Penetration Testing: Methods and Industry Standards
Penetration testing is a structured security assessment practice in which qualified practitioners simulate adversarial attacks against an organization's systems, networks, or applications to identify exploitable vulnerabilities before malicious actors can. The practice operates within a defined legal authorization boundary, follows recognized methodology frameworks, and produces documented findings that inform remediation priorities. This reference describes the service landscape, the structured phases that govern engagements, the principal scenario categories in active professional use, and the qualification and regulatory context that shapes how engagements are scoped and contracted.
Definition and scope
Penetration testing, abbreviated as pen testing, is characterized by the National Institute of Standards and Technology as security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network (NIST SP 800-115, Technical Guide to Information Security Testing and Assessment). It is distinct from vulnerability scanning, which enumerates known weaknesses without attempting to exploit them (and so cannot confirm that a reported weakness is actually reachable), and from red team operations, which replicate full adversary campaigns with broader scope, longer timeframes, and often without the defenders' prior knowledge.
The professional scope of penetration testing spans three foundational knowledge domains, each with its own methodology and toolset:
- Network penetration testing — assessment of infrastructure including firewalls, routers, VPNs, and internal segmentation controls
- Web application penetration testing — examination of application-layer vulnerabilities such as injection flaws, broken authentication, and insecure direct object references, typically referenced against the OWASP Web Security Testing Guide (WSTG)
- Physical and social engineering testing — evaluation of facility access controls and human-layer susceptibility to manipulation, including phishing simulations
Three engagement models define the information asymmetry between tester and target:
- Black-box — the tester receives no prior knowledge of the target environment, simulating an external attacker
- White-box — the tester has full access to architecture diagrams, source code, and credentials, enabling comprehensive coverage
- Gray-box — the tester operates with partial knowledge, such as a standard user account, simulating an insider threat or compromised credential scenario
Regulatory frameworks that mandate or strongly encourage penetration testing include the Payment Card Industry Data Security Standard (PCI DSS v4.0, Requirement 11.4), which requires penetration testing at least once every 12 months and after significant infrastructure changes, and the Health Insurance Portability and Accountability Act Security Rule, which the Department of Health and Human Services references as requiring periodic technical and non-technical evaluation of security safeguards (45 CFR §164.308(a)(8)).
The information security providers on this domain include practitioners and firms operating across these engagement categories.
How it works
Penetration testing engagements follow a structured lifecycle. NIST SP 800-115 identifies four primary phases that form the baseline methodology recognized across the profession:
- Planning — Scope, rules of engagement, legal authorization, and testing windows are documented. A formal written authorization agreement is a prerequisite; testing without authorization exposes practitioners to liability under the Computer Fraud and Abuse Act (18 U.S.C. §1030).
- Discovery — Practitioners gather intelligence about the target through passive reconnaissance (open-source intelligence, DNS enumeration, certificate transparency logs) and active scanning (port scanning, service fingerprinting, OS identification), which interacts with the target directly and is therefore visible in its logs. This phase produces the attack surface map.
- Attack execution — Testers attempt to exploit identified weaknesses. This includes credential attacks, exploitation of known vulnerabilities (typically tracked as CVEs), privilege escalation, and lateral movement within the network. Exploitation is governed strictly by the agreed scope, and each successful step is recorded with the evidence the report will need.
- Reporting — Findings are categorized by severity, commonly using the Common Vulnerability Scoring System (CVSS) maintained by FIRST, and documented with evidence, reproduction steps, business impact assessments, and prioritized remediation guidance. A CVSS base score rates technical severity in isolation; the business impact assessment supplies the context (data sensitivity, exposure, compensating controls) that actually determines remediation order.
The Penetration Testing Execution Standard (PTES) provides an independently developed framework that extends NIST's phases with detailed technical guidance on intelligence gathering, threat modeling, exploitation, and post-exploitation. PTES is not a regulatory requirement but functions as a de facto professional reference in commercial engagements.
Common scenarios
External network assessment — Targets internet-facing assets including web servers, mail gateways, VPN endpoints, and DNS infrastructure. It is among the most commonly contracted engagement types and often satisfies the PCI DSS external testing requirement (Requirement 11.4.3) or cyber insurance conditions.
Internal network assessment — Conducted from within the organizational perimeter or via VPN access, this scenario tests the assumption that an attacker has already bypassed the network boundary — a scenario consistent with the zero trust model described in NIST SP 800-207.
Web application assessment — Targets a specific application, frequently following the OWASP Top 10 as a reference taxonomy. The OWASP Top 10 2021 edition ranks Broken Access Control first: 94% of applications in the supporting dataset were tested for some form of it, and it had more recorded occurrences than any other category. The Top 10 is an awareness list rather than a test plan; the OWASP Web Security Testing Guide supplies the per-test procedures.
Social engineering campaigns — Phishing, vishing, and physical intrusion attempts. These are often contracted as standalone engagements for organizations subject to workforce security awareness requirements under frameworks such as NIST SP 800-53 (Control AT-2).
Cloud configuration review — Assesses misconfiguration risks in cloud-hosted environments, a practice area shaped significantly by the shared responsibility model documented by major cloud platform providers and referenced in CISA's cloud security guidance.
Decision boundaries
The scope of any penetration testing engagement is legally constrained before it is technically constrained. Authorization documentation must specify the IP ranges, application URLs, testing windows, and prohibited actions — without this, any exploitation activity potentially violates the Computer Fraud and Abuse Act regardless of intent.
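The authorization boundary described in the Planning phase and in the paragraph above is enforceable in code: a check that runs before every scan or exploit step refuses targets, times, and actions the signed agreement does not cover. The following is an added example, not code from the page or from any tool it names; the ROE dictionary is a constructed sample that uses documentation address ranges and reserved .test hostnames, and the action names are hypothetical labels.

```python
"""Rules-of-engagement gate (added example, not code from the page).

Before any scan or exploit step runs, check the candidate action against the
signed authorization: IP ranges, application origins, testing window, and
prohibited actions. Everything in ROE is a constructed sample (documentation
address ranges, .test hostnames, hypothetical action labels), not real targets.
"""
import ipaddress
from datetime import datetime, time, timezone
from urllib.parse import urlsplit

ROE = {
    "ip_ranges": ["203.0.113.0/24", "198.51.100.10"],              # CIDRs and single hosts
    "origins": ["https://app.example.test", "https://api.example.test"],
    "window_utc": (time(22, 0), time(6, 0)),                       # 22:00-06:00 UTC, spans midnight
    "prohibited": {"dos", "social_engineering", "data_exfiltration"},
}

_NETWORKS = [ipaddress.ip_network(r, strict=False) for r in ROE["ip_ranges"]]


def _origin(url):
    """Normalize a URL to (scheme, host, port); None if it is not a URL."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:                      # e.g. a non-numeric port
        return None
    port = port or {"http": 80, "https": 443}.get(parts.scheme.lower())
    return (parts.scheme.lower(), parts.hostname.lower(), port)


_ORIGINS = {_origin(u) for u in ROE["origins"]}


def ip_in_scope(target):
    """True only for an IP address literal inside an authorized range."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:                      # hostnames and URLs are not IP literals
        return False
    return any(addr in net for net in _NETWORKS)


def url_in_scope(url):
    """Exact origin match on scheme, full hostname and port.

    A string-prefix match would wrongly admit app.example.test.attacker.example,
    so the whole hostname is compared.
    """
    origin = _origin(url)
    return origin is not None and origin in _ORIGINS


def at_utc(year, month, day, hour, minute=0):
    """Build an aware UTC datetime for window checks."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def in_window(when):
    """Is the aware datetime inside the agreed window (evaluated in UTC)?"""
    if when.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    t = when.astimezone(timezone.utc).time()
    start, end = ROE["window_utc"]
    if start <= end:
        return start <= t < end
    return t >= start or t < end           # window crosses midnight


def authorize(action, target, when):
    """Return (allowed, reason). Every check must pass; the reason names the first failure."""
    if action in ROE["prohibited"]:
        return False, f"action '{action}' is prohibited by the ROE"
    if not in_window(when):
        return False, "outside the agreed testing window"
    if not (ip_in_scope(target) or url_in_scope(target)):
        return False, f"target '{target}' is not in the authorized scope"
    return True, "authorized"


if __name__ == "__main__":
    now = at_utc(2024, 3, 1, 23, 30)
    for action, target in [("exploit", "203.0.113.42"),
                           ("exploit", "203.0.114.1"),
                           ("scan", "https://app.example.test/login"),
                           ("scan", "https://app.example.test.attacker.example/"),
                           ("dos", "203.0.113.42")]:
        print(action, target, authorize(action, target, now))
```

The gate returns the reason for a refusal rather than just a boolean so the engagement log records why a step did not run; that log is part of the evidence that testing stayed inside the authorized boundary.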
Penetration testing is not equivalent to a security audit or compliance assessment. A PCI DSS assessment evaluates whether the required controls are documented and in place; a penetration test evaluates whether those controls withstand adversarial pressure. Both are required under PCI DSS v4.0 but serve distinct evidentiary functions.
Several credentials signal practitioner competence; two are widely cited in engagement requirements. The Offensive Security Certified Professional (OSCP), issued by OffSec, requires demonstrated hands-on exploitation capability in a proctored practical examination lasting roughly 24 hours. The Certified Ethical Hacker (CEH), issued by EC-Council, emphasizes knowledge-based assessment and is listed in the DoD 8570.01-M manual as an approved baseline certification for Information Assurance Technical (IAT) Level II roles; that manual has since been superseded by the DoD 8140 cyberspace workforce program.