Penetration Testing Methodology: The Complete Guide for Buyers and Testers

#The methodology questions I ask every pentest firm before hiring them

Most pentest RFPs arrive with a boilerplate scope and no methodology requirement. The buyer doesn't know what to ask. The vendor sends back a standard statement of work full of checklists and certifications. The engagement runs. A report arrives. The buyer has no way to tell whether the test was rigorous, theatrical, or somewhere in between.

Methodology is the single most important factor in whether a penetration test produces real security value. A competent firm running a formal methodology finds things no scanner catches. A sloppy firm running "whatever comes to mind" produces a glorified vulnerability scan with a cover page. Same price. Different output. Buyer usually can't tell the difference until the next pentest, or worse, until the real breach happens.

This post is the complete penetration testing methodology guide. What formal methodologies exist. How they differ. What a real pentest actually tests. How to evaluate a pentest firm's methodology before signing. And what our own methodology looks like.

#Who this is for

• CISOs and security leaders evaluating pentest firms
• Compliance officers managing PCI / HIPAA / SOC 2 / CMMC pentest requirements
• Engineering leaders sponsoring pentest programs
• Startup founders buying their first pentest
• Security professionals transitioning into offensive work

#The formal methodologies that matter

Four recognized methodologies cover the legitimate pentest market. Anyone selling a pentest should be following one, preferably more.

#PTES (Penetration Testing Execution Standard)

The most widely-cited formal pentest methodology. Open, maintained by the community, technically detailed. Seven phases:

1. Pre-engagement interactions (scope, authorization, rules of engagement)
2. Intelligence gathering (passive + active reconnaissance)
3. Threat modeling (which attackers, which goals, which paths)
4. Vulnerability analysis (scanning, manual review)
5. Exploitation (proof that findings are exploitable)
6. Post-exploitation (what an attacker would do after gaining access)
7. Reporting (findings, business impact, remediation)

PTES is the skeleton most mature pentest firms actually use, whether or not they cite it explicitly.

#OWASP Testing Guide

Web application and API focused. Comprehensive coverage of injection classes, authentication issues, authorization flaws, session management, business logic, cryptographic weaknesses.

OWASP Top 10 is the summary output most people know. The Testing Guide itself is a 400-page document covering how to test each Top 10 category and dozens of additional concerns.

Best for: web application and API pentests specifically.

#NIST SP 800-115 (Technical Guide to Information Security Testing)

US government standard. Less prescriptive than PTES. Covers:

• Technical assessment planning
• Vulnerability scanning
• Penetration testing
• Social engineering testing
• Password cracking
• Log review
• File integrity checking
• Phishing simulation

Federal agencies + many regulated industries reference NIST 800-115 as their testing authority.

#MITRE ATT&CK framework

Not a methodology per se. A framework that catalogs known adversary tactics, techniques, and procedures. Pentest firms increasingly align their testing to ATT&CK to produce reports that map findings to real-world attack patterns.

The enterprise standard for describing what an attacker could actually do in an environment.

#OSSTMM, CREST, CAPEC

Other frameworks exist with narrower adoption. OSSTMM for operational testing. CREST for certification + methodology framework (UK origin, global recognition). CAPEC for attack pattern enumeration.

#The pentest types and what each actually tests

#External network pentest

What an attacker from the internet sees and can do.

Scope: every internet-facing asset (web apps, VPN endpoints, email servers, cloud public resources, marketing sites, dev environments exposed by accident).

Phases:

• Passive reconnaissance (OSINT, subdomain enumeration, certificate transparency, GitHub leaks)
• Active enumeration (port scanning, service identification, version detection)
• Vulnerability identification (CVE matching plus manual verification)
• Exploitation of found vulnerabilities
• Privilege escalation if initial access achieved
• Report

What it catches: misconfigured services, outdated software on public infrastructure, credential stuffing vulnerabilities, exposed admin panels, cloud misconfigurations.

