Defining Penetration Testing

I have been fortunate enough to be working with a group of peers from the security industry over the past few months (since November 2010) on finally creating a solid definition of what a penetration testing is.

It has been a topic that has been abused, cannibalized, and lowered to a level where we (as in people in the industry) could not relate to it anymore. It was time to get the fake stuff out, and focus on content. We were all getting tired of “penetration tests” that were nothing more than a Nessus scan printed out and slapped on with the “security consultancy” logo.

Enter – the Penetration Testing Execution Standard.

This is our attempt to define what a penetration test should include – both from the tester side (vendors) as well as from the client side (the business/organization being tested).

It is the fruit of a huge collaborative effort from people who I consider to be some of the best in the industry. Getting together people who on their day-jobs often compete with each other, and come from different areas of the industry, all together and working on something as big as this has been a humbling experience. For that – you guys all ROCK!

Onwards to the content – remember that this is pre-alpha, and is aimed mainly to get feedback from everyone. A lot of branches do not appear in their full glory there, and some will surely not make it to the final edition. We welcome everyone to take a close look at this, contribute, criticize, assist, comment and generally get involved. Some of you may have been watching this and thinking we are holding back – could not have been further from the truth… In order to get to something as big as this we had to cap the number of participants in this revision in order to keep things somewhat organized, so this is a chance to get back in and offer your assistance – we promise to keep this as open as possible.

This is really exciting – for me at least. Hope some of you will be able to share this enthusiasm and weed out the industry from the bad form we got into.


5 responses to “Defining Penetration Testing”

  1. Nikhil Mittal Avatar
    Nikhil Mittal

    Great Initiative.. Finally a standard for pen test. Till now, everything we do (or not do) is part of Penetration test. Definitely will improve the quality of services we provide to clients.
    BTW, I cannot find a way on the Wiki page to contribute to it, is it closed to restricted persons right now? Do I need to mail someone to get access?

    1. Nikhil,

      Thanks for the feedback. Regarding contributing – just catch one of the people listed on the FAQ page. We are arranging contributor account access over the weekend, and we should be able to process all contribution requests during the week.

  2. Just catching up with this… looks really nice….

    Is there a mailing list for this project to keep up to date with developments and discussions?

    1. Everything on PTES will be published on the official website at
      We do have a mailing list but it is internal and used in the discussions surrounding the development of the standard.

  3. […] these days is mandatory, but this post actually has a good reason to do so. If you look back just one post in the past, we were discussing the new initiative to define “Penetration Testing”. The post, and […]

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.