The methodology that underpins every SiegePoint engagement. Its organizing idea: published testing frameworks are dynamically-loaded library checklists, bound by the engagement agreement, that pass or fail through defined acceptance & surrender levels. Standards-based, outside-in, and productizable as a service.
Verified Confirmed against a primary / authoritative sourceContested Accurate but with a documented limitation or version-sensitivity
Section 01How the system works — the spine
SiegePoint's methodology is not a single checklist. It is a linker model: the industry frameworks are versioned libraries of checks, the signed agreement is what binds a chosen subset of them to a specific target, and the surrender levels are the assertions that grade the result. This is the organizing principle every later section is an instance of.
Libraries
Methodology modules
PTES phases, OWASP WSTG/MASTG test categories, OSSTMM channels, per-surface MITRE ATT&CK technique sets. Versioned. Load only what scope calls for.
→
Linker
The engagement agreement
Resolves which modules load, against which assets, up to which ceiling. An unbound check is unauthorized access — so binding is the legal firewall, not a formality.
→
Runtime + assertions
Surrender levels
Each loaded check resolves on the S0–S4 ladder. The Pass Threshold decides pass/fail; the Authorization Ceiling is the hard bound the run cannot exceed.
Dynamically loaded. A web-app engagement loads OWASP WSTG plus the relevant ATT&CK techniques; a VoIP engagement loads the OSSTMM telecom channel; a full red-team loads the lot. Nothing runs that scope didn't select.
Bound by agreement. The signed Statement of Work is the linker. It is also the difference between a penetration test and a computer-crime offense — see the guardrail layer (§06).
Graded by surrender level. Every result is scored on a common ladder, so "did it work?" has one consistent, contractual answer across all surfaces (§05).
Version-pinned. Because frameworks are libraries, each engagement pins their versions in a manifest — a lockfile — so client citations stay stable even as ATT&CK and the standards move underneath.
Section 02Framework comparison — the libraries
The modules SiegePoint composes. PTES is the lifecycle spine, ATT&CK the technique taxonomy, the Cyber Kill Chain the narrative, PCI/NIST the compliance-grade structure, OSSTMM the measurable channel model, and TIBER-EU the threat-led authorization model. OWASP's WSTG page is the canonical index of recognized methodologies.1
3 phases: Preparation, Testing, Closure — live production, full consent9
Threat-led red-team + authorization model
Verified
OWASP WSTG / MASTG
OWASP
Test-category checklists for web (WSTG) & mobile (MASTG) surfaces1
Depth checklists for web & mobile
Verified
CREST
CREST (int'l body)
Accreditation for firms + certification for individuals; recognized by UK NCSC CHECK10
Industry accreditation / trust reference
Verified
ISSAF
OISSG
Assessment framework linking pentest steps to tools; last updated 2006, no longer maintained11
Historical reference only — not a live standard
Contested
Two libraries carry currency caveats. ISSAF has not been updated since 2006 — use as reference, never as the governing standard.11 The Cyber Kill Chain is accurate as its authors intended but widely criticized as linear and perimeter/malware-centric, weak on insider threats and lateral movement6 — use it for narrative; prefer ATT&CK as the authority for lateral movement and post-exploitation.
Section 03The unified phase model
PTES supplies the master spine (most complete lifecycle1); ATT&CK tactics overlay each execution phase so every action carries a citable ID; NIST's four-phase model2 is the compliance-grade compression of the same shape. The engagement runs outside-in.
On sequencing: PTES presents phases in order, but engagements iterate — exploitation loops back to intelligence gathering as new surface appears.4 Treat the spine as a control structure, not a strict waterfall.
The same spine, drawn as an operating flow — an authorized siege that escalates avenue by avenue and halts the moment the objective is reached. Social engineering is deliberately the last bastion: it carries the highest collateral risk and so sits at the top consent rung.
Figure — The attack methodology: escalate avenue by avenue, halt the moment the objective falls.
Section 04Technique taxonomy — outside-in
The categorized technique set, phase by phase, with verified ATT&CK IDs. Tactic-level IDs (TA####) are stable; technique-level IDs (T####) are cited from the live ATT&CK Enterprise matrix (see version note, §08).
1
Reconnaissance & OSINT
ATT&CK TA0043
"The adversary is trying to gather information they can use to plan future operations" — active and passive.3
Active Scanning T1595Direct probing of the target's public ranges to map live services.
Gather Victim Identity Info T1589Emails, employee names, roles that seed phishing and password attacks.
Search Victim-Owned Websites T1594Mining the client's own web presence for technology and structure.
2
Scanning & enumeration
bridges Recon → Access
Turning the map into a service inventory. PCI draws the line here: a scan identifies & ranks; a pentest attempts to exploit.12
Network Service Discovery T1046Port and service enumeration across the in-scope external range.
Content / path discoveryEnumerating hidden web paths, virtual hosts, and API endpoints.
3
Vulnerability analysis
PTES phase 4
Correlating discovered services against known weaknesses, prioritizing by exploitability and impact — before any exploit fires.
Automated assessment + manual validationTool-driven identification, then hands-on validation to strip false positives.
Business-logic analysisLogic flaws scanners cannot see — the pentest's real value-add.
4
Gaining access — exploitation by surface
ATT&CK TA0001
Exploitation, organized by attack surface. Each is a scope opt-in.
Denial of Service T1498 / T1499Network & endpoint resource-exhaustion (ATT&CK Impact tactic) — authorized only, caps low.14
DoS, telecom, and social engineering carry the highest collateral and legal risk. Each is a scope opt-in, never a default; social-engineering targets must be individually consented and allowlisted.
