StrikePoint · Methodology Architecture Guide

Penetration Testing Methodology — Framework, Taxonomy & Guardrails

The methodology that underpins every StrikePoint engagement. Its organizing idea: published testing frameworks are dynamically-loaded library checklists, bound by the engagement agreement, that pass or fail through defined acceptance & surrender levels. Standards-based, outside-in, and productizable as a service.

Scope: Methodology architecture — not exploit code Verification: Primary-source cited throughout Revised: 2026-07-06
Verified Confirmed against a primary / authoritative source Contested Accurate but with a documented limitation or version-sensitivity

Section 01How the system works — the spine

StrikePoint's methodology is not a single checklist. It is a linker model: the industry frameworks are versioned libraries of checks, the signed agreement is what binds a chosen subset of them to a specific target, and the surrender levels are the assertions that grade the result. This is the organizing principle every later section is an instance of.

Libraries

Methodology modules

PTES phases, OWASP WSTG/MASTG test categories, OSSTMM channels, per-surface MITRE ATT&CK technique sets. Versioned. Load only what scope calls for.

Linker

The engagement agreement

Resolves which modules load, against which assets, up to which ceiling. An unbound check is unauthorized access — so binding is the legal firewall, not a formality.

Runtime + assertions

Surrender levels

Each loaded check resolves on the S0–S4 ladder. The Pass Threshold decides pass/fail; the Authorization Ceiling is the hard bound the run cannot exceed.

Section 02Framework comparison — the libraries

The modules StrikePoint composes. PTES is the lifecycle spine, ATT&CK the technique taxonomy, the Cyber Kill Chain the narrative, PCI/NIST the compliance-grade structure, OSSTMM the measurable channel model, and TIBER-EU the threat-led authorization model. OWASP's WSTG page is the canonical index of recognized methodologies.1

FrameworkOwnerPhase / structureRole in StrikePointStatus
PTESPen Testing Execution Standard7 phases: Pre-engagement, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post-Exploitation, Reporting1Master engagement lifecycleVerified
MITRE ATT&CKMITREMatrix of tactics (TA####) × techniques (T####), outside-in from Reconnaissance to Impact5Technique taxonomy & citable ID systemVerified
NIST SP 800-115NIST (Sept 2008)4 phases: Planning, Discovery, Attack, Reporting; written authorization required before testing2US federal baseline; authorization gateVerified
OSSTMM 3ISECOM5 channels (Human, Physical, Wireless, Telecommunications, Data Networks) + RAV metric (exposure/visibility/trust/controls)7Measurable channel & attack-surface scoringVerified
Cyber Kill ChainLockheed Martin7 stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Actions on Objectives6Adversary-progression narrative for reportsContested
PCI DSS Pentest GuidancePCI SSC3-phase lifecycle: Pre-engagement, Engagement, Post-engagement8Compliance structure for cardholder-data clientsVerified
TIBER-EUEuropean Central Bank3 phases: Preparation, Testing, Closure — live production, full consent9Threat-led red-team + authorization modelVerified
OWASP WSTG / MASTGOWASPTest-category checklists for web (WSTG) & mobile (MASTG) surfaces1Depth checklists for web & mobileVerified
CRESTCREST (int'l body)Accreditation for firms + certification for individuals; recognized by UK NCSC CHECK10Industry accreditation / trust referenceVerified
ISSAFOISSGAssessment framework linking pentest steps to tools; last updated 2006, no longer maintained11Historical reference only — not a live standardContested
Two libraries carry currency caveats. ISSAF has not been updated since 2006 — use as reference, never as the governing standard.11 The Cyber Kill Chain is accurate as its authors intended but widely criticized as linear and perimeter/malware-centric, weak on insider threats and lateral movement6 — use it for narrative; prefer ATT&CK as the authority for lateral movement and post-exploitation.

Section 03The unified phase model

PTES supplies the master spine (most complete lifecycle1); ATT&CK tactics overlay each execution phase so every action carries a citable ID; NIST's four-phase model2 is the compliance-grade compression of the same shape. The engagement runs outside-in.

StrikePoint phasePTESNIST 800-115ATT&CK tactic(s)
0 · AuthorizePre-engagementPlanning— (guardrail layer, §06)
1 · ReconIntelligence GatheringDiscoveryTA0043 Reconnaissance
2 · ModelThreat ModelingDiscoveryTA0042 Resource Development
3 · AnalyzeVulnerability AnalysisDiscovery(pre-access assessment)
4 · AccessExploitationAttackTA0001 Initial Access, TA0002 Execution
5 · AdvancePost-ExploitationAttackTA0004 PrivEsc, TA0008 Lateral Movement, TA0003 Persistence, TA0010 Exfil
6 · ReportReportingReporting— (remediation & retest)
On sequencing: PTES presents phases in order, but engagements iterate — exploitation loops back to intelligence gathering as new surface appears.4 Treat the spine as a control structure, not a strict waterfall.

Section 04Technique taxonomy — outside-in

The categorized technique set, phase by phase, with verified ATT&CK IDs. Tactic-level IDs (TA####) are stable; technique-level IDs (T####) are cited from the live ATT&CK Enterprise matrix (see version note, §08).

1

Reconnaissance & OSINT

ATT&CK TA0043

"The adversary is trying to gather information they can use to plan future operations" — active and passive.3

  • Active Scanning T1595Direct probing of the target's public ranges to map live services.
  • Gather Victim Identity Info T1589Emails, employee names, roles that seed phishing and password attacks.
  • Search Victim-Owned Websites T1594Mining the client's own web presence for technology and structure.
2

Scanning & enumeration

bridges Recon → Access

Turning the map into a service inventory. PCI draws the line here: a scan identifies & ranks; a pentest attempts to exploit.12

  • Network Service Discovery T1046Port and service enumeration across the in-scope external range.
  • Content / path discoveryEnumerating hidden web paths, virtual hosts, and API endpoints.
3

Vulnerability analysis

PTES phase 4

Correlating discovered services against known weaknesses, prioritizing by exploitability and impact — before any exploit fires.

  • Automated assessment + manual validationTool-driven identification, then hands-on validation to strip false positives.
  • Business-logic analysisLogic flaws scanners cannot see — the pentest's real value-add.
4

Gaining access — exploitation by surface

ATT&CK TA0001

Exploitation, organized by attack surface. Each is a scope opt-in.

  • External network / firewall evasion T1190Exploit Public-Facing Application; testing WAF/firewall rule efficacy and evasion.
  • Web application (OWASP Top 10)Injection, broken access control, SSRF — depth-tested against OWASP WSTG.
  • Valid Accounts T1078 / External Remote Services T1133Using or abusing legitimate credentials and remote-access services to enter.
  • Wireless T1669Wi-Fi network attacks, rogue APs, weak encryption, guest/corporate segmentation.
  • Telecom / phone-phreaking & VoIPOSSTMM telecom channel: PBX/VoIP misconfig, toll fraud, voice-path weaknesses.7
  • Phishing T1566 & social engineering T1598Bulk/spear phishing; vishing, pretexting, tailgating — consent-based, allowlisted only.
  • Denial of Service T1498 / T1499Network & endpoint resource-exhaustion (ATT&CK Impact tactic) — authorized only, caps low.14
DoS, telecom, and social engineering carry the highest collateral and legal risk. Each is a scope opt-in, never a default; social-engineering targets must be individually consented and allowlisted.
5

Post-exploitation — escalate, move sideways, persist, exfiltrate

ATT&CK TA0008

Demonstrating real impact by moving inward and laterally. MITRE defines Lateral Movement (TA0008) as "the adversary is trying to move through your environment."15

  • Privilege Escalation TA0004"Gain higher-level permissions" — 13 techniques incl. Exploitation for PrivEsc T1068, Abuse Elevation Control T1548.16
  • Lateral Movement TA0008Remote Services T1021, Exploitation of Remote Services T1210, Use Alternate Auth Material T1550, Internal Spearphishing T1534.15
  • Persistence TA0003"Maintain their foothold" — 22 techniques incl. Boot/Logon Autostart T1547, Create Account T1136.17
  • Exfiltration TA0010"Steal data" — 9 techniques incl. Exfil Over C2 T1041, Over Alternative Protocol T1048. Controlled proof-of-impact only.18
Living off the land: MITRE notes adversaries may use legitimate credentials with native OS/network tools rather than their own, "which may be stealthier."15 StrikePoint mirrors this to assess real detection capability.
6

Reporting & remediation

PTES 7 · NIST Reporting

Findings ranked by risk, mapped to ATT&CK IDs, with a prioritized remediation list and a retest — where PTES and the PCI post-engagement phase converge.8

  • Risk-ranked, evidence-backed findingsEach issue rated by impact and exploitability.
  • ATT&CK-mapped attack narrativeThe path retold by tactic/technique ID for defender alignment.
  • Prioritized remediation + retestActionable fixes, then verified — "fix list, not just findings."

Section 05Acceptance & surrender levels

A methodology says how we test; it does not say what counts as a win. StrikePoint closes that with a pre-agreed, contractual threshold of customer surrender — the depth of compromise at which a control is deemed to have failed. Crucially, the agreed level is both the success bar and the authorization stop-line: acceptance criteria and rules of engagement are one dial.

S0Reachable

The vector exists & is reachable. No interaction.

S1Susceptible

Would-surrender proven — clicked / exploitable — nothing taken.

