SYSTEM_LOGS

TS: 2026-01-31 03:31:52 UNCLASSIFIED

The PenTest+ Frameworks Cheat Sheet

A concise guide to the methodologies you need to memorize for the CompTIA PenTest+ Exam.

============================================================

1. THE "BIG FOUR" GENERAL FRAMEWORKS
(Know the difference between these based on their focus and origin)
============================================================

NIST SP 800-115 (The Government Standard)

* Focus: Technical Guide to Information Security Testing and Assessment.
* Key Traits: Formal, structured, and widely used by US Federal agencies.
* The Process: Planning -> Discovery -> Attack -> Reporting.
* Exam Trigger: If the question mentions "Federal," "Government," or "Formal Compliance," choose NIST.

OSSTMM (The Scientific Standard)

* Creator: ISECOM.
* Focus: Operational Security (OpSec).
* Key Traits: Open Source, Scientific, and Measurable.
* The 5 Channels: Human, Physical, Wireless, Telecommunications, Data Networks.
* Exam Trigger: If the question mentions "Metrics," "Measuring," or "Telecommunications testing," choose OSSTMM.

PTES (The Practical Standard)

* Focus: The end-to-end process (workflow) of a penetration test.
* Key Traits: Practical, community-driven, and holistic.
* The 7 Stages (Memorize Order):
1. Pre-engagement Interactions (Scoping)
2. Intelligence Gathering (OSINT)
3. Threat Modeling
4. Vulnerability Analysis
5. Exploitation
6. Post-Exploitation
7. Reporting
* Exam Trigger: If the question asks about workflow stages (e.g., "What comes after exploitation?"), choose PTES.

CREST (The Professional Standard)

* Focus: Accreditation for individuals and companies.
* Key Traits: Global, ethical, and high-quality assurance.
* Exams: CPSA (Entry), CRT (Mid), CCNIA (Network).
* Exam Trigger: If the question mentions "Quality Assurance," "Code of Ethics," or "Accredited Firms," choose CREST.

============================================================

2. SPECIALIZED FRAMEWORKS
(Know which framework fits which technology)
============================================================

MITRE ATT&CK (The Adversary Playbook)

* Focus: Adversary Behavior (TTPs - Tactics, Techniques, Procedures).
* Key Use: Red Teaming, Threat Emulation, and identifying gaps in defense.
* The Matrix: Columns represent goals (Tactics) like Initial Access, Persistence, Privilege Escalation.
* Exam Trigger: If the question asks about "Simulation," "APT Behavior," or "Post-Compromise TTPs," choose MITRE ATT&CK.

OWASP Top 10 (The Web Standard)

* Focus: Critical Web Application Security Risks.
* Key Risks (2021 Version):
-- A01: Broken Access Control (IDOR, forced browsing).
-- A03: Injection (SQLi, XSS, Command Injection).
-- A05: Security Misconfiguration (Default passwords, verbose errors).
-- A10: SSRF (Server-Side Request Forgery).
* Exam Trigger: If the question involves Web Apps or SQL/XSS, choose OWASP.

OWASP MASVS (The Mobile Standard)

* Focus: Mobile App Security Requirements (iOS/Android).
* Profiles:
-- L1: Essential (Standard apps).
-- L2: Advanced (Banking/Healthcare apps).
-- R: Resiliency (Anti-tamper/Anti-reverse engineering).
* Exam Trigger: If the question involves APK, IPA, Local Storage, or Mobile Encryption, choose MASVS.

The Purdue Model (The Industrial Standard)

* Focus: ICS/SCADA Network Segmentation.
* The Layers:
-- Level 0: Physical (Sensors, Actuators).
-- Level 1/2: Control (PLCs, HMIs).
-- Level 4/5: Enterprise (Corporate IT, Email, Internet).
* Exam Trigger: If the question involves Factories, Power Grids, PLCs, or OT Security, choose Purdue.

============================================================

3. THREAT MODELING MODELS
(How do we define and rank the danger?)
============================================================

STRIDE (Categorizing Threats)

* S: Spoofing (Authenticity)
* T: Tampering (Integrity)
* R: Repudiation (Non-repudiation)
* I: Info Disclosure (Confidentiality)
* D: DoS (Availability)
* E: Elevation of Privilege (Authorization)
* Purpose: Used to CATEGORIZE types of threats (The "What").

DREAD (Rating Threats)

* D: Damage
* R: Reproducibility
* E: Exploitability
* A: Affected Users
* D: Discoverability
* Purpose: Used to RATE/SCORE the severity of threats (0-10 scale).

OCTAVE (Strategic Risk)

* Focus: Business-focused and Risk-based.
* Phases:
1. Organizational View
2. Technological View
3. Strategy/Plan Development
* Purpose: Used for organizational/strategic risk management (The "Business Context").

============================================================

4. QUICK-FIRE SCENARIO MATCH
============================================================

Scenario: "We need to measure our operational security metrics."
Answer: OSSTMM

Scenario: "We need to simulate a Russian APT group."
Answer: MITRE ATT&CK

Scenario: "We are testing a banking app on Android."
Answer: OWASP MASVS (L2)

Scenario: "We need to categorize this attack where logs were deleted."
Answer: STRIDE (Repudiation)

Scenario: "We need to ensure our testers are ethically certified."
Answer: CREST

Scenario: "We are testing a water treatment plant controller."
Answer: Purdue Model (Level 1)

Scenario: "We need a structured workflow for the whole engagement."
Answer: PTES

TS: 2026-01-27 22:22:12 UNCLASSIFIED

🚨Wee Woo Wee Woo🚨

First Tutorial Post is coming soon.

TS: 2026-01-27 20:33:01 UNCLASSIFIED

First Post

Hello World