#Internal network pentest

What happens after an attacker gets inside. Post-initial-access scenarios.

Scope: the internal network as seen from a compromised user workstation or a rogue device on the corporate LAN.

Phases:

• Credential-less reconnaissance from a standard user VLAN
• Network mapping, service identification
• Active Directory enumeration (BloodHound, CrackMapExec)
• Kerberoasting, AS-REP roasting
• Privilege escalation attempts
• Lateral movement
• Domain admin compromise
• Data access to identified crown jewels
• Report

What it catches: AD misconfigurations, privilege escalation paths, lateral movement, data access control gaps.

#Web application pentest

Deep testing of a specific web application end-to-end.

Scope: authentication, authorization, business logic, session management, data handling, API endpoints consumed by the web app, admin interfaces.

Phases:

• Mapping the application (crawl, enumerate endpoints, identify roles)
• Authentication testing (password policies, MFA, session handling)
• Authorization testing (RBAC, IDOR / BOLA, privilege escalation)
• Input validation testing (injection classes, XSS, SSRF)
• Business logic testing (race conditions, workflow bypasses, discount abuse)
• Session + state management
• Cryptographic testing
• Report

What it catches: OWASP Top 10 + business logic vulnerabilities specific to the application.

#API pentest

Focused web API testing. Overlaps with web application but has distinct patterns (see our API security guide).

Scope: REST, GraphQL, gRPC, WebSocket endpoints consumed by mobile, web, or server-to-server clients.

Phases:

• Authentication matrix (unauthenticated, user role, admin role)
• Authorization testing (BOLA, BFLA, property-level)
• Rate limiting, resource consumption
• Business logic abuse
• Injection classes
• Report

#Cloud pentest

AWS, Azure, or GCP environment as scope.

Phases:

• IAM review (overly permissive policies, role trust relationships, unused permissions)
• Public asset enumeration (S3 buckets, public snapshots, public machine images)
• Service-specific attack patterns (Lambda abuse, IMDSv1 SSRF, KMS key abuse)
• Configuration drift from baseline
• Cross-account trust relationship abuse
• Report

#Red team engagement

Objective-driven, multi-week, adversary-simulation testing. Distinct from pentest in that the goal is to demonstrate specific outcomes (exfiltrate specific data, compromise specific role, deploy specific capability) via any means necessary within rules of engagement.

Phases:

• Goal definition with client leadership
• Extended reconnaissance
• Multi-vector initial access attempts (phishing, external exploitation, physical, social engineering)
• Long-term persistence
• Stealth emphasis
• Goal achievement
• Blue team interaction tracking
• Report

#Wireless pentest

WiFi security assessment.

Scope: corporate WiFi, guest network, IoT/OT network segments.

Phases:

• Wireless survey (visible networks, signal analysis)
• Authentication mechanism testing (WPA2/WPA3, EAP methods)
• Rogue AP detection/setup
• Client-side attacks (evil twin, Karma)
• Network segmentation validation
• Report

#Physical pentest

Physical facility security assessment.

Scope: office access, server room access, workstation security, network port access.

Phases:

• Reconnaissance
• Tailgating attempts
• Badge cloning attempts
• Pretext entry
• After-hours entry attempts
• Rogue device placement
• Report

#Social engineering

Phishing, vishing, smishing, pretext calls.

Scope: employee population, with emphasis on specific roles (executive assistants, finance, help desk).

Phases:

• Target enumeration
• Pretext development
• Campaign execution
• Response measurement
• Report

#The 7 phases in detail

#Phase 1. Pre-engagement interactions

The phase that determines whether the engagement will produce value.

