The Penetration Testing Execution Standard (PTES) provides a common language and scope for performing security evaluations. This page outlines the core goals, target audience, and the organizational structure behind the framework.
Core Goals and Philosophy
Started in 2009 by a group of information security practitioners, the PTES framework was created to address the lack of standardization in the penetration testing industry. Without a standard, businesses often receive low-quality assessments, and security practitioners lack clear guidance on what constitutes a quality service.
The framework aims to solve this by establishing:
A Minimum Baseline: Defining the absolute minimum requirements for a basic penetration test.
Scalable Intensity Levels: Providing "levels" on top of the baseline for organizations with higher security needs (ranging from standard web application tests to full-scale red team engagements).
Standardized Reporting: Defining clear expectations for both executive (business) and technical reporting, ensuring the final deliverable provides actionable value.
The core PTES standard focuses on what needs to be done during an engagement, rather than how to do it. A companion PTES Technical Guidelines document is maintained separately to provide the specific technical execution details.
Target Audience
The standard is designed to bridge the gap between those who need security services and those who provide them.
| Audience | Benefits & Goals |
|---|---|
| Businesses | Enables organizations to demand a specific, measurable baseline of quality and scope when purchasing a penetration test. |
| Service Providers | Provides a structured baseline for required activities, ensuring nothing is missed from initial scoping through to final deliverables. |
The 7 Phases of PTES
The framework organizes the lifecycle of a penetration test into seven distinct phases. This structure ensures a logical progression from initial planning to the final report.
flowchart TD
A[Pre-engagement Interactions] --> B[Intelligence Gathering]
B --> C[Threat Modeling]
C --> D[Vulnerability Analysis]
D --> E[Exploitation]
E --> F[Post Exploitation]
F --> G[Reporting]- 1
Pre-engagement Interactions
The initial communication phase where testers and the organization define the scope, goals, and reasoning behind the penetration test.
- 2
Intelligence Gathering
Testers work behind the scenes to collect information and gain a better understanding of the target organization's footprint.
- 3
Threat Modeling
Using the gathered intelligence to identify potential threats and model how an attacker might approach the target.
- 4
Vulnerability Analysis
Actively identifying flaws and weaknesses in the target's systems, applications, or networks.
- 5
Exploitation
Applying technical security expertise to exploit the identified vulnerabilities and gain unauthorized access.
- 6
Post Exploitation
Determining the value of the compromised systems, maintaining access, and combining technical findings with business context.
- 7
Reporting
Capturing the entire process in a comprehensive document that makes sense to the customer and provides actionable remediation steps.
Governance and Contributors
PTES is not a closed system; it is driven by an open group of information security practitioners from all areas of the industry, including financial institutions, service providers, and security vendors. What started as a discussion among six founding members quickly grew into a collaborative industry effort.
View Founding Members and Key Contributors
The group includes practitioners from across the cybersecurity landscape:
Chris Nickerson, CEO - Lares Consulting
Dave Kennedy, CEO - TrustedSec
Chris John Riley, IT Security Analyst - Raiffeisen Informatik GmbH
Eric Smith, Partner - Lares Consulting
Iftach Ian Amit, Director of Services - IOActive
Andrew Rabie, Wizard - Avon Products Inc
Stefan Friedli, Senior Security Consultant - scip AG
Justin Searle, Senior Security Analyst - InGuardians
Brandon Knight, Senior Security Consultant
Chris Gates, Senior Security Consultant - Lares Consulting
Joe McCray, CEO - Strategic Security
Carlos Perez, Lead Vulnerability Research Engineer - Tenable Security
John Strand, Owner - Black Hills Information Security
Steve Tornio, Senior Consultant - Sunera LLC
Nick Percoco, Senior Vice President - SpiderLabs at Trustwave
Dave Shackelford, Security Consultant, SANS Instructor
Val Smith - Attack Research
Robin Wood, Senior Security Engineer - RandomStorm
Wim Remes, Security Consultant
Can I contribute to the standard?
Yes! The PTES group welcomes insight and down-to-earth opinions from the community. If you have experience to share, you are encouraged to reach out and contribute to the ongoing evolution of the standard.
Next Steps
Ready to dive deeper into the framework?
