How-To & Tutorials · May 21, 2026

5 top penetration testing methodologies - IBM

IBM · Archived May 21, 2026


Penetration testing methodologies and standards

The online space continues to grow rapidly, opening more opportunities for cyberattacks to occur within a computer system, network, or web application. To mitigate and prepare for such risks, penetration testing is a necessary step in finding security vulnerabilities that an attacker might use.

What is penetration testing?

A penetration test, or “pen test,” is a security test that is run to mock a cyberattack in action. A cyberattack may include a phishing attempt or a breach of a network security system. There are different types of penetration testing available to an organization depending on the security controls needed. The test can be run manually or with automated tools through the lens of a specific course of action, or pen testing methodology.

Why penetration testing and who is involved?

The terms “ethical hacking” and “penetration testing” are sometimes used interchangeably, but there is a difference. Ethical hacking is a broader cybersecurity field that includes any use of hacking skills to improve network security. Penetration tests are just one of the methods ethical hackers use. Ethical hackers may also provide malware analysis, risk assessment, and other hacking tools and techniques to uncover and fix security weaknesses rather than cause harm.

IBM’s Cost of a Data Breach Report 2023 found the global average cost of a data breach in 2023 to be USD 4.45 million, a 15% increase over 3 years. One way to mitigate these breaches is by performing accurate and pointed penetration testing. Companies hire pen testers to launch simulated attacks against their apps, networks, and other assets. By staging fake attacks, penetration testers help security teams uncover critical security vulnerabilities and improve overall security posture.

These attacks are often performed by red teams, or offensive security teams. The red team simulates a real attacker’s tactics, techniques and procedures (TTPs) against the organization’s own system as a way to assess security risk.

There are several penetration testing methodologies to consider as you get into the pen testing process. The organization’s choice will depend on the category of the target organization, the goal of the pen test and the scope of the security test. There is no one-size-fits-all approach. It requires an organization to understand its security issues and security policy for there to be a fair vulnerability analysis prior to the pen testing process.

5 top penetration testing methodologies

One of the first steps in the pen testing process is deciding on which methodology to follow. Below, we’ll dive into five of the most popular penetration testing frameworks and pen testing methodologies to help guide stakeholders and organizations to the best method for their specific needs and ensure it covers all required areas.

1. Open-Source Security Testing Methodology Manual

Open-Source Security Testing Methodology Manual (OSSTMM) is one of the most popular standards of penetration testing. This methodology is peer-reviewed for security testing and was created by the Institute for Security and Open Methodologies (ISECOM). The method is based on a scientific approach to pen testing with accessible and adaptable guides for testers.

The OSSTMM includes key features, such as an operational focus, channel testing, metrics and trust analysis in its methodology. OSSTMM provides a framework for network penetration testing and vulnerability assessment for pen testing professionals. It is meant to be a framework for providers to find and resolve vulnerabilities, such as sensitive data and issues surrounding authentication.

2. Open Web Application Security Project

OWASP, short for Open Web Application Security Project, is an open-source organization dedicated to web application security. The non-profit organization’s goal is to make all its material free and easily accessible for anyone who wants to improve their own web application security. OWASP has its own Top 10, which is a well-maintained report outlining the biggest security concerns and risks to web applications, such as cross-site scripting, broken authentication and getting behind a firewall. OWASP uses the top 10 list as a basis for its OWASP Testing Guide.

The guide is divided into three parts: OWASP testing framework for web application development, web application testing methodology and reporting. The web application methodology can be used separately or as a part of the web testing framework for web application penetration testing, mobile application penetration testing, API penetration testing, and IoT penetration testing.

3. Penetration Testing Execution Standard

PTES, or Penetration Testing Execution Standard, is a comprehensive penetration testing method. PTES was designed by a team of information security professionals and is made up of seven main sections covering all aspects of pen testing. The purpose of PTES is to have technical guidelines to outline what organizations should expect from a penetration test and guide them throughout the process, starting at the pre-engagement stage. The PTES aims to be the baseline for penetration tests and provide a standardized methodology for security professionals and organizations.

The guide provides a range of resources, such as best practices in each stage of the penetration testing process, from start to finish. Some key features of PTES are exploitation and post exploitation. Exploitation refers to the process of gaining access to a system through penetration techniques such as social engineering and password cracking. Post exploitation is when data is extracted from a compromised system and access is maintained.

4. Information System Security Assessment Framework

Information System Security Assessment Framework (ISSAF) is a pen testing framework supported by the Information Systems Security Group (OISSG). This methodology is no longer maintained and is likely not the best source for the most up-to-date information. However, one of its main strengths is that it links individual pen testing steps with specific pen testing tools. This type of format can be a good foundation for creating an individualized methodology.

5. National Institute of Standards and Technology

NIST, short for the National Institute of Standards and Technology, is a cybersecurity framework that provides a set of pen testing standards for the federal government and outside organizations to follow. NIST is an agency within the U.S. Department of Commerce and should be considered the minimum standard to follow. NIST penetration testing aligns with the guidance sent by NIST. To comply with such guidance, organizations must perform penetration tests following the pre-determined set of guidelines.

Pen testing stages

Set a scope

Before a pen test begins, the testing team and the company set a scope for the test. The scope outlines which systems will be tested, when the testing will happen, and the methods pen testers can use. The scope also determines how much information the pen testers will have ahead of time.

Start the test

The next step would be to test the scoping plan and assess vulnerabilities and functionality.
In this step, network and vulnerability scanning can be done to get a better understanding of the organization’s infrastructure. Internal testing and external testing can be done depending on the organization’s needs. There are a variety of tests the pen testers can do, including a black-box test, white-box test, and gray-box test. Each provides varying degrees of information about the target system. Once an overview of the network is established, testers can start analyzing the system and applications within the scope given. In this step, pen testers are gathering as much information as possible to understand any misconfigurations.

Report on findings

The final step is to report and debrief. In this step, it is important to develop a penetration testing report with all the findings from the pen test outlining the vulnerabilities identified. The report should include a plan for mitigation and the potential risks if remediation does not occur.

Pen testing and IBM

If you try to test everything, you’ll waste your time, budget and resources. By using a communication and collaboration platform with historical data, you can centralize, manage, and prioritize high-risk networks, applications, devices, and other assets to optimize your security testing program. The X-Force® Red Portal enables everyone involved in remediation to view test findings immediately after vulnerabilities are uncovered and schedule security tests at their convenience.

Author: Teaganne Finn, Staff Writer, IBM Think
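
The scope described under "Set a scope" (which systems, when, and which methods) can be enforced in tooling before any test action runs. The following is an added example, not part of the IBM article; the `Scope` fields, method names, address ranges and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Scope:
    in_scope: tuple        # CIDR ranges the client agreed to have tested
    excluded: tuple        # carve-outs inside those ranges (e.g. fragile hosts)
    window_start: datetime
    window_end: datetime
    methods: frozenset     # methods the testers are permitted to use


def check(scope, target, method, when):
    """Return (allowed, reason) for one planned action; refuse when unsure."""
    try:
        addr = ip_address(target)
    except ValueError:
        return False, "not a literal IP address; resolve and re-check"
    if when.tzinfo is None:
        return False, "timestamp must be timezone-aware"
    if not any(addr in ip_network(n) for n in scope.in_scope):
        return False, "target outside agreed ranges"
    if any(addr in ip_network(n) for n in scope.excluded):
        return False, "target explicitly excluded"
    if not scope.window_start <= when <= scope.window_end:
        return False, "outside testing window"
    if method not in scope.methods:
        return False, "method not permitted"
    return True, "in scope"


def split_plan(scope, plan, when):
    """Partition planned (target, method) pairs into allowed and refused."""
    allowed, refused = [], []
    for target, method in plan:
        ok, reason = check(scope, target, method, when)
        (allowed if ok else refused).append((target, method, reason))
    return allowed, refused


# Constructed sample scope (documentation address ranges, hypothetical dates).
UTC = timezone.utc
SAMPLE_SCOPE = Scope(
    in_scope=("192.0.2.0/24", "198.51.100.0/25"),
    excluded=("192.0.2.192/26",),
    window_start=datetime(2026, 6, 1, 22, 0, tzinfo=UTC),
    window_end=datetime(2026, 6, 2, 4, 0, tzinfo=UTC),
    methods=frozenset({"network-scan", "vulnerability-scan"}),
)
```

Keeping the refused entries together with their reasons gives the report stage a record of what was deliberately left untested and why.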