.

  3. 3

    Threat Modeling

    Using the gathered intelligence to identify potential threats and model how an attacker might approach the target.

  4. 4

    Vulnerability Analysis

    Actively identifying flaws and weaknesses in the target's systems, applications, or networks.

  5. 5

    Exploitation

    Applying technical security expertise to exploit the identified vulnerabilities and gain unauthorized access.

  6. 6

    Post Exploitation

    Determining the value of the compromised systems, maintaining access, and combining technical findings with business context.

  7. 7

    Reporting

    Capturing the entire process in a comprehensive document that makes sense to the customer and provides actionable remediation steps.

Governance and Contributors

PTES is not a closed system; it is driven by an open group of information security practitioners from all areas of the industry, including financial institutions, service providers, and security vendors. What started as a discussion among six founding members quickly grew into a collaborative industry effort.

View Founding Members and Key Contributors

The group includes practitioners from across the cybersecurity landscape:

  • Chris Nickerson, CEO - Lares Consulting

  • Dave Kennedy, CEO - TrustedSec

  • Chris John Riley, IT Security Analyst - Raiffeisen Informatik GmbH

  • Eric Smith, Partner - Lares Consulting

  • Iftach Ian Amit, Director of Services - IOActive

  • Andrew Rabie, Wizard - Avon Products Inc

  • Stefan Friedli, Senior Security Consultant - scip AG

  • Justin Searle, Senior Security Analyst - InGuardians

  • Brandon Knight, Senior Security Consultant

  • Chris Gates, Senior Security Consultant - Lares Consulting

  • Joe McCray, CEO - Strategic Security

  • Carlos Perez, Lead Vulnerability Research Engineer - Tenable Security

  • John Strand, Owner - Black Hills Information Security

  • Steve Tornio, Senior Consultant - Sunera LLC

  • Nick Percoco, Senior Vice President - SpiderLabs at Trustwave

  • Dave Shackelford, Security Consultant, SANS Instructor

  • Val Smith - Attack Research

  • Robin Wood, Senior Security Engineer - RandomStorm

  • Wim Remes, Security Consultant

Can I contribute to the standard?

Yes! The PTES group welcomes insight and down-to-earth opinions from the community. If you have experience to share, you are encouraged to reach out and contribute to the ongoing evolution of the standard.

Next Steps

Ready to dive deeper into the framework?

Technical Guidelines

Explore the companion guide that provides the technical commands, tools, and methodologies for executing the PTES phases.