A penetration testing methodology is the manner in which a penetration test is organized and executed. Penetration testing methodologies help to methodically identify security vulnerabilities in an organization. Think of this type of testing as your live-fire exercise for a cyberattack.

These methodologies outline the process a company may take to discover those vulnerabilities across its critical IT assets, offerings, and processes. While companies can use their own custom processes, there are many readily established, industry-recognized methodologies that can be a great starting point for organizations. Some organizations use these developed methods as an “out of the box” solution, while others use them as a baseline to build on.

The top four penetration testing methodologies that are industry-recognized and respected are:

  • OSSTMM
  • OWASP
  • NIST
  • PTES


What Is OSSTMM?

The Open Source Security Testing Methodology Manual, or OSSTMM, is one of the most recognizable penetration testing methodologies in the industry. It is a peer-reviewed methodology maintained by the Institute for Security and Open Methodologies (ISECOM). OSSTMM allows companies to tailor their penetration tests to their specific needs while giving developers access to more secure portions of their environment for development. OSSTMM contains checks to ensure adherence to regulations and laws. With a combination of technical direction, customizability for several environments, and broad support for several organization types, OSSTMM is a universal go-to among penetration testing methodologies.

What Is OWASP?

OWASP, or Open Web Application Security Project, is a set of standards and guidelines for the security of web applications, and is often the starting point for IT personnel when initially venturing into the realm of penetration testing. OWASP provides several resources on its own to improve the security posture of both internal and external web applications by providing companies with a comprehensive list of vulnerability categories for web applications, as well as ways to mitigate or remediate them.

What Is PTES?

PTES is the Penetration Testing Execution Standard, and provides a high-level overview of a penetration test, consisting of the following seven steps:

  • Pre-engagement Interactions
  • Intelligence Gathering
  • Threat Modeling
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting

What Is NIST?

NIST stands for the National Institute of Standards and Technology. Generally speaking, NIST is more of a security framework than a penetration testing methodology. NIST provides companies with baseline standards for configuring technologies and stacks within their environment, which can be applied to penetration testing. In relation to penetration testing, NIST Special Publication 800-115 contains standards and best practices for conducting an internal security assessment.

Why Are Penetration Methodologies Important?

Penetration testing methodologies are a great way for companies to implement regular security assessments into their organization. Following the established methodologies described above allows for an easier implementation at companies where knowledge and experience with penetration tests may be limited, or where existing infrastructure within a company has made penetration testing difficult in the past. As with any solution to security threats, care should be taken to ensure that the methodology used fits the needs of the organization without adding unnecessary work for developers and other personnel.

The four methodologies referenced above have been sufficiently tested and refined to be broadly applicable to most organizations. While there is occasionally a need for newly designed methodologies in companies with niche or esoteric software necessities, the creation of an independent methodology should be used as a last resort so as to avoid unnecessary research and work for IT personnel.

Caution should be taken when it comes to selecting a framework for penetration testing. While each of these frameworks can provide structure and organization to daily technological operations, if implemented poorly, they can use up too much time and effort, creating an unnecessary workload for what should be a simple process. To avoid this, BrillianSe Group urges companies not to regard penetration testing as a standard project with daily standups and updates. Flexibility within these methodologies is fundamental to success within implementation, as each organization will have individual and independent needs surrounding these tests.

Feedback from security assessments allows an organization to change and adapt according to results. Reports should never contain the same information twice, as an organization should update its security posture following every completed assessment. Penetration testing is no exception. When followed flexibly and updated regularly, penetration testing methodologies work for those who use them and bring simplicity and success to an organization’s process of cybersecurity assessment.
