{"id":30922,"date":"2023-07-05T19:32:01","date_gmt":"2023-07-05T19:32:01","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=30922"},"modified":"2023-10-16T23:59:36","modified_gmt":"2023-10-16T23:59:36","slug":"pentest-framework","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/","title":{"rendered":"What Is a Pentest Framework? Top 7 Frameworks Explained"},"content":{"rendered":"\n<p>A pentest framework, or penetration testing framework, is a standardized set of guidelines and suggested tools for structuring and conducting effective pentests across different networks and security environments.<\/p>\n\n\n\n<p>While it\u2019s certainly possible to construct your own pentest framework that meets the specific security and compliance requirements of your organization, a number of existing methodologies and frameworks can be built upon to make the job easier for you. In fact, it\u2019s generally more effective to use one of these comprehensive and peer-reviewed solutions in order to keep your pentests on track.<\/p>\n\n\n\n<p>Read on to learn more about how pentest frameworks are used, how they\u2019re set up, and some of the top pentest frameworks that are available today.<\/p>\n\n\n\n<p><strong>Jump ahead to:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#mechanics\">How Pentest Frameworks Work<\/a><\/li>\n\n\n\n<li><a href=\"#categories\">10 Categories in a Pentest Framework<\/a><\/li>\n\n\n\n<li><a href=\"#applications\">How Penetration Test Frameworks Are Used<\/a><\/li>\n\n\n\n<li><a href=\"#top-frameworks\">7 Top Pentest Frameworks<\/a><\/li>\n\n\n\n<li><a href=\"#bottom-line\">Bottom Line: Pentest Frameworks<\/a><\/li>\n<\/ul>\n\n\n\n<p><strong>Also read: <a href=\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing\/\">What Is Penetration Testing? 
Complete Guide &amp; Steps<\/a><\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"mechanics\">How Pentest Frameworks Work<\/h2>\n\n\n\n<p>In simple terms, a pentest framework works by guiding pentesters to the right tools and methodologies to use for a penetration test, depending on the <a href=\"https:\/\/www.esecurityplanet.com\/networks\/types-of-penetration-testing\/\">pentest type<\/a> and the scope of the test they\u2019re planning to run. Once a pentester gets started with the penetration testing and ethical hacking process, they should reference the pentest framework for the tactical categories they should assess during their tests.<\/p>\n\n\n\n<p>Once the pentest is complete, the pentester should continue using the framework to help them further evaluate and report on their findings, especially as they relate to those primary tactical categories. It\u2019s also important to return the environment to its pre-pentest settings.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The Steps of a Typical Pentest Framework<\/h3>\n\n\n\n<p>Pentest frameworks work in slightly different ways, depending on which pentest framework you use, but most follow similar steps that help organizations efficiently and comprehensively move through their pentesting programs.<\/p>\n\n\n\n<p>These are some of the most <a href=\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-phases\/\">common steps<\/a> a pentest framework follows:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Initial planning and preparation:<\/strong> The framework instructs organizations to determine who their pentester(s) will be, what pentest framework and methodology\/methodologies they\u2019ll be following, expectations for the test and reported results, any legal or compliance requirements, and any tools or resources that are needed in order to conduct a successful test.<\/li>\n\n\n\n<li><strong>Intelligence and information gathering:<\/strong> Information that should be gathered 
early in the pentest framework development and selection process includes the scope of asset ownership, <a href=\"https:\/\/www.esecurityplanet.com\/networks\/network-security\/\">network<\/a> targets, exploits, any involved third parties, network ports, IP addresses, relevant employees&#8217; names, and property locations. In some cases, this phase is also called the discovery, testing, scanning, or assessment phase.<\/li>\n\n\n\n<li><strong>Attack phase:<\/strong> The pentester begins their attack and evaluates the system based on how it performs against the framework\u2019s predefined tactic categories.<\/li>\n\n\n\n<li><strong>Post-attack phase:<\/strong> The pentester, or a team of cybersecurity experts, makes sure the testing environment\u2019s assets and features are returned to their original state.<\/li>\n\n\n\n<li><strong>Reporting results:<\/strong> The pentest framework is used to frame results based on tools used, tactic category performance, and more.<\/li>\n<\/ol>\n\n\n\n<p><strong>Also read: <a href=\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/\">How to Implement a Penetration Testing Program in 10 Steps<\/a><\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"categories\">10 Categories in a Pentest Framework<\/h2>\n\n\n\n<p>The typical pentest framework clearly outlines tactic categories that pentesters should use to evaluate cybersecurity performance on multiple fronts during their penetration testing efforts. Every framework uses its own terminology and approach to tactic categories, but these are some of the most frequently found categories in a pentest framework:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Collection: <\/strong>As an ethical hacker, what kinds of information and security intelligence are you able to collect during your attack? 
