A pentest framework, or penetration testing framework, is a standardized set of guidelines and suggested tools for structuring and conducting effective pentests across different networks and security environments.
While it’s certainly possible to construct your own pentest framework that meets the specific security and compliance requirements of your organization, a number of existing methodologies and frameworks can be built upon to make the job easier for you. In fact, it’s generally more effective to use one of these comprehensive and peer-reviewed solutions in order to keep your pentests on track.
Read on to learn more about how pentest frameworks are used, how they’re set up, and some of the top pentest frameworks that are available today.
Jump ahead to:
- How Pentest Frameworks Work
- 10 Categories in a Pentest Framework
- How Penetration Test Frameworks Are Used
- 7 Top Pentest Frameworks
- Bottom Line: Pentest Frameworks
Also read: What Is Penetration Testing? Complete Guide & Steps
How Pentest Frameworks Work
In simple terms, a pentest framework works by guiding pentesters to the right tools and methodologies to use for a penetration test, depending on the pentest type and the scope of the test they’re planning to run. Once a pentester gets started with the penetration testing and ethical hacking process, they should reference the pentest framework for the tactical categories they should assess during their tests.
Once the pentest is complete, the pentester should continue using the framework to help them further evaluate and report on their findings, especially as they relate to those primary tactical categories. It’s also important to return the environment to its pre-pentest settings.
The Steps of a Typical Pentest Framework
Pentest frameworks work in slightly different ways, depending on which pentest framework you use, but most follow similar steps that help organizations efficiently and comprehensively move through their pentesting programs.
These are some of the most common steps a pentest framework follows:
- Initial planning and preparation: The framework instructs organizations to determine who their pentester(s) will be, what pentest framework and methodology/methodologies they’ll be following, expectations for the test and reported results, any legal or compliance requirements, and any tools or resources that are needed in order to conduct a successful test.
- Intelligence and information gathering: Information that should be gathered early in the pentest framework development and selection process includes the scope of asset ownership, network targets, exploits, any involved third parties, network ports, IP addresses, relevant employees’ names, and property locations. In some cases, this phase is also called the discovery, testing, scanning, or assessment phase.
- Attack phase: The pentester begins their attack and evaluates the system based on how it performs against the framework’s predefined tactic categories.
- Post-attack phase: The pentester, or a team of cybersecurity experts, makes sure the testing environment’s assets and features are returned to their original state.
- Reporting results: The pentest framework is used to frame results based on tools used, tactic category performance, and more.
Also read: How to Implement a Penetration Testing Program in 10 Steps
10 Categories in a Pentest Framework
The typical pentest framework clearly outlines tactic categories that pentesters should use to evaluate cybersecurity performance on multiple fronts during their penetration testing efforts. Every framework uses its own terminology and approach to tactic categories, but these are some of the most frequently found categories in a pentest framework:
- Collection: As an ethical hacker, what kinds of information and security intelligence are you able to collect during your attack? How valuable would this information be to future attack vectors and plans?
- Command and control: What kinds of backdoors and covert forms of communication are you able to set up in the enterprise network’s servers or apps during your simulated attack? Are these backdoors easily detected? Do they stay open even after cybersecurity tools step in to mitigate risk?
- Credential/information access: What tools, users, and hardware can access what kinds of information? What credentials and controls are in place and how effective are they at stopping unauthorized user access during your simulated attack?
- Defense evasion capabilities and strategies: How does your cybersecurity infrastructure handle threat detection and how does it respond to an attacker’s defense evasion strategies? How effectively does your infrastructure identify and avoid various types of threats, and how quickly does it pivot when initial lines of defense aren’t enough?
- Discovery and information gathering: How quickly and comprehensively does your cybersecurity setup gather and sift through relevant security incident information after the simulated attack begins?
- Execution: How do your cybersecurity tools respond when handling an unauthorized user or other suspicious activity in the network? What tools go into action, what are their response timelines, and what gets mitigated by tools versus security professionals? Additionally, how does your cybersecurity infrastructure respond to attack types like remote code execution?
- Exfiltration: Can data be stolen from any part of your network? If so, what data is accessible, in what quantities can it be taken, and how much defense (if any) goes up against data exfiltration operations?
- Lateral movement: During the simulated attack, are you able to easily move from your initial point of access into another app, database, or component of the network? How difficult is lateral movement between grouped apps versus parts of the network that are in separate segments or departments?
- Persistence: What misconfigurations, backdoors, implants, or other components of your attack persist even after cybersecurity tools respond to your attack? Over what time frame can these features continue to deploy discreet attacks?
- Privilege escalation: Can attackers change their own credentials or steal the credentials of another user in order to elevate their access levels and user permissions in the network or specific applications? How difficult is privilege escalation for an internal bad actor versus an external bad actor?