Scope definition:

• Asset inventory with specific IP ranges, domains, apps, cloud accounts
• Whitelist vs. blacklist approach
• Business hours for testing
• Escalation procedures for critical findings
• Communication cadence
• Stop-test criteria

Rules of engagement:

• Permitted techniques (social engineering yes/no, DoS yes/no, physical yes/no)
• Escalation authority
• Third-party authorization if any scope touches vendor-managed assets
• Legal authorization letter

Testing model:

• Black box (no internal info)
• Gray box (some info, typically credentials)
• White box (full source code + architecture access)

Deliverables expected:

• Executive summary format
• Technical report format
• Findings prioritization methodology
• Retest policy

#Phase 2. Intelligence gathering

Collect information about the target without interacting with it offensively.

OSINT sources:

• Certificate transparency logs (crt.sh, Censys)
• DNS history (SecurityTrails, DNSdumpster)
• GitHub / GitLab exposed code and secrets
• Stack Overflow, forum posts by developers
• LinkedIn profiles of staff
• Job listings (reveal tech stack)
• Archive.org of historical versions
• Pastebin, criminal forums
• Data breach databases (HaveIBeenPwned)

Active enumeration:

• Subdomain enumeration (amass, subfinder)
• DNS zone walking
• Port scanning (nmap, masscan)
• Service identification (nmap -sV, specific probes)
• Content discovery (directory brute forcing)

#Phase 3. Threat modeling

Based on intelligence gathered, identify:

• Most likely attackers (opportunistic, targeted, state actor, insider)
• Most valuable targets (crown jewels, regulated data, admin access)
• Most plausible attack paths (based on identified attack surface)
• Priority order for exploitation attempts

A good threat model prioritizes testing. Without it, the pentester tests randomly.

#Phase 4. Vulnerability analysis

Identify vulnerabilities through combination of automated scanning and manual review.

Automated scanning:

• Nessus, Burp Suite Pro, ZAP, Nuclei, specific tools per technology
• Output: candidate findings for verification

Manual review:

• Review scanner output for false positives
• Test findings scanners missed
• Verify authentication and authorization flows
• Explore business logic
• Code review if source available

#Phase 5. Exploitation

Prove that findings are exploitable. Not just theoretical.

• Safe proof of concept preferred (demonstrate access without destruction)
• Document exactly what worked
• Avoid irreversible actions (don't delete data, don't modify production)
• Escalate stop-test if critical finding that needs immediate remediation

#Phase 6. Post-exploitation

Demonstrate impact. What would an attacker do after gaining access?

• Lateral movement
• Privilege escalation
• Data access (prove access to crown jewels)
• Persistence mechanisms (documented, not installed)
• Clean up (don't leave backdoors)

The quality of post-exploitation separates experienced pentesters from newer ones. Initial access is often easy. Chaining findings into real impact is the skill.

#Phase 7. Reporting

The deliverable that captures value.

Structure:

• Executive summary (non-technical, 1-2 pages)
• Methodology statement
• Scope confirmation
• Finding summary with severity counts
• Detailed findings (per finding):

- Title

- Severity (Critical / High / Medium / Low / Informational)

- Risk rating (CVSS + business impact)

- Location

- Description

- Proof of concept

- Impact

- Recommendation

- References

• Attack path narratives (how findings chained)
• Positive observations (what's working well)
• Appendices (technical detail, tool output)

A good report is usable by:

• Executives (executive summary alone)
• Developers (specific remediation guidance)
• Operations teams (infrastructure fixes)
• Compliance / audit (evidence of testing)

A bad report is a CVE dump with no business context.

#How to evaluate a pentest firm's methodology

Questions to ask before signing:

1. Which methodology framework do you follow? Can you cite specific phases?
2. How do you structure the intelligence gathering phase? What tools?
3. How do you approach threat modeling for our environment?
4. What percentage of your findings come from automated scanning vs. manual testing?
5. How do you handle false positives?
6. Can you show me a redacted sample report from a similar engagement?
7. Who specifically will conduct the test? Can I see their certifications and experience?
8. What's your process when you find something critical during testing?
9. How do you handle scope expansion mid-engagement?
10. What's your retest policy? Is it included?