How valuable would this information be to future attack vectors and plans?<\/li>\n\n\n\n<li><strong>Command and control: <\/strong>What kinds of backdoors and covert forms of communication are you able to set up in the enterprise network\u2019s servers or apps during your simulated attack? Are these backdoors easily detected? Do they stay open even after cybersecurity tools step in to mitigate risk?<\/li>\n\n\n\n<li><strong>Credential\/information access: <\/strong>What tools, users, and hardware can access what kinds of information? What credentials and controls are in place and how effective are they at stopping unauthorized user access during your simulated attack?<\/li>\n\n\n\n<li><strong>Defense evasion capabilities and strategies: <\/strong>How does your cybersecurity infrastructure handle threat detection and how does it respond to an attacker\u2019s defense evasion strategies? How effectively does your infrastructure identify and avoid various types of threats, and how quickly does it pivot when initial lines of defense aren\u2019t enough?<\/li>\n\n\n\n<li><strong>Discovery and information gathering: <\/strong>How quickly and comprehensively does your cybersecurity setup gather and sift through relevant security incident information after the simulated attack begins?<\/li>\n\n\n\n<li><strong>Execution: <\/strong>How do your cybersecurity tools respond when handling an unauthorized user or other suspicious activity in the network? What tools go into action, what are their response timelines, and what gets mitigated by tools versus security professionals? Additionally, how does your cybersecurity infrastructure respond to attack types like remote code execution?<\/li>\n\n\n\n<li><strong>Exfiltration:<\/strong> Can data be stolen from any part of your network? 
If so, what data is accessible, in what quantities can it be taken, and how much defense (if any) goes up against data exfiltration operations?<\/li>\n\n\n\n<li><strong>Lateral movement: <\/strong>During the simulated attack, are you able to easily move from your initial point of access into another app, database, or component of the network? How difficult is lateral movement between grouped apps versus parts of the network that are in separate segments or departments?<\/li>\n\n\n\n<li><strong>Persistence: <\/strong>What misconfigurations, backdoors, implants, or other components of your attack persist even after cybersecurity tools respond to your attack? Over what time frame can these features continue to deploy discreet attacks?<\/li>\n\n\n\n<li><strong>Privilege escalation:<\/strong> Can attackers change their own credentials or steal the credentials of another user in order to elevate their access levels and user permissions in the network or specific applications? How difficult is privilege escalation for an internal bad actor versus an external bad actor?<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"applications\">How Penetration Test Frameworks Are Used<\/h2>\n\n\n\n<p>Generally speaking, penetration test frameworks are used to make pentesting efforts more comprehensive and effective. However, pentests are used for a variety of reasons, and pentest frameworks have a few different use cases as well. 
Here are some of the most common ways penetration test frameworks are used:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.esecurityplanet.com\/networks\/vulnerability-assessment\/\">Vulnerability assessment<\/a> and <a href=\"https:\/\/www.esecurityplanet.com\/networks\/vulnerability-management\/\">management<\/a><\/li>\n\n\n\n<li>Ethical hacking for offensive cybersecurity improvements<\/li>\n\n\n\n<li>Defensive cybersecurity evaluations<\/li>\n\n\n\n<li>Discovery, probing, and reconnaissance<\/li>\n\n\n\n<li>Enumeration and information gathering<\/li>\n\n\n\n<li>Cybersecurity and compliance audits<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"top-frameworks\">7 Top Pentest Frameworks Explained<\/h2>\n\n\n\n<p>Below, you will find some of the most commonly used pentest frameworks and methodologies, both in a chart and a more detailed discussion. It\u2019s important to note that many of the frameworks you see listed here \u2014 such as the Open Source Security Testing Methodology Manual (OSSTMM) \u2014 started out as simple pentesting frameworks but have since evolved into methodologies upon which other pentesting frameworks have been developed.