NIST SP 800-115: Technical Guide to Information Security Testing
NIST Special Publication 800-115 (published in September 2008) is an established technical guide for information security testing and assessment. It was developed by the U.S. federal agency National Institute of Standards and Technology (NIST) as technical guidance to provide organizations with a structured methodology for planning, conducting, and evaluating security assessments. The guide is officially available as a PDF directly from the NIST website and replaced the earlier recommendation NIST SP 800-42 (Guideline on Network Security Testing).
More Than Penetration Testing: The Three Core Assessment Methods
A common misconception is that NIST SP 800-115 is purely a penetration testing framework. In fact, the publication is much broader and defines three fundamental methods for conducting comprehensive security assessments. In terms of content, however, the document focuses primarily on technical testing and examination techniques:
- Testing: The active execution of systems under defined conditions in order to analyze their actual behavior and compare it against security requirements. (Penetration testing falls into this category.)
- Examination: The passive inspection, review, and analysis of artifacts. This includes reviewing documents such as policies and security concepts, system configurations, log files, or firewall rule sets.
- Interviewing: Conducting structured discussions with employees, system administrators, or management in order to understand organizational processes, identify knowledge gaps, or obtain evidence of security practices in operation.
The Four-Phase Penetration Testing Methodology
When it comes specifically to penetration testing, Section 5.2 describes an example four-phase methodology (Four-Stage Penetration Testing Methodology). The document emphasizes that there are many accepted ways to group these activities. In practice, these phases often run cyclically:
1. Planning: In this initial phase, the conditions and boundaries of the test are defined. This includes defining the objectives, scope, and legal safeguards.
2. Discovery: This phase is divided into two parts and forms the foundation for the subsequent attacks:
   - Information Gathering / Scanning: The active and passive collection of data, such as port scans, OS fingerprinting, and service identification.
   - Vulnerability Analysis: Comparing the discovered services against known vulnerability databases and performing manual analysis by an expert. Note: According to NIST, vulnerability analysis is not a separate main phase, but part of Discovery.
3. Attack / Exploitation: This is the core of the penetration test. Testers attempt to actively and controllably exploit the vulnerabilities identified during the Discovery phase. The goal is to verify the potential impact, escalate privileges, and move deeper into the network through lateral movement. This phase is often iterative with the Discovery phase, as a successful compromise may reveal additional systems.
4. Reporting: This phase documents all identified vulnerabilities, successfully executed attacks, and the corresponding risk assessment. A central component of the report is a set of concrete and prioritized recommendations for remediation.
Distinction: Penetration Testing vs. Vulnerability Scanning
NIST SP 800-115 places strong emphasis on the conceptual and functional distinction between an automated vulnerability scan and a true penetration test.
| Criterion | Vulnerability Scanning | Penetration Testing |
|---|---|---|
| Execution | Largely automated using software tools. | Expert-led, with a strong focus on manual analysis. |
| Objective | Identification and listing of potential security weaknesses. | Verification and practical exploitation of vulnerabilities. |
| Validation | No verification; the risk of false positives is present. | High level of validation; filters out false positives through target vulnerability validation. |
| Focus | Broad coverage of all systems in the network. | In-depth analysis; logical chaining of multiple smaller weaknesses into an attack path. |
Core statement of the NIST guide: An automated scan provides only the raw data. It is only through verification, manual exploitation, and contextual assessment by a human expert that it becomes a penetration test according to the principles of the NIST guide.
Practical Aspects and Conditions
For conducting tests, the guidance identifies factors intended to minimize the risk of system outages and ensure quality:
- Rules of Engagement (RoE): A binding set of rules that defines what may be tested, when testing may take place (such as outside business hours), and who must be contacted in an emergency (such as in the event of a system crash). The document provides a practical template for this in Appendix B. Ideally, these conditions are agreed in detail and documented before testing begins. In its approach to organizational procedures, the guide closely resembles the German Guide for Conducting Penetration Tests published by the BSI (Federal Office for Information Security).
- Testing Perspectives: A distinction is made between the external perspective, representing an attack from the Internet without prior privileges, and the internal perspective, representing the simulation of an insider threat or an already compromised system.
- Announcement and Visibility (Overt vs. Covert): In NIST terminology, these terms primarily describe the degree to which the test is known within the organization, for example whether the internal blue team or defenders are informed in order to realistically test incident response. They do not necessarily describe the technical level of information available to the testers.
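The three RoE elements named above (what may be tested, when, and whom to contact) turned into a pre-flight check that a tester or tooling wrapper can run before any action against a host. This is an added example, not text or code from the NIST guide or its Appendix B template; the RulesOfEngagement class, the authorize function, and every network, time window and contact value are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    """The RoE elements SP 800-115 names: what, when, and whom to contact."""
    in_scope: tuple          # CIDRs that may be tested
    excluded: tuple          # CIDRs carved out of scope (e.g. a production DB)
    window_start: time       # start of the permitted testing window
    window_end: time         # end of the window; earlier than start = overnight
    emergency_contact: str   # who to call if a system crashes


def host_in_scope(roe, host):
    """True if host lies inside an in-scope network and outside every exclusion."""
    addr = ip_address(host)
    if any(addr in ip_network(net) for net in roe.excluded):
        return False
    return any(addr in ip_network(net) for net in roe.in_scope)


def within_window(roe, when):
    """True if the local time of `when` falls inside the agreed window,
    including windows that span midnight (e.g. 22:00 to 06:00)."""
    t = when.time()
    if roe.window_start <= roe.window_end:
        return roe.window_start <= t < roe.window_end
    return t >= roe.window_start or t < roe.window_end


def authorize(roe, host, when):
    """Gate a planned test action; returns (allowed, reason)."""
    if not host_in_scope(roe, host):
        return False, f"{host} is outside the agreed scope"
    if not within_window(roe, when):
        return False, f"{when:%H:%M} is outside the testing window"
    return True, f"authorized; emergency contact: {roe.emergency_contact}"


# Constructed sample RoE: overnight window, one excluded subnet.
SAMPLE_ROE = RulesOfEngagement(
    in_scope=("10.10.0.0/16",),
    excluded=("10.10.5.0/24",),
    window_start=time(22, 0),
    window_end=time(6, 0),
    emergency_contact="+1-555-0100 (constructed on-call number)",
)
```

Calling `authorize(SAMPLE_ROE, host, datetime.now())` before each scan or exploit step gives a single place where scope, timing and the escalation contact are enforced rather than remembered.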
Limitations and Temporal Context of the Guide
Since the publication dates back to 2008, it only partially reflects the technological shifts in modern IT infrastructure. In professional practice, the following structural gaps are frequently discussed:
- Lack of Cloud Coverage: The guide focuses primarily on on-premises infrastructures. Modern cloud environments (IaaS, PaaS, and SaaS), serverless architectures, and container technologies (such as Docker or Kubernetes) are not covered by the document.
- Focus on Traditional Networks: The guide is heavily based on traditional, perimeter-based networks. Newer security concepts such as Zero Trust Architecture or identity-based security (IAM) are not methodically addressed in the text.
- No Consideration of Modern Software Development: Modern security assessments often include the review of CI/CD pipelines, DevSecOps processes, or automated code analysis (such as SAST and DAST) within the development lifecycle. The NIST guide tends to view security assessments as point-in-time events rather than as a continuous process.
- Outdated Threat Model: The complexity of modern attacks by state-sponsored attackers (Advanced Persistent Threats, or APTs), as well as of sophisticated supply chain attacks, is not methodically covered in the depth found in newer publications.
Conclusion
For classic infrastructure, network, and organizational assessments, NIST SP 800-115 remains a solid procedural foundation. In German-speaking contexts, it serves as an excellent methodological complement to the more application-oriented BSI penetration testing guide. For modern cloud, web, and DevOps environments, it is typically supplemented in practice by more current technical specifications such as the OWASP Web Security Testing Guide.