Demonstrating real impact by moving inward and laterally. MITRE defines Lateral Movement (TA0008) as "the adversary is trying to move through your environment."15
Privilege Escalation TA0004"Gain higher-level permissions" — 13 techniques incl. Exploitation for PrivEsc T1068, Abuse Elevation Control T1548.16
Lateral Movement TA0008Remote Services T1021, Exploitation of Remote Services T1210, Use Alternate Auth Material T1550, Internal Spearphishing T1534.15
Exfiltration TA0010"Steal data" — 9 techniques incl. Exfil Over C2 T1041, Over Alternative Protocol T1048. Controlled proof-of-impact only.18
Living off the land: MITRE notes adversaries may use legitimate credentials with native OS/network tools rather than their own, "which may be stealthier."15 SiegePoint mirrors this to assess real detection capability.
6
Reporting & remediation
PTES 7 · NIST Reporting
Findings ranked by risk, mapped to ATT&CK IDs, with a prioritized remediation list and a retest — where PTES and the PCI post-engagement phase converge.8
Risk-ranked, evidence-backed findingsEach issue rated by impact and exploitability.
ATT&CK-mapped attack narrativeThe path retold by tactic/technique ID for defender alignment.
Prioritized remediation + retestActionable fixes, then verified — "fix list, not just findings."
Section 05Acceptance & surrender levels
A methodology says how we test; it does not say what counts as a win. SiegePoint closes that with a pre-agreed, contractual threshold of customer surrender — the depth of compromise at which a control is deemed to have failed. Crucially, the agreed level is both the success bar and the authorization stop-line: acceptance criteria and rules of engagement are one dial.
Secret / access actually obtained; held, not yet used.
S3Actioned
Access used for a safe, reversible proof-action.
S4Objective
Crown-jewel / flag reached. Full chained impact.
Each in-scope surface is assigned two values in the Statement of Work: a Pass Threshold (the level at which the test authenticates as successful / the control is deemed failed) and an Authorization Ceiling (the maximum level SiegePoint may reach; always ≥ the threshold, and the mandatory stop line). Consent scales with the ceiling — S3–S4 add action-specific written authorization, a named approver, and stop conditions. DoS normally caps at S1.
Full model — the per-surface matrix, the worked social-engineering example, and the contract clause shapes — lives in the companion module, "Acceptance & Surrender Levels" (read it here). This section is the summary that binds it to the methodology spine.
The same ladder inverts into a detection-validation instrument. SiegePoint Verify runs authorized attacks on a schedule and grades not the attacker's depth but the defender's response — for each technique: did the client's monitoring catch it, how deep, and how fast (MTTD/MTTR)? Same rungs, opposite protagonist — and unlike an attack run, it loops the whole coverage set rather than halting at the first success.
Figure — The Verify methodology: same ladder, inverted — loop every technique to grade the defender's detection.
Section 06The guardrail layer — the linker
This layer wraps every phase and is what makes the whole thing lawful. Authorization is the legal dividing line: under the CFAA (18 U.S.C. §1030), accessing a computer "without authorization" or in a way that "exceeds authorized access" is a federal crime — identical technical actions are lawful with explicit permission and criminal without it.19
Guardrail control
What it fixes
Status
Signed scope agreement
Defines exactly which assets, ranges, and vectors are in-bounds before any packet is sent.
Verified
Written authorization
NIST 800-115: "written authorization or rules of engagement should be obtained and documented before testing begins."2
TIBER-EU: activities "under a contractual agreement with the full consent of the entity," mitigating legal concerns beforehand.9
Verified
CFAA & equivalents
US CFAA §1030; UK Computer Misuse Act 1990 (unauthorised access); EU Directive 2013/40/EU on attacks against information systems.1920
Verified
Do not overstate compliance mandates. Earlier verification refuted the claim that PCI SSC requires documented rules-of-engagement authorization before exploitation. Authorization is SiegePoint's own non-negotiable control and the NIST/TIBER-EU model — not a universal PCI requirement.
Section 07Why outside-in maps to SaaS
The linker model is not just lawful — it is the natural architecture for a productized service. TIBER-EU's Preparation → Testing → Closure, on live systems under consent,9 is effectively a three-stage workflow behind an authorization gate, which a SaaS platform expresses well.
The authorization gate is a product state. No engagement advances past Phase 0 until a signed scope + RoE exists on file — the guardrail is enforced by the platform, not by trust.
Outside-in means no client-side install. Testing begins from the public attack surface inward, so the service operates remotely against the agreed scope — the same reason external pentest suits a hosted, multi-tenant model.
Phases become pipeline stages. Recon → Analyze → Access → Advance → Report is a tracked workflow, each stage emitting artifacts (scope, findings, ATT&CK-mapped report) that live in the tenant.
ATT&CK IDs are the data model. Stable identifiers make findings structured data — sortable, trend-able across engagements, machine-checkable — not prose. That is what makes the reporting layer a product.
The surrender ceiling is enforced at runtime. Actions above the agreed rung are simply not permitted to proceed — acceptance and authorization enforced by the same gate.
Section 08Version control & sources
Because the frameworks are versioned libraries, the guide manages drift explicitly rather than pretending the standards are static.
ATT&CK version pinning. Tactic and technique counts move between ATT&CK releases. Technique IDs in §04 reflect the live ATT&CK Enterprise matrix as of July 2026. Every engagement must pin the ATT&CK version in its manifest so client citations stay stable.