<\/p>\n\n\n<figure class=\"wp-block-table\">\n<table style=\"width: 100%;\">\n<thead>\n<tr>\n<th style=\"width: 30%;\">Pentest framework<\/th>\n<th style=\"width: 30%;\">Provider<\/th>\n<th style=\"width: 40%;\">Focus areas and noteworthy features<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Cobalt Strike<\/td>\n<td>Fortra<\/td>\n<td>\n<ul>\n<li>Adversary simulations<\/li>\n<li>Red Team operations<\/li>\n<li>Support for general security operations and incident response<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>Metasploit Framework<br \/>Metasploit Pro<\/td>\n<td>Rapid7<\/td>\n<td>\n<ul>\n<li>More than 1,500 exploits<\/li>\n<li>Network data scan imports<\/li>\n<li>Advanced automations in Pro version.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>NIST Cybersecurity Framework 
(CSF)<\/td>\n<td>National Institute of Standards and Technology (NIST)<\/td>\n<td>\n<ul>\n<li>Outcome-based approach; no step-by-step checklist<\/li>\n<li>Designed for U.S. critical infrastructure but can be used by various company types<\/li>\n<li>Mapping to existing cybersecurity management efforts<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>Open Source Security Testing Methodology Manual (OSSTMM)<\/td>\n<td>Institute for Security and Open Methodologies (ISECOM)<\/td>\n<td>\n<ul>\n<li>Security test scoping<\/li>\n<li>Rules of engagement and error handling<\/li>\n<li>Support for results disclosures<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>Penetration Testing Execution Standard (PTES)<\/td>\n<td>A collection of information security experts from various organizations<\/td>\n<td>\n<ul>\n<li>Intelligence gathering and threat modeling<\/li>\n<li>Vulnerability research<\/li>\n<li>Exploitation and post-exploitation support<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>OWASP Continuous Penetration Testing Framework<\/td>\n<td>Open Web Application Security Project (OWASP)<\/td>\n<td>\n<ul>\n<li>AppSec pentesting standardization<\/li>\n<li>Focus on agility and shift left principles<\/li>\n<li>Explanation of relevant methodologies, tools, guidelines, and more<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>PenTesters Framework (PTF)<\/td>\n<td>TrustedSec<\/td>\n<td>\n<ul>\n<li>Based on PTES<\/li>\n<li>Efficient packaging and installation<\/li>\n<li>Compatible with internally developed repos<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n\n\n<h3 class=\"wp-block-heading\">Cobalt Strike<\/h3>\n\n\n\n<p><a href=\"https:\/\/www.cobaltstrike.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Cobalt Strike<\/a> is a red team command and operations framework that is one of the most popular frameworks for pentesting. 
The tool includes <a href=\"https:\/\/www.esecurityplanet.com\/networks\/red-team-vs-blue-team-vs-purple-team\/\">adversary simulations<\/a>, <a href=\"https:\/\/www.esecurityplanet.com\/networks\/incident-response-how-to-prepare-for-attacks-and-breaches\/\">incident response<\/a> guidance, <a href=\"https:\/\/www.esecurityplanet.com\/threats\/social-engineering-attacks\/\">social engineering<\/a> capabilities, and more. Users have the option to alter Cobalt Strike to their specific needs with the Community Kit repository, and they can further extend its capabilities by using it in combination with Core Impact, the pentesting software offered by Fortra.<\/p>\n\n\n\n<p><strong>Also read: <a href=\"https:\/\/www.esecurityplanet.com\/threats\/how-cobalt-strike-became-a-favorite-tool-of-hackers\/\">How Cobalt Strike Became a Favorite Tool of Hackers<\/a><\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Metasploit<\/h3>\n\n\n\n<p><a href=\"https:\/\/www.metasploit.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Metasploit<\/a> is a collaboratively-designed penetration testing framework that comes from Rapid7 and the open-source community. Some of its most important features include 1,500 exploits, network discovery, MetaModules for tasks like <a href=\"https:\/\/www.esecurityplanet.com\/networks\/microsegmentation-is-catching-on-as-key-to-zero-trust\/\">network segmentation<\/a> testing, automated tests, baseline audits and reports, and manual exploitation and credential brute forcing options. 
Users can choose between the free, open-source version of Metasploit or Metasploit Pro for additional features.<\/p>\n\n\n\n<p><strong>Also read: <a href=\"https:\/\/www.esecurityplanet.com\/networks\/metasploit-framework-tutorial\/\">Getting Started With the Metasploit Framework: A Pentesting Tutorial<\/a><\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">NIST Cybersecurity Framework<\/h3>\n\n\n\n<p><a href=\"https:\/\/www.nist.gov\/cyberframework\" target=\"_blank\" rel=\"noreferrer noopener\">NIST\u2019s Cybersecurity Framework (CSF)<\/a> is a slightly broader framework option that focuses on standards, best practices, and guidelines for all kinds of cybersecurity risks. The five functions that this framework focuses on are: Identify, Protect, Detect, Respond, and Recover. Because this is a broader framework and comes from the U.S. Department of Commerce, this standardized framework can be used as guidelines for a variety of cybersecurity tests and compliance audits.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Open Source Security Testing Methodology Manual (OSSTMM)<\/h3>\n\n\n\n<p><a href=\"https:\/\/www.isecom.org\/OSSTMM.3.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">The OSSTMM framework<\/a> from the Institute for Security and Open Methodologies (ISECOM) has moved past basic framework features into a full methodology for security testing and analysis. Among other topics covered in its detailed guide, the Open Source Security Testing Methodology Manual gives users information about how to define and scope a security test, rules of engagement, error handling, and disclosure of results.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Penetration Testing Execution Standard (PTES)<\/h3>\n\n\n\n<p><a href=\"http:\/\/www.pentest-standard.org\/index.php\/Main_Page\" target=\"_blank\" rel=\"noreferrer noopener\">The Penetration Testing Execution Standard<\/a>, or PTES, is another pentesting framework that has evolved into a full methodology. 
Its main sections cover penetration test communication and rationale, intelligence gathering, threat modeling, vulnerability research, exploitation and post-exploitation, and reporting. The guidelines in the official PTES do not discuss how to conduct a pentest; the team has developed a technical guidelines document to instruct and support in this area. A second, updated version of PTES is currently in the works.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Open Web Application Security Project (OWASP)<\/h3>\n\n\n\n<p><a href=\"https:\/\/owasp.org\/www-project-continuous-penetration-testing-framework\/\" target=\"_blank\" rel=\"noreferrer noopener\">OWASP\u2019s Continuous Penetration Testing Framework<\/a> is an in-the-works framework that focuses on standards, guidelines, and tools for information security and application security penetration tests. OWASP offers a transparent roadmap to users who are interested in learning more about the release timeline and features of this framework.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">PenTesters Framework (PTF)<\/h3>\n\n\n\n<p><a href=\"https:\/\/www.trustedsec.com\/tools\/pentesters-framework\/\" target=\"_blank\" rel=\"noreferrer noopener\">TrustedSec\u2019s PenTesters Framework (PTF)<\/a> is based heavily on the Penetration Testing Execution Standard. It is designed to make installation and packaging more streamlined and is considered highly customizable and configurable. 
Users can either download PTF with a Linux command or directly through Git.<\/p>\n\n\n\n<p><strong>Also read:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.esecurityplanet.com\/products\/open-source-distros-for-pentesting-and-forensics\/\"><strong>Best Open-Source Distributions for Pentesting and Forensics<\/strong><\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.esecurityplanet.com\/applications\/open-source-penetration-testing-tools\/\"><strong>Top Open Source Penetration Testing Tools<\/strong><\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"bottom-line\">Bottom Line: Pentest Frameworks<\/h2>\n\n\n\n<p>Your penetration testing efforts won\u2019t be as successful if you don\u2019t rely on a pentest framework to structure your processes, the tools you use, and the tactical areas you target. It\u2019s important for pentesting procedures to be both repeatable and scalable, especially as your organization and its attack surface grow. Pentest frameworks take the guesswork out of pentesting, allowing you to focus on improving other areas of <a href=\"https:\/\/www.esecurityplanet.com\/products\/vulnerability-management-software\/\">vulnerability management<\/a> while still conducting successful tests and research.<\/p>\n\n\n\n<p><strong>Further reading:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-cost\/\"><strong>How Much Does Penetration Testing Cost? 
11 Pricing Factors<\/strong><\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.esecurityplanet.com\/products\/best-penetration-testing\/\"><strong>Best Penetration Testing Tools<\/strong><\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.esecurityplanet.com\/networks\/vulnerability-scanning-tools\/\"><strong>Best Vulnerability Scanning Tools<\/strong><\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.esecurityplanet.com\/products\/breach-and-attack-simulation-bas-vendors\/\"><strong>Top Breach and Attack Simulation (BAS) Tools<\/strong><\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>A pentest framework sets up standardized guidelines and tools for teams conducting penetration tests. 
