NIST (US) · us
NIST SP 800-115: pen test requirements 2026
The Technical Guide to Information Security Testing and Assessment. Defines four phases: planning, discovery, attack, reporting. Older (2008) but still the standard structured-test reference in US federal contexts.
Required
Voluntary
Region
US
Publisher
NIST
Applies to
- Network pen testing
- External + internal infrastructure
- US federal supplier engagements
Budget impact
Day count impact
Neutral — provides methodology, not duration
Rate impact
Neutral
Source
↗ https://csrc.nist.gov/publications/detail/sp/800-115/finalVerified 2026-06-02.
Other standards