Getting Started Understanding Organizational Structure

The Penetration Testing Execution Standard (PTES) provides a common language and scope for performing security evaluations. This page outlines how the standard is structured, the core phases of a PTES-compliant engagement, and the community-driven governance model that maintains it.

Who is this for? PTES serves two main communities: businesses (enabling them to demand a specific baseline of quality work) and service providers (providing a clear baseline for necessary testing activities, scoping, and deliverables).

The 7 Phases of Execution

The core of the standard consists of seven main sections. These cover the entire lifecycle of a penetration test, from the initial communication to the final deliverable.

flowchart TD
    A["Pre-engagement Interactions"] --> B["Intelligence Gathering"]
    B --> C["Threat Modeling"]
    C --> D["Vulnerability Analysis"]
    D --> E["Exploitation"]
    E --> F["Post Exploitation"]
    F --> G["Reporting"]

Each phase is designed to ensure a comprehensive and valuable security assessment:

PhaseFocus AreaDescription
1. Pre-engagementScoping & LogisticsThe initial communication, scoping, and reasoning behind the penetration test.
2. Intelligence GatheringReconnaissanceWorking behind the scenes to gain a deep understanding of the target organization.
3. Threat ModelingRisk IdentificationMapping out potential threats based on the intelligence gathered.
4. Vulnerability AnalysisFlaw DiscoveryIdentifying and researching potential security weaknesses.
5. ExploitationTechnical ExecutionApplying technical security expertise to actively exploit discovered vulnerabilities.
6. Post ExploitationBusiness ImpactDemonstrating the actual business risk and impact of a successful breach.
7. ReportingDeliverablesCapturing the entire process in a way that makes sense to the customer and provides actionable value.

As no two penetration tests are identical, the standard is designed to accommodate different levels of intensity. This allows organizations to define how much sophistication they expect from an adversary, and enables testers to scale their efforts based on the organization's specific threat landscape.

Governance and Community

PTES was born in early 2009 following a discussion among industry professionals about the varying quality of penetration testing.

The standard is not controlled by a single corporate entity. Instead, it is governed and maintained by a diverse group of information security practitioners spanning financial institutions, service providers, and security vendors.

While the initiative started with about six founding members (including practitioners from Lares Consulting, TrustedSec, IOActive, and others), it quickly grew. The governance model remains open—the community actively welcomes new insights, down-to-earth opinions, and contributions from industry professionals.

Technical Guidelines

The core PTES standard focuses on what needs to be done and why, rather than the exact technical commands to run. Because tools and techniques evolve rapidly, the technical "how-to" is maintained as a separate, companion resource.

PTES Technical Guidelines

Access the companion guide containing specific tools, commands, and technical methodologies for executing a PTES-compliant penetration test.

Frequently Asked Questions

Is this a formal standard?

Yes. The goal is to create an actual standard so businesses have a reliable baseline of what is required when they commission a penetration test. The lack of standardization historically hurt the industry by allowing low-quality work to pass as penetration testing. PTES provides practitioners with the guidance needed to deliver quality service.

Does the standard cover all possible pentest scenarios?

While it is impossible to cover every edge case, the standard defines a strict baseline for the minimum requirements of a basic pentest. It also includes several "levels" on top of that baseline to accommodate more comprehensive activities required by organizations with higher security needs.

Does PTES standardize reporting?

Yes. Providing a standard for the execution of a test without defining the deliverable would be incomplete. PTES defines both executive (business) reporting and technical reporting as integrated parts of the standard.

Can I join or contribute to the standard?

Absolutely. PTES is an open group. If you have down-to-earth opinions and want to contribute to the ongoing development of the standard, you are encouraged to reach out and participate.