How Penetration Test Frameworks Are Used
Generally speaking, penetration test frameworks are used to make pentesting efforts more comprehensive and effective. However, pentests are used for a variety of reasons, and pentest frameworks have a few different use cases as well. Here are some of the most common ways penetration test frameworks are used:
- Vulnerability assessment and management
- Ethical hacking for offensive cybersecurity improvements
- Defensive cybersecurity evaluations
- Discovery, probing, and reconnaissance
- Enumeration and information gathering
- Cybersecurity and compliance audits
7 Top Pentest Frameworks Explained
Below, you will find some of the most commonly used pentest frameworks and methodologies, both in a chart and a more detailed discussion. It’s important to note that many of the frameworks you see listed here — such as the Open Source Security Testing Methodology Manual (OSSTMM) — started out as simple pentesting frameworks but have since evolved into methodologies upon which other pentesting frameworks have been developed.
| Pentest framework | Provider | Focus areas and noteworthy features |
|---|---|---|
| Cobalt Strike | Fortra |
|
| Metasploit Framework Metasploit Pro |
Rapid7 |
|
| NIST Cybersecurity Framework (CSF) | National Institute of Standards and Technology (NIST) |
|
| Open Source Security Testing Methodology Manual (OSSTMM) | Institute for Security and Open Methodologies (ISECOME) |
|
| Penetration Testing Execution Standard (PTES) | A collection of information security experts from various organizations |
|
| OWASP Continuous Penetration Testing Framework | Open Web Application Security Project (OWASP) |
|
| PenTesters Framework (PTF) | TrustedSec |
|
Cobalt Strike
Cobalt Strike is a red team command and operations framework that is one of the most popular frameworks for pentesting. The tool includes adversary simulations, incident response guidance, social engineering capabilities, and more. Users have the option to alter Cobalt Strike to their specific needs with the Community Kit repository, and they can further extend its capabilities by using it in combination with Core Impact, the pentesting software offered by Fortra.
Also read: How Cobalt Strike Became a Favorite Tool of Hackers
Metasploit
Metasploit is a collaboratively-designed penetration testing framework that comes from Rapid7 and the open-source community. Some of its most important features include 1,500 exploits, network discovery, MetaModules for tasks like network segmentation testing, automated tests, baseline audits and reports, and manual exploitation and credential brute forcing options. Users can choose between the free, open-source version of Metasploit or Metasploit Pro for additional features.
Also read: Getting Started With the Metasploit Framework: A Pentesting Tutorial
NIST Cybersecurity Framework
NIST’s Cybersecurity Framework (CSF) is a slightly broader framework option that focuses on standards, best practices, and guidelines for all kinds of cybersecurity risks. The five functions that this framework focuses on are: Identify, Protect, Detect, Respond, and Recover. Because this is a broader framework and comes from the U.S. Department of Commerce, this standardized framework can be used as guidelines for a variety of cybersecurity tests and compliance audits.
Open Source Security Testing Methodology Manual (OSSTMM)
The OSSTMM framework from the Institute for Security and Open Methodologies (ISECOME) has moved past basic framework features into a full methodology for security testing and analysis. Among other topics covered in its detailed guide, the Open Source Security Testing Methodology Manual gives users information about how to define and scope a security test, rules of engagement, error handling, and disclosure of results.
Penetration Testing Execution Standard (PTES)
The Penetration Testing Execution Standard, or PTES, is another pentesting framework that has evolved into a full methodology. Its main sections cover penetration test communication and rationale, intelligence gathering, threat modeling, vulnerability research, exploitation and post-exploitation, and reporting. The guidelines in the official PTES do not discuss how to conduct a pentest; the team has developed a technical guidelines document to instruct and support in this area. A second, updated version of PTES is currently in the works.
Open Web Application Security Project (OWASP)
OWASP’s Continuous Penetration Testing Framework is an in-the-works framework that focuses on standards, guidelines, and tools for information security and application security penetration tests. OWASP offers a transparent roadmap to users who are interested in learning more about the release timeline and features of this framework.
PenTesters Framework (PTF)
TrustedSec’s PenTesters Framework (PTF) is based heavily on the Penetration Testing Execution Standard. It is designed to make installation and packaging more streamlined and is considered highly customizable and configurable. Users can either download PTF with a Linux command or directly through Git.
Also read:
- Best Open-Source Distributions for Pentesting and Forensics
- Top Open Source Penetration Testing Tools
Featured Cybersecurity Software
Bottom Line: Pentest Frameworks
Your penetration testing efforts won’t be as successful if you don’t rely on a pentest framework to structure your processes, the tools you use, and the tactical areas you target. It’s important for pentesting procedures to be both repeatable and scalable, especially as your organization and its attack surface grow. Pentest frameworks take the guesswork out of pentesting, allowing you to focus on improving other areas of vulnerability management while still conducting successful tests and research.
Further reading:
