NaviSec Penetration Testing Methodology – Penetration Testing Execution Standard (PTES)

As more and more organizations began employing penetration testing methodologies to sustain a secure cyber domain, there was a need for a proper framework to guide pentesters. A well-defined standard helps prevent chaos and confusion for both testers and the relevant entities undergoing pen-testing. Exemplar standards like the penetration testing execution standard (PTES) can come as an aid to avoid such situations.

What do you mean by the penetration testing execution standard?

The PTES denotes a culmination of seven key phases that elaborate the necessary procedures to complete a penetration test. This standard results from eminent cybersecurity experts’ efforts to help pentesters across the world carry out successful penetration testing projects. The standard also assists different organizations in understanding the nitty-gritty of penetration testing and the expected process that one must follow in any testing engagement.

Prior to that, there was an absence of a suitable benchmark to help professional pentesters to carry out proper penetration testing. But, when PTES came into being in 2009, it proved pretty revolutionary. Many testers and ethical hackers have come to regard this standard as a constructive guide to maintaining coherence in the penetration testing domain. Thus, cybersecurity mavens like NaviSec utilize PTES as a baseline to create world-class pentesting strategies and ensure a robust virtual environment for various entities.

One can call the current edition of PTES as v1.0. A more elaborate and upgraded version, v2.0, is in the pipeline and will come into the public domain for usage soon. It shall come with appropriate guidelines for pentesters to determine the intensity or “levels” of pentesting as per a given entity’s security needs.

A glimpse of the seven stages of PTES

Stage-1 Pre-engagement interactions
Stage-2 Intelligence Gathering
Stage-3 Threat Modeling
Stage-4 Vulnerability Analysis
Stage-5 Exploitation
Stage-6 Post Exploitation
Stage-7 Reporting 
Let us proceed with a closer look at each of the stages that should form part of a penetration testing project as per PTES.

The pre-engagement interactions stage

As per PTES, testers can lay grounds for successful pentesting with comprehensive pre-engagement interactions. This stage can act as crucial to sustaining a solid alliance between pentesters and their client organization. Prior to the official agreement for any pentesting arrangement, the pre-engagement interactions should comprise the following aspects:

  • Setting the goals of the penetration testing

    Often many testers overlook the relevance of proper planning and preparation to ensure a fitting implementation of a pentesting mission. You cannot move forward with the penetration testing arrangement without understanding the aim. Every entity has some unique set of targets that it wants to attain by employing pentesting. Both the client entity and the tester should duly specify the objective of the penetration testing. The PTES recommends categorizing the testing goals into two according to their priorities- primary goals and secondary goals. Primary goals are those focus elements directly associated with fulfilling the client’s cybersecurity needs. On the flip side, secondary goals must emphasize maintaining legal compliance.

  • Determining the scope of work

    Unambiguous drafting of the scope of penetration testing can ensure efficiency and clarity. It can also assist in preventing legal issues, scope creep, and client dissatisfaction. The scope of work outlines what has to be tested. Further, it mainly talks about the methods of penetration testing the given client wants to utilize, the expectations, testing duration, along with the range of the proposed testing. Testers can use the general questionnaire that PTES provides to frame the scope of work. The questionnaire covers questions regarding different types of penetration testing. It even comprises questions for the client entity’s system administrators and business unit managers.

  • Preparation of the engagement rules

    Once you decide the goals and scope of the pentesting arrangement, the rules of engagement document are prepared between the client and the pentesters. The rules explicitly state the “do’s and don’t” of the testing engagement. It mentions the resources that are out of bounds for the testing team and the limits of any possible.

The intelligence-gathering stage

Intelligence gathering or the reconnaissance stage involves compiling necessary details for pentesting as available in the public domain. The testers must collect all the information after performing an adequate search in line with the terms of the engagement. The Open-source intelligence gathering”process lists out three levels of intelligence gathering-

First level: This information collection phase is the primary one that is usually just driven to maintain compliance. It is easily automatable as it involves assimilating the most elementary details about the client entity’s cybersecurity posture.

Second level: Testers use this reconnaissance level to know about the best practices that the client follows over and above minimal compliance needs. It involves more in-depth scrutiny of the entity’s security.