Learn about the top pentest frameworks here.<\/p>\n","protected":false},"author":328,"featured_media":30932,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_gazelle_contributing_experts":"","footnotes":""},"categories":[14],"tags":[3790,3414,4296,31708,730,22929,23182,5277],"b2b_audience":[33],"b2b_industry":[],"b2b_product":[382,386,378,395,31780,380,31775,392],"class_list":["post-30922","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-networks","tag-cybersecurity","tag-network-security","tag-penetration-testing","tag-pentesting","tag-security","tag-vulnerability-management","tag-web-application-security","tag-web-security","b2b_audience-awareness-and-consideration","b2b_product-application-security-vulnerability-management","b2b_product-consulting-services","b2b_product-endpoint-security","b2b_product-firewalls-and-intrusion-prevention-and-detection","b2b_product-patch-management","b2b_product-policy-compliance","b2b_product-web-applications-security","b2b_product-web-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>What Is a Pentest Framework? Top 7 Frameworks Explained<\/title>\n<meta name=\"description\" content=\"A pentest framework sets guidelines and tools for teams conducting penetration tests. Learn about the top pentest frameworks here.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What Is a Pentest Framework? 
Top 7 Frameworks Explained\" \/>\n<meta property=\"og:description\" content=\"A pentest framework sets guidelines and tools for teams conducting penetration tests. Learn about the top pentest frameworks here.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/\" \/>\n<meta property=\"og:site_name\" content=\"eSecurity Planet\" \/>\n<meta property=\"article:published_time\" content=\"2023-07-05T19:32:01+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-10-16T23:59:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/07\/esp-pentest-framework.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1400\" \/>\n\t<meta property=\"og:image:height\" content=\"910\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Shelby Hiter\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:site\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Shelby Hiter\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/\"},\"author\":{\"name\":\"Shelby Hiter\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/51431ee32bfc3fa2279f6919ce5cbde5\"},\"headline\":\"What Is a Pentest Framework? 
Top 7 Frameworks Explained\",\"datePublished\":\"2023-07-05T19:32:01+00:00\",\"dateModified\":\"2023-10-16T23:59:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/\"},\"wordCount\":1914,\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/07\/esp-pentest-framework.png\",\"keywords\":[\"cybersecurity\",\"network security\",\"penetration-testing\",\"pentesting\",\"security\",\"Vulnerability Management\",\"web application security\",\"Web security\"],\"articleSection\":[\"Networks\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/\",\"url\":\"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/\",\"name\":\"What Is a Pentest Framework? Top 7 Frameworks Explained\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/07\/esp-pentest-framework.png\",\"datePublished\":\"2023-07-05T19:32:01+00:00\",\"dateModified\":\"2023-10-16T23:59:36+00:00\",\"description\":\"A pentest framework sets guidelines and tools for teams conducting penetration tests. 
Learn about the top pentest frameworks here.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/#primaryimage\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/07\/esp-pentest-framework.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/07\/esp-pentest-framework.png\",\"width\":1400,\"height\":910,\"caption\":\"3D rendering of a virtual lock icon with Penetration Test label on a binary coded background.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esecurityplanet.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"What Is a Pentest Framework? 
Top 7 Frameworks Explained\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"name\":\"eSecurity Planet\",\"description\":\"Industry-leading guidance and analysis for how to keep your business secure.\",\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esecurityplanet.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\",\"name\":\"eSecurityPlanet\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"width\":1134,\"height\":375,\"caption\":\"eSecurityPlanet\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/eSecurityPlanet\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/51431ee32bfc3fa2279f6919ce5cbde5\",\"name\":\"Shelby Hiter\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/03\/93f7cf0106609c5bf3f27081f985d574-150x150.jpeg\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/03\/93f7cf0106609c5bf3f27081f985d574-150x150.jpeg\",\"caption\":\"Shelby Hiter\"},\"description\":\"eSecurity Planet contributor Shelby Hiter has covered cybersecurity, AI and more in her time at TechnologyAdvice. 
