What is a Penetration Testing Methodology?

Penetration testing means that a penetration tester or an ethical hacker is testing the logical flaws or the vulnerabilities of an endpoint, machines, external and internal network in the organisation. The penetration tester uses pen testing methodology to determine the flaws and exploit them to get the critical information of the organisation. When the process of penetration testing is completed, a complete report of the flaws found on the machines or networks etc., including the criticality levels with the remediation to stop them are submitted by the penetration tester.

Penetration Testing Life Cycle

Penetration Testing life cycle consists of 4 stages:

  • Recon
  • Mapping
  • Discovery and
  • Exploitation


The recon phase includes the information gathering process using OSINT tools and techniques on the client for which the penetration testing is being done. All the data is gathered by the penetration tester such as the Domain Name System records, Domain Names and Sub Domain Names, what kind of technology is being used by the organisation and its versions. This information will help to enumerate the vulnerabilities to the penetration tester with the help of penetration testing.


The mapping stage will help the penetration testers to focus on the most important and most critical elements. All the functionalities of the client are listed when the penetration tests are conducted.


The discovery stage is also referred to as the attack phase. The penetration testers have to do a detailed analysis of the infrastructure to find the vulnerabilities with the help of automated tools such as Nessus, Bloodhound etc. Sometimes automated tools do not give promising results; therefore, they need to do the manual discovery of the target. The purpose of the discovery stage is to identify the vulnerabilities and find their exploit. 


The exploitation stage is the last stage of the penetration testing lifecycle. It includes checking the future exploitation of the defects found in the last phase. In order to discover new weaknesses, the found vulnerabilities are taken into consideration and using penetration testing methodology, the penetration tester starts the exploitation process. The exploitation of security issues enables the evaluation of their actual effect and thus of their level of criticality of the organisation’s infrastructure.

What is Penetration Testing? | Pen Testing Methodologies and Tools | Edureka
source: Edureka

3 types of penetration testing (types of test)

There are primarily 3 types of pen test, which are as follows:

1. White Box Penetration Testing

In White Box Penetration Testing, the penetration tester is familiar with the details of the organisation’ infrastructure such as the CMS platform of the website, the internal network details, detailed information about the devices being used in the organisation etc., for which the penetration testing is being done.

2. Black Box Penetration Testing

The penetration tester doesn’t know any details about the details such as the internal network, infrastructure etc. of the organisation or the target. This is called Black Box Penetration testing technique. The penetration tester will use different types of network penetration testing.

3. Grey Box Penetration Testing

Grey Box Penetration Testing is the combination of White Box and Black Box Penetration Testing methods. The penetration tester uses the different methodology with the limited known information about network infrastructure and does the penetration testing.

Penetration Testing Methodology:

It is very important for the penetration tester to opt the correct methodology and the standards which they can leverage. Following are the pen testing methodology which can be used by the testers:


NIST stands for National Institute of Standards and Technology and provides more detailed instructions for penetration testers to follow, unlike many other information security standards and manuals. A manual is issued by the NIST that is ideally suited to enhancing an organization’s overall cyber security.

With this structure, NIST has set its sights on ensuring the security of information in various industries, including banking, communications and electricity. Both large and small enterprises will adapt the requirements to suit their individual needs.

Organisation mostly conduct penetration tests on their software’s and on their networks in order to meet the requirements set by NIST. This American standard of information technology protection ensures that businesses meet their responsibilities to monitor and analyse cyber security, minimizing the risks of a data breach in every possible way.


A scientific methodology for network risk and vulnerability assessment is provided by the OSSTMM system, one of the most accepted standards in the industry. OSSTMM stands for Open Source Security Testing Methodology Manual. 

OSSTMM provides a detailed guide for penetration testers to discover security flaws from different possible vulnerabilities inside a network.

To understand the found vulnerabilities and their possible effect within the infrastructure, this approach relies on the in-depth skills and experience of the penetration tester, as well as human intelligence.

The methodology of OSSTMM enables testers to tailor their evaluation to suit the company’s unique requirements or technical background.

The penetration tester will receive an accurate description of the cyber security of your network with this set of guidelines, as well as reliable solutions customized to your technical background to help your stakeholders make the right decisions to protect the network infrastructure. [2]


The Open Web Application Protection Project (OWASP) is the most accepted in the real world standards for all aspects of software safety. Driven by a very well-versed group that remains on top of the latest innovations, this approach has helped numerous companies mitigate vulnerabilities in applications.

