Further Reading: Penetration Testing Methodology and Standards

Books

The Penetration Testing Execution Standard (PTES) Technical Guidelines. Available at pentest-standard.readthedocs.io. The complete PTES methodology documentation, including technical guidelines for each phase from pre-engagement through reporting. Essential reference for any professional penetration tester seeking to implement a structured methodology.

OSSTMM 3: The Open Source Security Testing Methodology Manual. Pete Herzog, ISECOM, 2010. The full OSSTMM version 3, including the rav (risk assessment value) calculation methodology and the channel-based testing framework. Available from isecom.org. Dense but rewarding reading for testers who want to bring quantitative rigor to their assessments.

The Web Application Hacker's Handbook, 2nd Edition. Dafydd Stuttard and Marcus Pinto, Wiley, 2011. Focused on web application testing rather than methodology per se, but its structured approach to web application assessment aligns closely with the OWASP Testing Guide and provides excellent practical guidance for implementing a web testing methodology.

Penetration Testing: A Hands-On Introduction to Hacking. Georgia Weidman, No Starch Press, 2014. An accessible introduction to penetration testing that follows a structured methodology throughout. Excellent for practitioners who want to see methodology applied to realistic lab scenarios.

The Art of Network Penetration Testing. Royce Davis, Manning Publications, 2020. Demonstrates how professional internal network penetration tests are planned, executed, and documented. Particularly strong on the planning and scoping aspects of methodology.

Red Team: How to Succeed By Thinking Like the Enemy. Micah Zenko, Basic Books, 2015. Not a technical manual; this book explores the strategic thinking behind adversarial testing. Valuable for understanding why methodology matters at an organizational level.

Standards and Frameworks

OWASP Web Security Testing Guide (WSTG) v4.2, formerly the OWASP Testing Guide. Available at owasp.org/www-project-web-security-testing-guide/. The reference methodology for web application security testing. Version 4.2 organizes its test cases into categories covering information gathering, configuration and deployment, identity, authentication, authorization, session management, input validation, error handling, cryptography, business logic, client-side and API testing, and assigns each test a stable identifier (for example WSTG-INPV-05 for SQL injection) that can be cited directly in findings and test plans.

OWASP Application Security Verification Standard (ASVS) v4.0. Available at owasp.org/www-project-application-security-verification-standard/. Complementary to the Testing Guide, ASVS defines security requirements at three verification levels (L1 to L3). Useful for mapping test cases to security requirements and for agreeing with a client what "verified" means before testing starts.

NIST SP 800-115: Technical Guide to Information Security Testing and Assessment. National Institute of Standards and Technology, 2008. The US government's standard reference for security testing methodology. Required reading for anyone working in government or defense sectors, and still widely cited in contracts and RFPs despite its age.

PCI DSS v4.0 and Penetration Testing Guidance. PCI Security Standards Council, 2022. The current version of PCI DSS (Requirement 11.4 covers internal and external penetration testing, including segmentation testing) and the supplemental Penetration Testing Guidance information supplement. Note that v4.0.1, a limited revision published in 2024, supersedes v4.0 but keeps the same requirement numbering. Essential for any tester conducting PCI assessments.

CREST Penetration Testing Procurement Guide. Available at crest-approved.org. Guidance for organizations procuring penetration testing services, including what to look for in methodology, qualifications, and deliverables. Useful from both the tester's and the client's perspective.

Articles and Online Resources

PTES Pre-Engagement Guidelines. pentest-standard.readthedocs.io/en/latest/preengagement.html. Detailed guidance on scoping, rules of engagement, and pre-engagement interactions. The most comprehensive free resource for engagement planning.

The Coalfire Courthouse Arrest Incident. Various reporting (search "Coalfire Iowa courthouse penetration test arrest"). The September 2019 incident in which two Coalfire testers, conducting an authorized physical assessment for the Iowa judicial branch, were arrested by county law enforcement inside a county-owned courthouse; the charges were later dropped. The dispute turned on whether the state body that commissioned the test had the authority to approve after-hours entry into a building owned by the county. An essential case study in making sure the authorization letter is signed by whoever actually controls the premises, and in carrying scope and rules-of-engagement documentation on site.

TIBER-EU Framework Documentation. European Central Bank, available at ecb.europa.eu. The complete TIBER-EU framework documentation for threat intelligence-led red team testing of financial entities. Required reading for testers working in European financial services.

DORA Regulation Text. Regulation (EU) 2022/2554, available at eur-lex.europa.eu. The full text of the Digital Operational Resilience Act, particularly Chapter IV on digital operational resilience testing, which makes threat-led penetration testing mandatory for designated financial entities. Essential for understanding the European financial sector testing requirements.

CREST Exam Preparation Resources. Available at crest-approved.org. Exam syllabi, practice materials, and preparation guidance for the CPSA, CRT, and CCT certifications. Critical for anyone pursuing CREST accreditation.

Podcasts and Video Content

Darknet Diaries, Episode 59: "The Courthouse". Jack Rhysider's podcast episode on the Coalfire incident. Provides a narrative account of what happens when penetration testing authorization fails. Excellent for understanding the real-world consequences of inadequate RoE documentation.

SANS Institute Webcasts on Penetration Testing Methodology. Available at sans.org/webcasts. Regular webinars covering various aspects of testing methodology, often presented by SANS instructors who are active practitioners.

IppSec YouTube Channel. youtube.com/@ippsec. Focused on Hack The Box walkthroughs, but the videos demonstrate methodical enumeration and exploitation approaches that illustrate structured testing in practice.

Professional Organizations

  • CREST (crest-approved.org): Accreditation body for penetration testing professionals and companies
  • OWASP (owasp.org): Open community producing web application security standards and tools
  • ISECOM (isecom.org): Publishers of OSSTMM and related security testing research
  • PCI SSC (pcisecuritystandards.org): Develops and maintains PCI DSS and related standards
  • NCSC (ncsc.gov.uk): UK government cybersecurity authority, manages the CHECK scheme