Penetration testing has become a critical component of modern cybersecurity compliance and risk management, yet it remains widely misunderstood. A key misconception is that penetration testing follows a single universal process. In reality, every engagement is unique because organisations differ in structure, technology stacks, security maturity, and threat exposure. Each penetration test must therefore be shaped by a methodology that reflects the practical, technical, and regulatory context of the assessment. A penetration testing methodology refers to the structured sequence of steps a tester follows when identifying vulnerabilities and assessing security controls. A practical methodology adapts to the specific target: for instance, the steps suitable for testing a web application would be ineffective for a network-level penetration test. Despite these contextual differences, most industry-recognised frameworks share a consistent set of core stages which form the backbone of any effective penetration testing engagement and are widely referenced in UK cybersecurity standards and international best practice.
Core Stages of a Penetration Test
Information Gathering: The first step in any penetration testing methodology involves collecting publicly available information about the target organisation. This includes OSINT techniques, passive reconnaissance, and research into domains, digital footprints, and third-party associations. Crucially, no active scanning occurs at this stage, making it a foundational but non-intrusive activity.
Enumeration / Scanning: In this stage, the tester actively identifies applications, systems, ports, and services exposed to the internet or internal network. This may involve detecting a web server, exposed API, outdated service, or misconfigured host that may present a security risk. Enumeration reveals a penetration tester’s primary attack surface.
Exploitation: Once vulnerabilities are identified, the exploitation stage begins. This phase involves using public exploits, custom payloads, misconfiguration abuse, or logical flaws to gain unauthorised access. Exploitation is often the most visible component of penetration testing and is essential for demonstrating real-world risk impact.
Privilege Escalation: After gaining a foothold, the penetration tester seeks to elevate access either horizontally (moving to another user account within the same permission group) or vertically (gaining higher-privileged roles such as system administrator). This stage mirrors real attacker behaviour and highlights systemic weaknesses in permission structures and access control.
Post-Exploitation: The final stage analyses the broader implications of the compromise. Post-exploitation includes pivoting to other hosts, extracting additional sensitive information as a privileged user, assessing lateral movement potential, examining business impact, and simulating what a real attacker could achieve. Track-covering techniques are used only where the rules of engagement call for adversary emulation; in a standard penetration test the tester keeps a timestamped log of every action and leaves artefacts in place so that the client can check what its monitoring detected. The stage culminates in a detailed penetration testing report with remediation guidance.
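The enumeration stage above is the first point at which the tester touches the target, so it is also where scope discipline matters most. The following script is an added example, not code from the original article or from any of the frameworks it discusses. It enforces an agreed scope from the rules of engagement before any connection is made, performs a TCP connect scan with banner grabbing, and fingerprints what it finds; the in-scope network, the constructed local listener standing in for a target service, and the `fingerprint` helper are all assumptions made for this example.

```python
import ipaddress
import socket
import threading

# Assumed scope from the rules of engagement (example only). Anything outside
# this list is never connected to, no matter what the tester types in.
IN_SCOPE = [ipaddress.ip_network("127.0.0.0/8")]


def in_scope(host: str) -> bool:
    """True only if the address lies inside an agreed scope network."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in IN_SCOPE)


def fingerprint(banner: str) -> dict:
    """Tiny banner parser (assumed helper) for SSH and 220-style greetings."""
    if banner.startswith("SSH-"):
        # "SSH-2.0-OpenSSH_9.6" -> protocol "2.0", software "OpenSSH_9.6"
        parts = banner.split("-", 2)
        return {"service": "ssh", "protocol": parts[1],
                "software": parts[2] if len(parts) > 2 else ""}
    if banner.startswith("220 "):  # SMTP/FTP style greeting
        return {"service": "smtp/ftp", "software": banner[4:]}
    return {"service": "unknown", "software": banner}


def enumerate_ports(host: str, ports, timeout: float = 1.0) -> dict:
    """TCP connect scan with banner grab; returns {open_port: banner}.

    Refuses to run against hosts outside IN_SCOPE. Closed ports are simply
    absent from the result; open ports that send nothing map to "".
    """
    if not in_scope(host):
        raise ValueError(f"{host} is outside the agreed scope; refusing to scan")
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                try:
                    banner = s.recv(256).decode(errors="replace").strip()
                except socket.timeout:
                    banner = ""
                results[port] = banner
        except OSError:  # refused, unreachable, timed out: not open
            continue
    return results


def start_fake_service(banner: bytes):
    """Constructed local listener standing in for a target service.

    Returns (server_socket, port). Each client gets the banner and is closed.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def closed_port() -> int:
    """Reserve an ephemeral port and release it so it is (almost surely) closed."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_p = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    found = enumerate_ports("127.0.0.1", [open_p, closed_port()])
    for p, b in found.items():
        print(p, fingerprint(b))
    srv.close()
```

The point a practitioner should take from this is the order of operations: the scope check happens before the socket is created, the scan only records what the target volunteers, and no exploitation logic lives in the enumeration tool.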
These stages form a universal workflow across most security testing engagements. However, professional penetration testing relies on specific frameworks that provide structure, terminology, and industry alignment. The following analysis examines the most widely adopted frameworks: OSSTMM, OWASP, the NIST Cybersecurity Framework, and the NCSC Cyber Assessment Framework (CAF).
OSSTMM – Open Source Security Testing Methodology Manual
OSSTMM, maintained by ISECOM, is an internationally recognised penetration testing methodology offering comprehensive guidance on systems, applications, networks, telecommunications, and human-factor security. Unlike narrower frameworks, OSSTMM focuses on how systems communicate, making it highly relevant for complex infrastructures. It provides methodologies for telecommunications (such as VoIP and phone systems), wired networks, and wireless technologies. OSSTMM aims to create a universal testing standard that can be applied consistently across varied penetration testing scenarios.
Advantages:
• Provides an extensive and detailed set of testing strategies across multiple categories.
• Includes methodologies for highly specific targets such as telecommunications infrastructure and networking systems.
• Offers substantial flexibility, making it adaptable to organisational needs.
• Seeks to establish a universal penetration testing methodology applicable across systems and applications.
Disadvantages:
• The framework is dense, complex, and uses unique terminology, which may be difficult for organisations to interpret.
• Some sections are intentionally ambiguous or incomplete, requiring specialist understanding to apply correctly.
OWASP – Open Web Application Security Project
OWASP (renamed the Open Worldwide Application Security Project in 2023) publishes the most widely used methodology for assessing the security of web applications and online services, the OWASP Web Security Testing Guide (WSTG). As a community-driven project, it is continually updated to reflect emerging attack patterns and vulnerabilities. OWASP is best known for the “OWASP Top Ten”, a globally accepted awareness list of the most critical web application security risks; the WSTG supplies the structured test cases behind it, and the Application Security Verification Standard (ASVS) supplies the requirements to verify against. OWASP is essential for organisations aiming to strengthen application-level security and comply with secure development standards.
Advantages:
• Highly accessible, straightforward, and easy to adopt within development and security teams.
• Actively maintained and frequently updated to reflect modern attack trends.
• Covers the entire lifecycle of a web application security assessment, including reporting and remediation.
• Specialises in web applications and APIs (with sister projects for mobile), making it the most relevant framework for SaaS providers, developers, and online platforms.
Disadvantages:
• Vulnerability categories sometimes overlap, making classification less precise.
• The testing guide itself does not prescribe a secure development life cycle model; that is covered separately by OWASP SAMM, which organisations must adopt on their own.
• Lacks accreditation status such as CHECK or CREST alignment.
NIST Cybersecurity Framework 1.1
The NIST Cybersecurity Framework (CSF) is widely used across both critical infrastructure and commercial organisations to enhance cybersecurity governance, risk management, and operational resilience. Version 1.1 (2018) is the edition discussed here; NIST released CSF 2.0 in February 2024, adding a Govern function and extending the intended audience beyond critical infrastructure. The CSF is not a penetration testing methodology: it organises outcomes under five Functions (Identify, Protect, Detect, Respond, Recover) and points to detailed controls in publications such as NIST SP 800-53, while technical testing guidance lives in NIST SP 800-115. Penetration testers, auditors, and compliance specialists use these references to map findings to controls, and the framework is often implemented alongside OSSTMM, OWASP, or sector-specific methodologies.
Advantages:
• Widely adopted: estimated to be used by around half of American organisations by 2020.
• Extremely detailed in setting cybersecurity standards and risk controls.
• Updated frequently to maintain relevance in a rapidly evolving threat landscape.
• Maps its outcomes to certifiable standards such as ISO/IEC 27001 and to NIST SP 800-53 controls, so CSF adoption can be aligned with formal certification even though NIST itself does not certify organisations against the CSF.
• Designed to integrate seamlessly with other cybersecurity frameworks and methodologies.
Disadvantages:
• The number of NIST publications can make it difficult for organisations to determine which variant applies to their needs.
• Defines outcomes rather than audit procedures, so it does not itself specify the logging and evidence requirements needed to reconstruct how a breach occurred.
• Does not sufficiently address cloud computing, despite widespread cloud adoption.
• Some aspects of the framework intentionally lack prescriptive detail.
NCSC CAF – Cyber Assessment Framework
The UK’s National Cyber Security Centre (NCSC) developed the Cyber Assessment Framework to assess organisations delivering essential or “vitally important” services such as energy, water, health, transport, digital infrastructure, and other critical national infrastructure. The CAF consists of fourteen principles grouped under four objectives (managing security risk, protecting against cyber attack, detecting cyber security events, and minimising the impact of incidents), covering areas including data security, system security, identity and access control, monitoring, operational resilience, and incident response and recovery planning. The CAF is increasingly influential in UK cybersecurity compliance and is often referenced in regulated sectors.
Advantages:
• Backed by a government cybersecurity authority, providing credibility and assurance.
• Used by sector regulators (competent authorities) under the UK NIS Regulations to assess operators of essential services, giving a recognised benchmark, although the CAF itself is not an accreditation scheme.
• Covers a comprehensive set of fourteen principles addressing prevention, detection, resilience, and response.
Disadvantages:
• The framework is relatively new (first published in 2018), and many organisations have not yet adapted sufficiently to meet its requirements.
• CAF is principles-based rather than rule-based, which may lead to inconsistent interpretation and implementation.
Conclusion
A robust penetration testing methodology is essential for identifying vulnerabilities, meeting cybersecurity compliance requirements, and strengthening organisational resilience. While the stages of penetration testing—information gathering, enumeration, exploitation, privilege escalation, and post-exploitation—form the universal structure of an engagement, organisations benefit most when these stages are supported by a recognised framework. OSSTMM offers extensive depth for communication-centric environments, OWASP provides unmatched clarity for web applications, the NIST Cybersecurity Framework enhances governance and risk management practices, and the NCSC CAF supports organisations delivering critical services within the UK regulatory ecosystem. By understanding the strengths and limitations of each framework, organisations can select the methodology that best aligns with their systems, regulatory obligations, and cybersecurity objectives. In an era of escalating cyber threats, well-structured penetration testing remains one of the most effective tools for safeguarding digital assets and ensuring legal and technical compliance.