In addition to eSecurity Planet, she's worked as a technology editor and writer for TechRepublic, LinuxToday, Webopedia, SoftwarePundit, Datamation, Enterprise Networking Planet, CIO Insight, AllBusiness.com, and SiteProNews. Beyond B2B content strategy and editing, she also specializes in marketing and communication strategies and the occasional photo collage of her dog.\",\"url\":\"https:\/\/www.esecurityplanet.com\/author\/shelby-hiter\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What Is a Pentest Framework? Top 7 Frameworks Explained","description":"A pentest framework sets guidelines and tools for teams conducting penetration tests. Learn about the top pentest frameworks here.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/","og_locale":"en_US","og_type":"article","og_title":"What Is a Pentest Framework? Top 7 Frameworks Explained","og_description":"A pentest framework sets guidelines and tools for teams conducting penetration tests. Learn about the top pentest frameworks here.","og_url":"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/","og_site_name":"eSecurity Planet","article_published_time":"2023-07-05T19:32:01+00:00","article_modified_time":"2023-10-16T23:59:36+00:00","og_image":[{"width":1400,"height":910,"url":"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/07\/esp-pentest-framework.png","type":"image\/png"}],"author":"Shelby Hiter","twitter_card":"summary_large_image","twitter_creator":"@eSecurityPlanet","twitter_site":"@eSecurityPlanet","twitter_misc":{"Written by":"Shelby Hiter","Est. 
reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/#article","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/"},"author":{"name":"Shelby Hiter","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/51431ee32bfc3fa2279f6919ce5cbde5"},"headline":"What Is a Pentest Framework? Top 7 Frameworks Explained","datePublished":"2023-07-05T19:32:01+00:00","dateModified":"2023-10-16T23:59:36+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/"},"wordCount":1914,"publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/07\/esp-pentest-framework.png","keywords":["cybersecurity","network security","penetration-testing","pentesting","security","Vulnerability Management","web application security","Web security"],"articleSection":["Networks"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/","url":"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/","name":"What Is a Pentest Framework? Top 7 Frameworks Explained","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/#primaryimage"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/07\/esp-pentest-framework.png","datePublished":"2023-07-05T19:32:01+00:00","dateModified":"2023-10-16T23:59:36+00:00","description":"A pentest framework sets guidelines and tools for teams conducting penetration tests. 
Learn about the top pentest frameworks here.","breadcrumb":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/#primaryimage","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/07\/esp-pentest-framework.png","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/07\/esp-pentest-framework.png","width":1400,"height":910,"caption":"3D rendering of a virtual lock icon with Penetration Test label on a binary coded background."},{"@type":"BreadcrumbList","@id":"https:\/\/www.esecurityplanet.com\/networks\/pentest-framework\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esecurityplanet.com\/"},{"@type":"ListItem","position":2,"name":"What Is a Pentest Framework? 
Top 7 Frameworks Explained"}]},{"@type":"WebSite","@id":"https:\/\/www.esecurityplanet.com\/#website","url":"https:\/\/www.esecurityplanet.com\/","name":"eSecurity Planet","description":"Industry-leading guidance and analysis for how to keep your business secure.","publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esecurityplanet.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esecurityplanet.com\/#organization","name":"eSecurityPlanet","url":"https:\/\/www.esecurityplanet.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","width":1134,"height":375,"caption":"eSecurityPlanet"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/eSecurityPlanet"]},{"@type":"Person","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/51431ee32bfc3fa2279f6919ce5cbde5","name":"Shelby Hiter","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/03\/93f7cf0106609c5bf3f27081f985d574-150x150.jpeg","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2023\/03\/93f7cf0106609c5bf3f27081f985d574-150x150.jpeg","caption":"Shelby Hiter"},"description":"eSecurity Planet contributor Shelby Hiter has covered cybersecurity, AI and more in her time at TechnologyAdvice. 
In addition to eSecurity Planet, she's worked as a technology editor and writer for TechRepublic, LinuxToday, Webopedia, SoftwarePundit, Datamation, Enterprise Networking Planet, CIO Insight, AllBusiness.com, and SiteProNews. Beyond B2B content strategy and editing, she also specializes in marketing and communication strategies and the occasional photo collage of her dog.","url":"https:\/\/www.esecurityplanet.com\/author\/shelby-hiter\/"}]}},"_links":{"self":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/30922"}],"collection":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/users\/328"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/comments?post=30922"}],"version-history":[{"count":3,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/30922\/revisions"}],"predecessor-version":[{"id":32405,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/30922\/revisions\/32405"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media\/30932"}],"wp:attachment":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media?parent=30922"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/categories?post=30922"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/tags?post=30922"},{"taxonomy":"b2b_audience","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_audience?post=30922"},{"taxonomy":"b2b_industry","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_industry?post=30922"},{"taxonomy":"b2b_product","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/
wp\/v2\/b2b_product?post=30922"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}