PTES Penetration Testing Providers
Penetration Testing Execution Standard · Published by PTES Community
The Penetration Testing Execution Standard (PTES) provides a comprehensive framework that defines the entire penetration testing engagement lifecycle from start to finish. Developed by a group of information security practitioners, PTES covers seven distinct phases: pre-engagement interactions, intelligence gathering, threat modelling, vulnerability analysis, exploitation, post-exploitation, and reporting. Each phase is defined with detailed technical guidelines that help both testers and clients understand what a professional penetration test should include.
PTES is particularly valuable because it addresses not just the technical testing itself but also the business and communication aspects of an engagement, including scoping, rules of engagement, legal considerations, and report structure. The standard includes a technical guidelines supplement that provides specific techniques, tools, and procedures for each testing phase, making it practical for testers to implement.
PTES is tool-agnostic, focusing instead on the objectives and outcomes of each phase. Many penetration testing providers reference PTES alongside other frameworks to ensure their engagements follow a structured, professional process that delivers consistent, repeatable results across different testing scenarios and client environments.
Key Features
- Seven-phase engagement lifecycle
- Pre-engagement through reporting coverage
- Technical guidelines supplement
- Tool-agnostic approach
- Business and communication guidance
Best For
- Full-scope penetration testing
- Engagement lifecycle management
- Network penetration testing
- Structured testing methodology
- Client communication frameworks
Providers using PTES (58)
NCC Group
Global cybersecurity consultancy with CREST, CHECK, and CBEST accreditation, renowned for deep technical research and comprehensive penetration testing services.
Nettitude
CREST, CHECK, and CBEST accredited UK consultancy within Lloyd's Register, delivering premium penetration testing for government and critical infrastructure.
NetSPI
Leading penetration testing firm with the Resolve platform for continuous attack surface management, trusted by nine of the top ten US banks.
Pen Test Partners
The UK's largest independent security testing firm, renowned for IoT/OT research, CBEST red teaming, and CHECK/CREST-accredited penetration testing across all sectors.
Trustwave
Global managed security provider with the elite SpiderLabs penetration testing team and deep PCI DSS compliance expertise.
Secarma
Manchester-based independent cybersecurity consultancy with over 20 years of experience delivering CREST and CHECK-accredited penetration testing, red teaming, and compliance certification services.
Bridewell
Fast-growing CREST and CHECK-accredited UK cybersecurity consultancy with deep expertise in critical national infrastructure sectors.
Pentest People
CREST and CHECK-accredited UK penetration testing firm with an innovative SecurePortal platform and transparent pricing for mid-market organizations.
JUMPSEC
Full-service London-based cybersecurity consultancy with CREST, CHECK, and NCSC accreditations delivering offensive testing, managed detection, and strategic advisory services.
Mandiant
World-renowned cybersecurity firm now part of Google Cloud, delivering threat intelligence-led penetration testing and red teaming informed by front-line incident response experience.
Bulletproof
CREST-accredited UK cybersecurity and compliance provider offering penetration testing, managed security services, and regulatory consultancy to over 2,000 customers from its Stevenage headquarters.
PTES FAQs
What are the seven phases of PTES?
The seven PTES phases are: Pre-engagement Interactions, Intelligence Gathering, Threat Modelling, Vulnerability Analysis, Exploitation, Post-Exploitation, and Reporting. Each phase has defined objectives and deliverables.
How does PTES differ from OWASP?
OWASP focuses specifically on application security testing with detailed test cases. PTES covers the entire penetration testing engagement lifecycle including scoping, communication, and reporting, making it broader in scope but less application-specific.
Is PTES still actively maintained?
PTES was published as a community standard and remains widely referenced, though updates have been infrequent. Many providers use PTES as a foundational framework supplemented by more frequently updated resources like OWASP.