The standard has not been significantly updated since its initial release - Technical guidelines can become outdated as tools and techniques evolve - Less prescriptive about specific test cases than OWASP