Framework B.03 · Penetration Testing Execution Standard

PTES - the seven-phase methodology behind every CyberFortify engagement.

The Penetration Testing Execution Standard (PTES) is the most widely adopted vendor-neutral methodology for offensive security engagements. CyberFortify's web, network and cloud penetration testing services are grounded in PTES - producing reproducible, audit-defensible engagements that consistently deliver value across customer maturity levels.

Phases: 7 Maintainer: Open community Used in: Most pen testing methodologies
7
Phases
100%
Manual exploitation
NIST
SP 800-115 aligned
OPEN
Vendor-neutral
PTES Phases: 1. Pre-engagement · 2. Intelligence Gathering · 3. Threat Modelling · 4. Vulnerability Analysis · 5. Exploitation · 6. Post-Exploitation · 7. Reporting PTES Phases: 1. Pre-engagement · 2. Intelligence Gathering · 3. Threat Modelling · 4. Vulnerability Analysis · 5. Exploitation · 6. Post-Exploitation · 7. Reporting
// Executive summary

PTES is a seven-phase methodology that codifies the lifecycle of a real-world penetration test. CyberFortify uses PTES as the structural backbone of every offensive engagement, augmented with framework-specific overlays (OWASP Top 10 for web, MITRE ATT&CK for adversary simulation).

// 01 What PTES actually is

// DefinitionPTES

A seven-phase methodology for the execution of a penetration test, originally drafted by senior offensive security practitioners as a vendor-neutral baseline. PTES is community-maintained, freely available, and aligned with NIST SP 800-115.

It is not a checklist. It is a lifecycle model - the structural backbone that ensures a pen test is reproducible, audit-defensible and consistent across customer engagements.

Most modern offensive security companies, including CyberFortify, use PTES as the foundation and overlay framework-specific testing standards on top: OWASP Top 10 and ASVS for web, OWASP MASVS for mobile, OWASP API Security Top 10 for APIs, MITRE ATT&CK for adversary simulation. PTES gives the engagement its shape; the overlay frameworks give it depth.

// 02 The seven PTES phases

01

Pre-engagement interactions

Scope, rules of engagement, in-scope and out-of-scope assets, test windows, emergency contacts, payment, NDA, authorisation letter. Half of every engagement's value is decided here.

Authorisation
02

Intelligence gathering

OSINT, infrastructure enumeration, certificate transparency, subdomain discovery, breached-credential corpora, GitHub leaks, employee profiling. Both passive and active.

Recon
03

Threat modelling

Translate the gathered intelligence into a prioritised list of likely attacker objectives and the assets that protect them. STRIDE, attack trees, ATT&CK overlays.

Prioritisation
04

Vulnerability analysis

Manual identification combined with carefully tuned automation. False-positive elimination is deliberate, not implied.

Hand-validated
05

Exploitation

Confirmed weaknesses exploited under controlled conditions. Critical findings reported within 24 hours of validation.

Controlled
06

Post-exploitation

Privilege escalation, lateral movement, persistence and exfiltration validation - demonstrating real impact rather than speculative risk.

Real impact
07

Reporting

Executive summary, technical findings (CVSS-scored), remediation playbook, compliance evidence pack - followed by a free remediation retest.

Audit-ready

// 03 How CyberFortify operationalises PTES

PTES alone does not produce a great pen test. The methodology must be paired with senior tester judgement, strong tradecraft and an operating culture that treats reporting as a first-class deliverable rather than a paperwork tax. Three principles distinguish how CyberFortify executes PTES:

M

Manual primary, automation supporting

Tools like Burp Pro, Caido, BloodHound, sqlmap and CrackMapExec are used selectively to amplify human judgement - never as a substitute. Every finding is hand-validated.

L

Lifecycle continuity

Findings flow through PTES phases without re-discovery. Intelligence gathered in phase 2 informs threat modelling in phase 3 and exploitation in phase 5 - nothing is dropped on the floor.

R

Reporting as deliverable

Phase 7 is half the engagement, not the leftover. Reports are written for three audiences: leadership, engineering and audit - with cross-references that satisfy each.

// 04 Frequently asked questions

Is PTES required by any compliance framework?

Not directly. However, PCI DSS Requirement 11.4 explicitly requires "industry-accepted methodologies" and PTES is universally recognised as one. ISO 27001 Annex A.8.29 and SOC 2 CC7.1 also expect documented methodology adherence.

How is PTES different from OWASP testing guides?

PTES is a lifecycle methodology covering the entire engagement; OWASP Top 10 and ASVS are application-specific risk taxonomies and verification frameworks. CyberFortify uses PTES as the lifecycle backbone and OWASP standards as the depth overlay for application engagements.

Does CyberFortify follow NIST SP 800-115 too?

Yes - PTES and NIST SP 800-115 are largely aligned. CyberFortify reports include 800-115 references for federal-adjacent customers (CMMC, FedRAMP) where 800-115 is the explicitly required methodology reference.

Ready for a PTES-aligned penetration test?

Schedule a 30-minute scoping call. CyberFortify's offensive security team will recommend the right service and quote a fixed-price engagement - usually within 48 hours.

Schedule scoping call → Back to CyberFortify home →