PTES is a seven-phase methodology that codifies the lifecycle of a real-world penetration test. CyberFortify uses PTES as the structural backbone of every offensive engagement, augmented with framework-specific overlays (OWASP Top 10 for web, MITRE ATT&CK for adversary simulation).
// 01 What PTES actually is
A seven-phase methodology for the execution of a penetration test, originally drafted by senior offensive security practitioners as a vendor-neutral baseline. PTES is community-maintained, freely available, and aligned with NIST SP 800-115.
It is not a checklist. It is a lifecycle model - the structural backbone that ensures a pen test is reproducible, audit-defensible and consistent across customer engagements.
Most modern offensive security companies, including CyberFortify, use PTES as the foundation and overlay framework-specific testing standards on top: OWASP Top 10 and ASVS for web, OWASP MASVS for mobile, OWASP API Security Top 10 for APIs, MITRE ATT&CK for adversary simulation. PTES gives the engagement its shape; the overlay frameworks give it depth.
// 02 The seven PTES phases
Pre-engagement interactions
Scope, rules of engagement, in-scope and out-of-scope assets, test windows, emergency contacts, payment, NDA, authorisation letter. Half of every engagement's value is decided here.
AuthorisationIntelligence gathering
OSINT, infrastructure enumeration, certificate transparency, subdomain discovery, breached-credential corpora, GitHub leaks, employee profiling. Both passive and active.
ReconThreat modelling
Translate the gathered intelligence into a prioritised list of likely attacker objectives and the assets that protect them. STRIDE, attack trees, ATT&CK overlays.
PrioritisationVulnerability analysis
Manual identification combined with carefully tuned automation. False-positive elimination is deliberate, not implied.
Hand-validatedExploitation
Confirmed weaknesses exploited under controlled conditions. Critical findings reported within 24 hours of validation.
ControlledPost-exploitation
Privilege escalation, lateral movement, persistence and exfiltration validation - demonstrating real impact rather than speculative risk.
Real impactReporting
Executive summary, technical findings (CVSS-scored), remediation playbook, compliance evidence pack - followed by a free remediation retest.
Audit-ready// 03 How CyberFortify operationalises PTES
PTES alone does not produce a great pen test. The methodology must be paired with senior tester judgement, strong tradecraft and an operating culture that treats reporting as a first-class deliverable rather than a paperwork tax. Three principles distinguish how CyberFortify executes PTES:
Manual primary, automation supporting
Tools like Burp Pro, Caido, BloodHound, sqlmap and CrackMapExec are used selectively to amplify human judgement - never as a substitute. Every finding is hand-validated.
Lifecycle continuity
Findings flow through PTES phases without re-discovery. Intelligence gathered in phase 2 informs threat modelling in phase 3 and exploitation in phase 5 - nothing is dropped on the floor.
Reporting as deliverable
Phase 7 is half the engagement, not the leftover. Reports are written for three audiences: leadership, engineering and audit - with cross-references that satisfy each.
// 04 Frequently asked questions
Is PTES required by any compliance framework?
Not directly. However, PCI DSS Requirement 11.4 explicitly requires "industry-accepted methodologies" and PTES is universally recognised as one. ISO 27001 Annex A.8.29 and SOC 2 CC7.1 also expect documented methodology adherence.
How is PTES different from OWASP testing guides?
PTES is a lifecycle methodology covering the entire engagement; OWASP Top 10 and ASVS are application-specific risk taxonomies and verification frameworks. CyberFortify uses PTES as the lifecycle backbone and OWASP standards as the depth overlay for application engagements.
Does CyberFortify follow NIST SP 800-115 too?
Yes - PTES and NIST SP 800-115 are largely aligned. CyberFortify reports include 800-115 references for federal-adjacent customers (CMMC, FedRAMP) where 800-115 is the explicitly required methodology reference.