Penetration testing like any systemic methodology needs to be evaluated to provide useful insights about the reliability of the used methodology. A well-designed pentesting approach and a good evaluation strategy should be based on quantified approved criteria, to quickly determine the depth and the quality of testing. Industry leaders are aware of all well-known penetration testing methodologies, but due to some understanding difficulties, many of these companies are using their own methodologies. An effective penetration testing program assures that the objectives of your penetration testing program were met without creating misunderstandings, misconceptions, or false expectations. A maturity model is needed to assure that the pentesting methodology meets the organization needs; you can build the most suitable maturity model for your organization needs. You can get inspired by a penetration testing model made by voodoo security. It is built to give an idea about such models.

The penetration testing maturity model is based on three main criteria. Each criteria has five questions to answer by yes or no. If yes, the overall score will be added by one point, else, it will add nothing. Based on your responses to all the questions, the overall score will define the evaluation of your penetration test.

This metric is used to evaluate whether the penetration testing is realistic, and it is built to simulate real-world attacks. Answer the following questions in terms of yes or no:

• Did you use the black box approach?
• Did you avoid detection?
• Did you use social engineering?
• Did you use exfiltrated data?
• Did you emulate a malware?

This metric is based on the methodology itself, and the tools are used in every step when conducting the penetration testing. Answer the following questions in terms of yes or no:

• Does the used methodology already exist or is it customized?
• Are all the steps done in a connected way?
• Did you use both manual and automated tools?
• Did you actually exploit the target?
• Is pivoting allowed?

This metric evaluates the resulting report as it is an important step in penetration testing, whereas it is written for multiple audiences. Answer the following questions in terms of yes or no:

• Did you remove false positives?
• Are your steps repeatable?
• Are the vulnerabilities assessed used in contextual risks?
• Do the results align with the business needs?
• Is the remediation plan suitable for the organization?

Based on the obtained score, you can evaluate your penetration testing and rank it using the following scale:

• 0-5: Low maturity level
• 6-10: Medium maturity level
• 11-15: High maturity level

For better presentation, you can use graphical charts: