What are the penetration testing standards?

An appropriate security framework should include ongoing security training for all developers, threat models for the entire system, regular code reviews, and scheduled penetration testing. Predictability and consistency are among the basic principles of penetration testing. In order for a penetration test to be consistently applied, it must have standards.

Several standards exist for penetration testing and security audits. OWASP (Open Web Application Security Project), OSSTMM (The Open Source Security Testing Methodology Manual), ISSAF (Information Systems Security Assessment Framework), NIST SP 800-115, PTES (Penetration Testing Execution Standard) and FedRAMP (The Federal Risk and Authorization Management Program) are among the best known of these standards.

  1. OWASP

Web security is a very broad field. OWASP is an open source project dedicated to securing web applications. OWASP has made life easier for security professionals by creating a Testing Guide.

  1. OSSTMM

The main purpose of OSSTMM is to provide a scientific process for correctly characterizing operational security, which can be used for penetration testing, ethical hacking and other security tests. For example, checking packet loss on the way to the target network, measuring the response time to a packet, measuring the response rate over the target network, and measuring the number of lost packets and errors received while communicating with the target network are all scaled according to defined standards.

  1. ISSAF

The Information Systems Security Assessment Framework is designed to evaluate network, system and application controls as part of a penetration testing methodology. It consists of a three-stage approach and a nine-step evaluation. The approach includes the following three stages:

Stage – I: Planning and Preparation

Stage – II: Evaluation

Stage – III: Reporting, Cleaning and Elimination of Artifacts

The Information System Security Assessment Framework (ISSAF) methodology is supported by the Open Information Systems Security Group (OISSG).

  1. NIST SP800-115

NIST (the National Institute of Standards and Technology) publishes standards and guidelines that organizations can use to build secure information security practices and to perform security tests. NIST SP 800-115 provides an overview of the essentials of security testing. It is not a comprehensive guide, but it helps organizations plan and conduct technical information security tests, analyze findings, and develop remediation strategies.

  1. PTES

PTES consists of technical guidelines that help define the specific procedures to follow during a penetration test. The guidelines describe situations that point you in a certain direction in particular scenarios, but they are not a comprehensive set of instructions on how to perform a penetration test.

  1. Fedramp

The Federal Risk and Authorization Management Program (FedRAMP) provides a framework for the security assessment and continuous monitoring of cloud-based services. Its guidance sets standards for planning and executing a penetration test and for analyzing and reporting the findings.

Our penetration tests are reliable, effective and rigorous because they are conducted to the best standards in the industry. At SecroMix, we use the international standards listed above and well-known penetration testing frameworks to ensure the highest quality in our penetration tests.

Why SecroMix?

Our team includes researchers who have participated in the most prestigious CTF (“Capture the Flag”) hacking competitions, who have penetration testing experience and the required certifications (CEH, LPT, …), and who have successfully participated in bug bounty programs in line with standards such as BRSA, GDPR, TSE, PCI DSS and ISO 27001.

As a company, we offer detailed recommendations and tailored plans to reduce risk, help fix all security gaps and support your information security process.

Remember, system penetration tests are a necessary element of information security for any organization.

Special offer for the pandemic period:

You can contact us for a price quote on penetration testing, SIEM, DLP (BRSA- and GDPR-compliant DLP), information security consultancy and cyber security services, as well as a free Cyber Security Awareness Analysis.