The Penetration Testing Execution Standard (PTES) is the industry-standard “roadmap” for how a professional penetration test should be conducted. While MITRE ATT&CK tells you what attackers do, PTES tells you how a security professional should structure an entire engagement from the first meeting to the final report.
1. Understanding PTES
Why use this framework?
Standardization: Ensures that every penetration test follows a high-quality, repeatable process.
Expectation Management: Helps clients understand exactly what they are paying for.
Completeness: Prevents testers from “jumping the gun” and skipping critical steps like legal contracting or deep reconnaissance.
2. The 7 Phases of PTES (The Human Deep-Dive)
Phase 1: Pre-engagement Interactions
This is where you act more like a lawyer than a hacker. You’re setting the stage. You need to sit down with the client and ask, “What keeps you up at night?”
The Scope: Be ruthless here. If they say “Test everything,” tell them that’s impossible. You need a list of IPs, URLs, and physical locations. If you hit an IP that isn’t on this list, you could literally go to jail.
Rules of Engagement (RoE): Can I test at 2 AM? Can I social engineer the receptionist? Can I run a DDoS? You need these answers in writing.
Authorization: The “Get Out of Jail Free” card. If the police show up because you’re sniffing the Wi-Fi in a Cork business park, this paper is your only defense.
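The three pre-engagement artifacts above (signed scope, Rules of Engagement, written authorization) can be turned into a mechanical check that runs before every action. The following is an added example, not part of PTES or of this article: a small guard that refuses a target unless it is inside the signed scope, is not on the RoE exclusion list (think of the fragile device in a scope document), the engagement has a named signatory, and the current time falls inside the agreed testing window. The CIDR ranges, excluded host, signatory and window are constructed sample values; the window is evaluated in the `tz` field, which defaults to UTC here for portability.

```python
# Added example (not from the PTES standard or this article): a scope /
# Rules-of-Engagement guard to run before touching any target.
# All scope data below is constructed sample data.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time, timezone


@dataclass
class Scope:
    """Mirrors the signed scope document and the RoE constraints."""
    in_scope: list[str]                                  # CIDRs from the signed scope
    excluded: list[str] = field(default_factory=list)    # hosts never to touch (RoE)
    window_start: time = time(22, 0)                     # RoE: testing allowed 22:00-06:00
    window_end: time = time(6, 0)
    tz: timezone = timezone.utc                          # zone the RoE window is written in
    authorized_by: str | None = None                     # signatory on the authorization letter


def _in_window(now: datetime, scope: Scope) -> bool:
    """True if the (timezone-aware) instant falls inside the RoE testing window."""
    local = now.astimezone(scope.tz).time()
    if scope.window_start <= scope.window_end:
        return scope.window_start <= local < scope.window_end
    # window crosses midnight, e.g. 22:00 -> 06:00
    return local >= scope.window_start or local < scope.window_end


def check_target(target: str, scope: Scope, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). Every condition must hold; the first failure wins."""
    if not scope.authorized_by:
        return False, "no signed authorization on file"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames are not checked directly: resolve them and re-check the IP,
        # so that the address actually contacted is the one that was authorized.
        return False, f"{target!r} is not an IP address; resolve it and re-check"
    # Exclusions are checked first so an excluded host inside an in-scope
    # range is still refused.
    if any(ip in ipaddress.ip_network(n, strict=False) for n in scope.excluded):
        return False, f"{ip} is explicitly excluded by the RoE"
    if not any(ip in ipaddress.ip_network(n, strict=False) for n in scope.in_scope):
        return False, f"{ip} is not in the signed scope; request a change order"
    if not _in_window(now, scope):
        return False, (f"outside the testing window "
                       f"({scope.window_start}-{scope.window_end} {scope.tz})")
    return True, "authorized"


if __name__ == "__main__":
    # Constructed engagement: two ranges in scope, one host excluded by the RoE.
    scope = Scope(in_scope=["10.10.0.0/16", "203.0.113.0/24"],
                  excluded=["10.10.5.17"],
                  authorized_by="J. Doe, CISO (constructed)")
    now = datetime(2024, 3, 1, 23, 30, tzinfo=timezone.utc)
    for t in ["10.10.1.5", "10.10.5.17", "192.0.2.1", "www.example.com"]:
        print(t, "->", check_target(t, scope, now))
```

The order of the checks is the point: authorization before anything else, exclusions before inclusions, and time last, so the reason returned always names the first rule that would be broken.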
Phase 2: Intelligence Gathering (The Digital Stakeout)
You are essentially a private investigator. You want to know more about the company than the employees do.
Passive Recon: You’re looking at LinkedIn to see what tech stack the IT manager brags about. You’re using Google Dorks to find accidentally exposed PDF manuals or password reset links.
Active Recon: This is the “light touch.” You might scan their DNS or look for open ports. But be careful—the more “active” you are, the louder you are to their security team.
Phase 3: Threat Modeling
This is the “Strategy Meeting.” You don’t just throw everything at the wall. You look at the info you gathered and ask: “If I were a Russian APT group, how would I get into this Irish bank?”
Asset Identification: You identify the “Crown Jewels” (e.g., the customer database).
Threat Profiling: You decide which vulnerabilities are most likely to be exploited based on who the company’s enemies are.
Phase 4: Vulnerability Analysis
The “Discovery” phase. You’re looking for the cracks in the armor.
Automated vs. Manual: Sure, you’ll run Nessus or OpenVAS, but that only finds the “low-hanging fruit.” The real skill is manual analysis—finding that one weird logic flaw in a custom-coded login portal that a scanner would miss.
Validation: Don’t just report everything. If a scanner says “Critical,” check it yourself. There’s nothing more embarrassing than reporting a “ghost” vulnerability that doesn’t actually exist.
Phase 5: Exploitation
This is the “Hands-on-Keyboard” moment. You’ve found a crack; now you’re prying it open.
Precision: You aren’t trying to crash the server. You want a “low-noise” entry. You’re trying to get a Shell (control of the machine).
Bypassing Controls: You might have to get around an Anti-Virus (AV) or a Web Application Firewall (WAF).
Phase 6: Post-Exploitation
This is where the real value happens. You’re inside. Now what?
Pivoting: Can you use the HR lady’s compromised laptop to jump into the Server Room?
Data Hunting: You look for sensitive files, clear-text passwords in configuration files, or session cookies.
Persistence: You (carefully) see if you could maintain access if the system reboots. Note: Always remove your “backdoors” once the test is over.
Phase 7: Reporting
If you can’t explain what you did, the whole test was a waste of time.
The Executive Summary: Write this for a CEO who doesn’t know what an “SQL Injection” is. Tell them: “We got into the treasury system, and here is the financial risk.”
The Technical Details: Write this for the IT team. Give them the exact commands you ran so they can replicate and fix the issue.
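The two-audience report above, the validation rule from Phase 4 (report only what you confirmed) and the clean-up rule from Phase 6 (remove everything you left behind) all come from the same record: what was found, how it was proven, and what artifacts the proof created. The following is an added example, not from PTES or from this article: an engagement ledger that stores each finding with its validation status, evidence commands, remediation and leftover artifacts, then renders the executive summary (business impact only, validated findings only), the technical section (exact commands, with unvalidated scanner results flagged) and the clean-up checklist. The client name, hosts, findings and commands are constructed sample data.

```python
# Added example (not from the PTES standard or this article): an engagement
# ledger that produces the executive summary, the technical details and the
# clean-up checklist from one set of records. All data below is constructed.
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Lower number = more severe; used for ordering and for rejecting typos.
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}


@dataclass
class Finding:
    title: str
    severity: str                    # the tester's validated rating, not the scanner's
    host: str
    business_impact: str             # one plain-language sentence for executives
    evidence_commands: list[str]     # exact commands run, so the IT team can replicate
    remediation: str
    artifacts_left: list[str] = field(default_factory=list)  # accounts, files, shells
    validated: bool = False          # Phase 4: confirmed by hand, not just scanner output


@dataclass
class Ledger:
    client: str
    findings: list[Finding] = field(default_factory=list)

    def add(self, f: Finding) -> None:
        if f.severity not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {f.severity!r}")
        self.findings.append(f)

    def severity_counts(self) -> dict[str, int]:
        """Counts only validated findings; unvalidated ones stay out of the headline."""
        c = Counter(f.severity for f in self.findings if f.validated)
        return {s: c.get(s, 0) for s in SEVERITY_ORDER}

    def executive_summary(self) -> str:
        """Business risk only: no hosts, no commands, no jargon."""
        counts = self.severity_counts()
        lines = [f"Executive summary for {self.client}",
                 "Validated findings: " + ", ".join(f"{n} {s}" for s, n in counts.items() if n)]
        worst = sorted((f for f in self.findings if f.validated),
                       key=lambda f: SEVERITY_ORDER[f.severity])
        lines.extend(f"- {f.business_impact}" for f in worst[:3])   # top three by severity
        return "\n".join(lines)

    def technical_details(self) -> str:
        """For the IT team: every finding, the commands that prove it, and the fix."""
        lines = []
        for f in sorted(self.findings, key=lambda f: SEVERITY_ORDER[f.severity]):
            status = "validated" if f.validated else "UNVALIDATED - scanner result only"
            lines.append(f"[{f.severity}] {f.title} on {f.host} ({status})")
            lines.extend(f"    $ {cmd}" for cmd in f.evidence_commands)
            lines.append(f"    Remediation: {f.remediation}")
        return "\n".join(lines)

    def cleanup_checklist(self) -> list[tuple[str, str]]:
        """Every artifact the test left behind, as (host, artifact) pairs to remove."""
        return [(f.host, a) for f in self.findings for a in f.artifacts_left]


def sample_ledger() -> Ledger:
    """Constructed engagement data used by the demonstration below."""
    led = Ledger(client="Example Corp (constructed)")
    led.add(Finding("Deprecated TLS 1.0 enabled", "Medium", "10.10.1.5",
                    "Customer sessions to the web portal could be intercepted on hostile networks.",
                    ["openssl s_client -connect 10.10.1.5:443 -tls1"],
                    "Disable TLS 1.0 and 1.1 in the web server configuration.",
                    validated=True))
    led.add(Finding("Weak local administrator password", "High", "10.10.1.9",
                    "Anyone on the office network could read the payroll exports on this server.",
                    ["nmap -sV -p 445 10.10.1.9"],
                    "Rotate the password and enforce the corporate password policy.",
                    artifacts_left=["local user 'ptes_check'", "/tmp/ptes_marker.txt"],
                    validated=True))
    led.add(Finding("Scanner-flagged remote code execution", "Critical", "10.10.1.12",
                    "Not yet confirmed; no business impact stated until validated.",
                    ["(scanner output only; no manual check performed yet)"],
                    "Pending validation.",
                    validated=False))
    return led


if __name__ == "__main__":
    led = sample_ledger()
    print(led.executive_summary(), "\n")
    print(led.technical_details(), "\n")
    print("Clean-up:", led.cleanup_checklist())
```

Note that the unvalidated scanner result still appears in the technical section, clearly marked, but never reaches the executive summary or the headline counts; that is the “ghost vulnerability” rule from Phase 4 applied mechanically.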
3. 20 Interview Questions & Answers
Q1: What is the main purpose of PTES?
A: To provide a common language and scope for performing a penetration test to ensure a high level of quality and consistency.
Q2: What is the most critical part of the “Pre-engagement” phase?
A: Obtaining written authorization. Never start a test without a signed contract.
Q3: How does PTES define “Scope”?
A: Scope defines the boundaries of the test—what is included, what is excluded, and the timeframe for the engagement.
Q4: What is the difference between Intelligence Gathering and Vulnerability Analysis?
A: Intelligence Gathering is about finding information (emails, IPs); Vulnerability Analysis is about finding weaknesses in those targets.
Q5: Why is Threat Modeling important in a pen test?
A: It allows the tester to prioritize assets that are most likely to be attacked by real-world adversaries, making the test more realistic.
Q6: What should a tester do if they find a “Critical” vulnerability during the Exploitation phase?
A: According to PTES, you should immediately notify the client (emergency contact) before continuing, as it represents an immediate risk to their business.
Q7: What is “Lateral Movement” in the Post-Exploitation phase?
A: The process of using a compromised system to gain access to other systems on the same network.
Q8: What are the two main audiences for a PTES report?
A: Executives (who need to know the business risk) and Technical Staff (who need to know how to fix the flaws).
Q9: What is “OSINT”?
A: Open Source Intelligence—gathering information from publicly available sources like LinkedIn, WHOIS, and Google.
Q10: Why is “Post-Exploitation” considered the most valuable phase for a client?
A: It demonstrates the actual impact of a breach—showing what an attacker could steal or destroy once they are inside.
Q11: What is a “Rules of Engagement” (RoE) document?
A: A document that specifies the technical constraints, such as “No testing after 5 PM” or “Do not touch the Production Database.”
Q12: How does PTES handle “Clean up”?
A: Testers are required to remove all shells, temporary accounts, and tools installed during the test.
Q13: What is “Passive” vs. “Active” Reconnaissance?
A: Passive doesn’t touch the target’s infrastructure (e.g., Google); Active interacts with it (e.g., Nmap scanning).
Q14: What is the difference between a Vulnerability Assessment and a Penetration Test?
A: An assessment finds the flaws; a pen test exploits them to prove they are real and show the impact.
Q15: What is “Persistence” in Post-Exploitation?
A: Ensuring that you can get back into a system even if the computer is rebooted or the initial exploit is patched.
Q16: Can you explain “Pivoting”?
A: Using a compromised machine as a “proxy” or tunnel to attack another network segment that was previously unreachable.
Q17: What should be included in the “Remediation” section of a report?
A: Specific, actionable steps (e.g., “Apply patch KB12345” or “Update the TLS configuration”) to fix the vulnerability.
Q18: What is “Blind” vs. “Double-Blind” testing?
A: In Blind, the tester knows nothing; in Double-Blind, the IT staff doesn’t even know a test is happening.
Q19: What is the “Executive Summary”?
A: A high-level overview of the test results, focusing on business risk and overall security posture, avoiding technical jargon.
Q20: Why is “Intelligence Gathering” the longest phase?
A: Because the better your intel, the easier the exploitation. Most of a pen test is research.
4. 10 Scenario-Based Questions & Answers
Scenario 1: During the test, you accidentally crash a server. What is your first step according to PTES?
Answer: Immediately stop all testing and notify the client’s technical point of contact as defined in the Rules of Engagement.
Scenario 2: A client asks you to test an IP address that is not in the signed scope. What do you do?
Answer: Refuse to test it. Ask the client to update the Scope document and sign a change order before proceeding.
Scenario 3: You find a login page for a payroll system. Which phase are you in?
Answer: Intelligence Gathering (identifying the asset) or Vulnerability Analysis (checking if the page has flaws like SQL injection).
Scenario 4: You have gained access to a standard user’s PC. You use a kernel exploit to become “SYSTEM.” What is this called?
Answer: Post-Exploitation, specifically Privilege Escalation.
Scenario 5: You are writing a report and find a vulnerability that is “unfixable” due to legacy hardware. What do you recommend?
Answer: Recommend Compensating Controls, such as isolating that hardware on a separate VLAN with strict firewall rules.
Scenario 6: The client’s IT team is blocking your IP address every time you scan. What phase is this?
Answer: This happens during Exploitation or Vulnerability Analysis. It shows the client’s Detection & Response capabilities are working.
Scenario 7: You are searching LinkedIn to find the names of IT managers at the target company. What is this?
Answer: Intelligence Gathering (OSINT).
Scenario 8: You use a stolen session cookie to access a web portal without a password. What is this?
Answer: Exploitation.
Scenario 9: You are calculating which systems have the most “Business Critical” data to decide where to focus your attack. What is this?
Answer: Threat Modeling.
Scenario 10: After the test, you provide a list of every command you ran to the client. Why?
Answer: This is part of the Reporting and Clean-up phases, ensuring the client can verify your actions and remove any traces of the test.
Scenario 11: Your report shows 0 “Critical” findings. The client thinks you didn’t work hard enough.
Answer: I would walk them through the “Defense-in-Depth” successes I found. I’d show them all the things their team is doing right, and focus on the “Medium” risks that could be chained together.
Scenario 12: The client wants the final report in 24 hours, but you still have 2 days of testing left.
Answer: Explain that a rushed report is a low-quality report. Offer an “Interim Findings” summary now, but insist on the full time to complete the analysis and remediation steps.
Scenario 13: You’re halfway through the test and realize the client gave you the wrong IP range (it belongs to a different company).
Answer: Stop immediately. You have accidentally “attacked” a third party. Notify your management and the client’s legal team at once.
Scenario 14: The client’s firewall is blocking all your scans. How do you finish the test?
Answer: This is a “Defense Evasion” challenge. I would try slower, fragmented scans, or ask the client to “white-list” my IP so I can test the internal systems (a “Grey Box” approach).
Scenario 15: You’re scanning a network and find a device you suspect is a medical heart monitor. What do you do?
Answer: Immediately stop scanning that IP. Check the Scope document. If it’s in scope, call the client and warn them of the risk of crashing a life-critical device before proceeding.
Conclusion:
PTES is the difference between a “script kiddie” and a trusted security advisor. By following this standard, we ensure that every test is legal, safe, and most importantly useful.