The Penetration Testing Execution Standard (PTES) is a framework that defines the phases, methodologies, and practices for conducting thorough and consistent penetration tests.
Developed by leading penetration testing professionals, PTES provides guidance in a standardised format that helps both penetration testing teams conducting tests, and organisations commissioning them, to understand what a complete penetration test should encompass. The framework addresses not just the technical testing activities but also pre-engagement interactions, scoping, rules of engagement, reporting, and post-engagement activities to ensure that penetration tests are professionally executed.
PTES divides the penetration testing process into seven distinct phases:
- Pre-engagement Interactions (defining scope, rules of engagement, and objectives)
- Intelligence Gathering (collecting information about the target)
- Threat Modelling (identifying and prioritising potential attack vectors)
- Vulnerability Analysis (discovering and validating vulnerabilities)
- Exploitation (attempting to exploit vulnerabilities to demonstrate impact)
- Post Exploitation (determining the value of compromised systems and maintaining access – if authorised)
- Reporting (documenting findings, evidence, and recommendations)
Each phase includes detailed technical guidelines covering specific methodologies, tools, and techniques appropriate for different testing scenarios.