PTES Penetration Testing Providers

Penetration Testing Execution Standard · Published by PTES Community

The Penetration Testing Execution Standard (PTES) provides a comprehensive framework that defines the entire penetration testing engagement lifecycle from start to finish. Developed by a group of information security practitioners, PTES covers seven distinct phases: pre-engagement interactions, intelligence gathering, threat modelling, vulnerability analysis, exploitation, post-exploitation, and reporting. Each phase is defined with detailed technical guidelines that help both testers and clients understand what a professional penetration test should include.

PTES is particularly valuable because it addresses not just the technical testing itself but also the business and communication aspects of an engagement, including scoping, rules of engagement, legal considerations, and report structure. The standard includes a technical guidelines supplement that provides specific techniques, tools, and procedures for each testing phase, making it practical for testers to implement.

PTES is agnostic about specific tools, focusing instead on the objectives and outcomes of each phase. Many penetration testing providers reference PTES alongside other frameworks to ensure their engagements follow a structured, professional process that delivers consistent, repeatable results across different testing scenarios and client environments.

Key Features

  • Seven-phase engagement lifecycle
  • Pre-engagement through reporting coverage
  • Technical guidelines supplement
  • Tool-agnostic approach
  • Business and communication guidance

Best For

  • Full-scope penetration testing
  • Engagement lifecycle management
  • Network penetration testing
  • Structured testing methodology
  • Client communication frameworks

Providers using PTES (74)

Best for Mid-Market · Best for Financial Services

NetSPI

Penetration testing firm trusted by nine of the top ten US banks, with the Resolve platform for continuous attack surface management.

Minneapolis, Minnesota, United States · Premium
Web Application · Network · Cloud · +8
SOC 2 · ISO 27001 · CREST
Verified May 2026

Pen Test Partners

The UK's largest independent security testing firm, renowned for IoT/OT research, CBEST red teaming, and CHECK/CREST-accredited penetration testing across all sectors.

Buckingham, United Kingdom · Premium
Web Application · Network · Mobile App · +11
CREST · CHECK · CBEST · +5
Verified Apr 2026

Trustwave

Global managed security provider with the elite SpiderLabs penetration testing team and deep PCI DSS compliance expertise.

Chicago, Illinois, United States · Enterprise
Web Application · Network · Mobile App · +7
PCI QSA · ISO 27001 · SOC 2 · +1
Verified Apr 2026

Secarma

Manchester-based independent cybersecurity consultancy with over 20 years of experience delivering CREST and CHECK-accredited penetration testing, red teaming, and compliance certification services.

Manchester, United Kingdom · Mid-Range
Web Application · Network · Mobile App · +6
CREST · CHECK · ISO 27001 · +3
Verified Apr 2026

Bridewell

Fast-growing CREST and CHECK-accredited UK cybersecurity consultancy with deep expertise in critical national infrastructure sectors.

Bristol, United Kingdom · Mid-Range
Web Application · Network · Cloud · +7
CREST · CHECK · ISO 27001 · +1
Verified Apr 2026

JUMPSEC

Full-service London-based cybersecurity consultancy with CREST, CHECK, and NCSC accreditations delivering offensive testing, managed detection, and strategic advisory services.

London, United Kingdom · Mid-Range
Web Application · Network · Cloud · +6
CREST · CHECK · ISO 27001 · +3
Verified May 2026

Pentest People

CREST and CHECK-accredited UK penetration testing firm with an innovative SecurePortal platform and transparent pricing for mid-market organizations.

Leeds, United Kingdom · Mid-Range
Web Application · Network · Mobile App · +7
CREST · CHECK · Cyber Essentials Plus · +1
Verified May 2026

APT Intelligence Leader · TIBER-EU Specialist

Mandiant

World-renowned cybersecurity firm now part of Google Cloud, delivering threat intelligence-led penetration testing and red teaming informed by front-line incident response experience.

Reston, Virginia, United States · Enterprise
Red Teaming · Purple Teaming · Network · +6
SOC 2 · ISO 27001 · FedRAMP 3PAO
Verified Apr 2026

Bulletproof

CREST-accredited UK cybersecurity and compliance provider offering penetration testing, managed security services, and regulatory consultancy to over 2,000 customers from its Stevenage headquarters.

Stevenage, United Kingdom · Mid-Range
Web Application · Network · Mobile App · +8
CREST · ISO 27001 · Cyber Essentials · +3
Verified Apr 2026

Top US Provider · FedRAMP 3PAO

GuidePoint Security

US-headquartered cybersecurity consultancy with 800+ employees, serving ~40% of the Fortune 500. FedRAMP 3PAO, PCI QSA, and HITRUST accreditations.

Reston, United States · Enterprise
Web Application · Network · Mobile App · +12
FedRAMP 3PAO · PCI QSA · SOC 2 · +1
Verified Apr 2026

FedRAMP 3PAO · PCI QSA

Coalfire

Compliance-focused cybersecurity advisory firm and FedRAMP 3PAO specializing in penetration testing that meets stringent regulatory requirements.

Westminster, Colorado, United States · Enterprise
Web Application · Network · Cloud · +5
SOC 2 · FedRAMP 3PAO · PCI QSA · +1
Verified May 2026

Best Overall · Elite Testers

Bishop Fox

Tempe, Arizona-headquartered offensive security firm and Black Hat / DEF CON regulars, makers of the Cosmos continuous attack surface management platform.

Tempe, Arizona, United States · Enterprise
Web Application · Network · Mobile App · +8
SOC 2 · OSCP Employer
Verified May 2026

PTES FAQs

What are the seven phases of PTES?

The seven PTES phases are: Pre-engagement Interactions, Intelligence Gathering, Threat Modelling, Vulnerability Analysis, Exploitation, Post-Exploitation, and Reporting. Each phase has defined objectives and deliverables.

How does PTES differ from OWASP?

OWASP focuses specifically on application security testing with detailed test cases. PTES covers the entire penetration testing engagement lifecycle including scoping, communication, and reporting, making it broader in scope but less application-specific.

Is PTES still actively maintained?

PTES was published as a community standard and remains widely referenced, though updates have been infrequent. Many providers use PTES as a foundational framework supplemented by more frequently updated resources like OWASP.
