OSSTMM
What is OSSTMM?
An open peer-reviewed security testing methodology from ISECOM that defines scientific, repeatable measurements of operational security across five channels.
The Open Source Security Testing Methodology Manual (OSSTMM) is maintained by the Institute for Security and Open Methodologies (ISECOM) and is used by auditors and penetration testers to deliver repeatable, evidence-based assessments. It defines five test channels — Human, Physical, Wireless, Telecommunications, and Data Networks — and produces a quantitative result called the Risk Assessment Value (RAV) based on operational controls, limitations, and trust. OSSTMM emphasizes test rules of engagement, scientific measurement, and ethics rather than tool checklists. It is widely cited in government and regulated audits and complements technical frameworks such as PTES and NIST SP 800-115.
● Examples
- 01 An auditor uses OSSTMM to score the physical and human attack surface of a bank branch.
- 02 A pentester combines OSSTMM RAV scoring with PTES-based technical procedures.
● Frequently asked questions
What is OSSTMM?
An open peer-reviewed security testing methodology from ISECOM that defines scientific, repeatable measurements of operational security across five channels. It belongs to the Compliance & Frameworks category of cybersecurity.
What does OSSTMM mean?
An open peer-reviewed security testing methodology from ISECOM that defines scientific, repeatable measurements of operational security across five channels.
How does OSSTMM work?
OSSTMM structures an engagement around five test channels (Human, Physical, Wireless, Telecommunications, and Data Networks), sets explicit rules of engagement for the test, and scores what is found as a Risk Assessment Value (RAV) derived from operational controls, limitations, and trust. Because the measurements are defined rather than tool-driven, two auditors following the manual should arrive at comparable, evidence-based results, which is why it is cited in government and regulated audits alongside PTES and NIST SP 800-115.
How is OSSTMM used to improve defences?
OSSTMM is an assessment methodology rather than a threat, so there is nothing to defend against; instead, the RAV score and the control limitations it surfaces are used to prioritise the technical controls and operational practices described in the full definition above.
What are other names for OSSTMM?
Common alternative names include: Open Source Security Testing Methodology Manual.
● Related terms
- PTES (compliance): A community-built penetration testing methodology organizing engagements into seven phases from pre-engagement scoping through reporting and remediation guidance.
- OSCP (compliance): A hands-on offensive security certification from Offensive Security earned by compromising a lab network in a 24-hour proctored practical exam.
- CEH (compliance): An ethical-hacking certification from EC-Council that teaches attacker tools and techniques across reconnaissance, exploitation, web, wireless, and cloud testing.
- Penetration Testing (defense-ops): An authorized, simulated cyberattack against systems, applications, or people to identify exploitable weaknesses before real adversaries do.
- NIST SP 800-30 (compliance): A NIST Special Publication that provides guidance for conducting risk assessments of information systems and the missions they support.