Red flag answers:

• "We use automated tools" (without mentioning manual testing)
• "Our methodology is proprietary" (without explaining what it is)
• "Our testers don't need certifications" (for a professional firm)
• "We'll find whatever is there" (no structure)
• "Sample reports are confidential" (every firm should have redacted samples)

#The tools pentesters actually use

Not every pentester uses every tool. The categories:

#Reconnaissance

• amass, subfinder, assetfinder (subdomain discovery)
• nmap, masscan, rustscan (port scanning)
• httpx, httprobe (HTTP enumeration)
• WhoIs, passive DNS (SecurityTrails, DNSdb)
• Sherlock (username enumeration)

#Web testing

• Burp Suite Professional (gold standard)
• OWASP ZAP (free)
• Nuclei (template-based scanning)
• ffuf, gobuster (directory brute forcing)
• Custom Python/Go scripts

#Network exploitation

• Metasploit Framework
• Impacket suite
• CrackMapExec / netexec
• Responder
• BloodHound + SharpHound

#Password attacks

• Hashcat (GPU-based)
• John the Ripper
• Hydra (online brute force)

#Cloud

• AWS Pacu
• ScoutSuite (multi-cloud)
• CloudSploit
• Cloud provider CLI tools

#Post-exploitation

• Cobalt Strike (commercial)
• Sliver (open source C2)
• Mythic (open source C2)
• Custom implants

#Reporting

• Custom templates (Markdown + pandoc typical)
• Dradis, Serpico (report automation)

Firms that do only automated scanning have a much shorter toolkit list. Firms that do real manual testing have broader, frequently-updated toolkits.

#Pricing transparency

What pentest engagements actually cost in 2026 US market:

• External network pentest, small: $6K-$15K
• External network pentest, medium: $15K-$30K
• External network pentest, large: $30K-$60K
• Internal network pentest, medium: $20K-$40K
• Web app pentest, standard SaaS: $12K-$25K
• Web app pentest, complex platform: $25K-$60K
• Cloud pentest, single account: $10K-$25K
• Red team, focused: $40K-$100K
• Red team, comprehensive: $100K-$300K

Below market is usually a scanner with branding. Above market is either enterprise depth or prestige pricing.

#Certification honesty

Certifications signal competence but aren't universal proxies for skill.

Meaningful certifications:

• OSCP (Offensive Security Certified Professional) — hands-on practical, 24-hour exam
• OSWE (Web Expert) — harder, web app focus
• OSEP (Experienced Penetration Tester) — advanced
• GPEN (GIAC Penetration Tester) — SANS, respected
• GWAPT (GIAC Web App Pentester) — web focus
• CRTO / CRTL (Certified Red Team Operator / Lead) — red team specific
• OSCE^3 / OSEE (advanced Offensive Security) — rare
• CREST CPT / CCT / CCSAS — European origin, global recognition

Entry-level / less meaningful:

• CEH (Certified Ethical Hacker) — multiple choice, low bar
• CompTIA PenTest+ — entry level

What matters more than certifications:

• Prior engagement experience
• Published research / CVEs discovered
• Bug bounty track record
• Continuous learning (new cert rotation every few years)

#Our methodology

We follow PTES as the structural baseline. We integrate OWASP Testing Guide for web + API work. We use MITRE ATT&CK to describe findings in enterprise-relevant language. We augment with NIST SP 800-115 where federal / regulated clients expect alignment.

Every engagement covers:

• Formal pre-engagement scoping
• Intelligence gathering with the toolset above
• Threat modeling specific to the client's environment
• Manual testing at minimum 60% of engagement time (scanning is < 40%)
• Exploitation proof for critical findings
• Post-exploitation demonstrating real impact
• Report with executive summary + technical detail + specific remediation

Every report includes:

• CVSS scoring plus business impact rating
• Attack path narratives
• Positive observations
• Retest scope for follow-up engagements

We're happy to share redacted sample reports under NDA. The only thing that varies between engagements is the specific findings. The methodology is the same.

Valtik Studios, valtikstudios.com.