Third level: involves extensive uncurtaining information about the varied operational intricacies that need more profound research and investigation. This process of intelligence gathering is generally state-sponsored.

The threat modeling stage

This section of PTES recommends that pentesters develop a suitable model to represent the probable threats to the critical assets of the client entity and the means available to them to assault such support during the testing process. Testers can use this prepared model to carry out different testing maneuvers in the future. At this stage, the penetration testing team should utilize the information accumulated in the reconnaissance stage in line with the terms agreed upon during the pre-engagement interactions.
The process of threat modeling covers the following four steps:

  • Collection of necessary documents
  • Identification and categorization of assets into primary and secondary categories
  • Identification and categorization of threats and the relevant threat communities
  • Mapping the threat communities to the identified assets

Testers can complete the threat modeling process with various high-level tools that can help spot targets and correspondingly map them to attacking vectors. The high-level modeling tools concentrate on both the business assets and business processes. Thus, it allows for determining the assets of interest to target and the appropriate way to attack these assets. While unearthing and categorizing the threat communities, you should analyze and classify them into relevant criteria like internal and external threats. Once you have identified the vulnerable assets and most probable threats, you can move on to the next stage.

The vulnerability analysis stage

Under the vulnerability analysis stage, the testers detect defects in the cybersecurity posture of the client entity, which the exploiters can use. The pentesters employ the information gathered in the previous intelligence-gathering stage to evaluate the weak zones. PTES has listed two modes for vulnerability analysis.

Passive analysis

The testers have to put in little effort to carry out the passive form of vulnerability analysis. It is almost wholly computerized. Traffic monitoring and metadata analysis fall under this mode of vulnerability evaluation.

Active analysis

While using the active mode for vulnerability detection, the pentesters showcase direct interaction with security components and conduct a detailed evaluation. The active vulnerability analysis method includes components like automated scanners, general application scanners, directory listing, voice network scanners, and service-based vulnerability scanners.

The exploitation stage

The exploitation stage is where the real action begins. In this stage, the pentesting team starts with the process of gaining access by surpassing the cybersecurity barriers. The testers wield the data amassed in the preceding steps to initiate one or more strikes. They must pick out the high-worth targets and unveil the significant access avenues. Exploiters should try to stay undetected throughout the attack. They should have the required speed, depth, and coverage to unmask all loopholes in the security posture. Thus, testers can strategize their onslaughts using the following pointers:

  • The extent of penetration- The testers must pre-determine the depth up to which he wants to trespass into the security infrastructure.
  • The pace of infiltration- The testing team should retain a sustainable and effective speed throughout the attack for a practical pentesting project.
  • Coverage of the exploitation- Pentesters need to decide on the total range of the exploitation beforehand to ensure a more straightforward implementation of the testing process.

If pentesters adhere to these guiding points, they can ensure a more successful exploitation endeavor and get increased clarity about the state of the client’s security system.

The post-exploitation stage

Once the pentesting team has garnered access during the exploitation phase, it is time for some real ambush. The testers must try to gauge the extent of siege that they can carry out. PTES has specified the below-mentioned tactics for this stage:

  • Estimate the worth and functionalities of the business resources exploited
  • Seek opportunities for more exploitations
  • Ensure continual monitoring of resources under control
  • Prevent cognizance of the attacking team during the exit phase

It is best to carry out the entire stage as per the expectations specified in the rules of engagement. The findings from the testing team are finally passed on to the client in the next stage.

The reporting stage

Reporting is the penultimate task for the pentesting team before concluding their penetration testing arrangement. It involves documenting all procedures involved in the various phases of pentesting. The final report prepared should consist of elements related to the different categories of risks, risk ranking, the status of security posture, and corrective course of action.

The penetration testing execution standard has acted as a guiding compass for pentesters globally. We have discussed each of the interconnected stages for the implementation of penetration testing. Eminent pentesters like NaviSec have employed the guiding points available with PTES to give life to productive penetration tests.


NaviSec’s penetration testing services can help you develop an enduring cybersecurity framework for your entity!

NaviSec is a reputed name with the skills and experience to undertake multiple penetration testing missions for various organizations. We believe in invigorating your defense strategies against many destructive attempts from adversaries. We can be your trusted partners in your journey to create a cutting-edge cybersecurity posture. Join us for a free call today!

Urgent Contact