OWASP framework includes an application penetration testing methodology and techniques that can detect vulnerabilities commonly found in web and mobile apps.

For each penetration testing technique, the latest guide offers detailed guidance, with over 66 security controls to review in total, enabling testers to recognize vulnerabilities within a broad range of functionalities found in modern applications today.

With the aid of this approach, companies are better prepared to protect their application from common mistakes that can have a potentially critical effect on their business.

In order to avoid common security vulnerabilities, companies looking to build new web and mobile apps should also consider implementing these principles during their development process.[3]


The ISSAF (Information System Security Assessment Framework.) is far more systematic and comprehensive methodology to penetration testing is included in the ISSAF than the previous standard.

If an innovative technique fully tailored to its background is needed for the particular circumstance of your organization, then this manual will prove beneficial for the professionals in charge of penetration test.

These allow a tester to diligently prepare and record every phase of the process for penetration testing, from preparation and evaluation to reporting and artefact destruction.

This norm serves for all phases of the process. ISSAF is particularly crucial for a penetration tester who use a combination of different instruments as they can tie each phase to a specific instrument.

A substantial part of the process is regulated by the evaluation section, which is more detailed. ISSAF includes some complementary information for each vulnerable area of your system, different attack vectors, as well as potential outcomes when a weakness is exploited.

Test involves, finding information on instruments that are widely used by actual attackers to target such places.[4]


The most appropriate methodology to structuring a penetration test is illustrated by the PTES System (Penetration Testing Methodologies and Standards). This norm advises testers on different stages of a penetration test, including initial contact, intelligence gathering, as well as phases of risk analysis.

Following this vulnerability scanning standard, testers familiarize themselves as much as possible with the enterprise and its technical background before concentrating on targeting the potentially vulnerable areas, helping them to recognize the most sophisticated attack scenarios that could be attempted.

Testers are also given instructions to carry out post-exploitation testing if appropriate, enabling them to check that the vulnerabilities previously found were correctly detected.

What tools are used for application penetration testing methodology?

There are plenty of tools available which are used for penetration testing by the penetration tester. With the help of these tools, the process becomes easy, efficient, more reliable and faster. There are many tools available for penetration testing which are both closed source and open source.

Following are the closed source tools that means the penetration tester need to pay to obtain the tools:

Nessus :

Nessus is used to scan the vulnerabilities in a web apps, vulnerabilities in network infrastructure, helps in the detection of the technologies, and it’s version of the device etc.

The following are the open source tools that means the penetration tester can use these tools freely without obtaining any licence:


Metasploit is the most popular open source framework inbuilt in Kali Linux which is used for exploitation. With the help of this tool, the penetration tester can create payloads, generate shell codes etc.


Nmap stands for Network Mapper that scans for the open ports of a machine and detects what version the device is using, helps in device fingerprinting etc.


Nikto is a vulnerability scanner used to scan the web apps or web server with command line interface. It can even detect the cookies received by the end points.


Wireshark is a network protocol analyser tool helping the penetration tester to see the network packets travelling over the internet.


Hydra helps to attack on the login page and is supported by many protocols. With the help of Hydra, the penetration tester can easily gain access remotely of the machines.


The ethical hacker uses different types of pen test methodology such as OWASP, OSSTMM etc., to evaluate the network infrastructure. A penetration testing process is successful if the tester is able to discover the vulnerabilities in the network and exploits them to get the critical data.

Overall, there are three types of penetration testing technique which the hacker can use in black box, white box and grey box testing techniques. There are many automated as well as manual tools which the ethical hacker can use in the investigation process.


1. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf

2. Dalalana Bertoglio, D., Zorzo, A. Overview and open issues on penetration test. J Braz Comput Soc 23, 2 (2017)

3.M. I. Palma Salas, P. L. De Geus and E. Martins, “Security Testing Methodology for Evaluation of Web Services Robustness – Case: XML Injection,” 2015 IEEE World Congress on Services, New York, NY, 2015, pp. 303-310.

4. https://core.ac.uk/download/pdf/16292984.pdf

About Post Author

Leave a Reply