S2Surrendered

Secret / access actually obtained; held, not yet used.

S3Actioned

Access used for a safe, reversible proof-action.

S4Objective

Crown-jewel / flag reached. Full chained impact.

Each in-scope surface is assigned two values in the Statement of Work: a Pass Threshold (the level at which the test authenticates as successful / the control is deemed failed) and an Authorization Ceiling (the maximum level StrikePoint may reach; always ≥ the threshold, and the mandatory stop line). Consent scales with the ceiling — S3–S4 add action-specific written authorization, a named approver, and stop conditions. DoS normally caps at S1.

Full model — the per-surface matrix, the worked social-engineering example, and the contract clause shapes — lives in the companion module, "Acceptance & Surrender Levels" (read it here). This section is the summary that binds it to the methodology spine.

Section 06The guardrail layer — the linker

This layer wraps every phase and is what makes the whole thing lawful. Authorization is the legal dividing line: under the CFAA (18 U.S.C. §1030), accessing a computer "without authorization" or in a way that "exceeds authorized access" is a federal crime — identical technical actions are lawful with explicit permission and criminal without it.19

Guardrail controlWhat it fixesStatus
Signed scope agreementDefines exactly which assets, ranges, and vectors are in-bounds before any packet is sent.Verified
Written authorizationNIST 800-115: "written authorization or rules of engagement should be obtained and documented before testing begins."2Verified
Rules of EngagementTiming windows, permitted exploitation depth (the surrender ceiling), escalation contacts, stop conditions.Verified
Full consent, live-productionTIBER-EU: activities "under a contractual agreement with the full consent of the entity," mitigating legal concerns beforehand.9Verified
CFAA & equivalentsUS CFAA §1030; UK Computer Misuse Act 1990 (unauthorised access); EU Directive 2013/40/EU on attacks against information systems.1920Verified
Do not overstate compliance mandates. Earlier verification refuted the claim that PCI SSC requires documented rules-of-engagement authorization before exploitation. Authorization is StrikePoint's own non-negotiable control and the NIST/TIBER-EU model — not a universal PCI requirement.

Section 07Why outside-in maps to SaaS

The linker model is not just lawful — it is the natural architecture for a productized service. TIBER-EU's Preparation → Testing → Closure, on live systems under consent,9 is effectively a three-stage workflow behind an authorization gate, which a SaaS platform expresses well.

Section 08Version control & sources

Because the frameworks are versioned libraries, the guide manages drift explicitly rather than pretending the standards are static.

ATT&CK version pinning. Tactic and technique counts move between ATT&CK releases. Technique IDs in §04 reflect the live ATT&CK Enterprise matrix as of July 2026. Every engagement must pin the ATT&CK version in its manifest so client citations stay stable.

Sources

  1. OWASP WSTG — Penetration Testing Methodologies (v4.1). owasp.orgPrimary
  2. NIST SP 800-115 — Technical Guide to Information Security Testing & Assessment (Sept 2008). nvlpubs.nist.govPrimary
  3. MITRE ATT&CK — Reconnaissance (TA0043). attack.mitre.orgPrimary
  4. OWASP WSTG — Penetration Testing Methodologies (stable). owasp.orgPrimary
  5. MITRE ATT&CK — Enterprise Matrix & Tactics. attack.mitre.orgPrimary
  6. Lockheed Martin — Cyber Kill Chain. lockheedmartin.comPrimary
  7. ISECOM — OSSTMM 3 (channels + RAV). isecom.orgPrimary
  8. PCI SSC — Penetration Testing Guidance v1.1. pcisecuritystandards.orgPrimary
  9. European Central Bank — TIBER-EU Framework. ecb.europa.euPrimary
  10. CREST — accreditation & certification (recognized by UK NCSC CHECK). crest-approved.orgAuthoritative
  11. ISSAF (OISSG) — last updated 2006, no longer maintained. via OWASP WSTGCorroborated
  12. PCI SSC — Pentest Guidance v1.1 §2.1 (scan vs. pentest). pcisecuritystandards.orgPrimary
  13. MITRE ATT&CK — Impact (TA0040), incl. T1498/T1499 DoS. attack.mitre.orgPrimary
  14. MITRE ATT&CK — Lateral Movement (TA0008). attack.mitre.orgPrimary
  15. MITRE ATT&CK — Privilege Escalation (TA0004). attack.mitre.orgPrimary
  16. MITRE ATT&CK — Persistence (TA0003). attack.mitre.orgPrimary
  17. MITRE ATT&CK — Exfiltration (TA0010). attack.mitre.orgPrimary
  18. 18 U.S.C. §1030 — Computer Fraud and Abuse Act. law.cornell.eduPrimary
  19. UK Computer Misuse Act 1990 & EU Directive 2013/40/EU. legislation.gov.ukPrimary