NIST SP 800-115
the federal technical guide to security testing and assessment

NIST SP 800-115: the federal reference for technical security testing

NIST Special Publication 800-115, the Technical Guide to Information Security Testing and Assessment, is the United States National Institute of Standards and Technology reference for how to plan, execute, and report on technical security testing. The publication covers review techniques, target identification, target vulnerability validation, security assessment planning, execution, and reporting in eight numbered sections. NIST SP 800-115 is widely cited in federal contracts, FedRAMP authorisations, CMMC scopes, and the statements of work that flow through the Defense Industrial Base, because it gives compliance reviewers a stable definition of what a technical security assessment looks like.

NIST SP 800-115 sits comfortably alongside more specific catalogues. The OWASP Top 10 and OWASP ASVS cover the web-application phase in depth. The MITRE ATT&CK framework is the language for tagging what attackers do during the engagement. Compliance frameworks like FedRAMP, NIST SP 800-53, and CMMC require penetration testing as a control, and NIST SP 800-115 is the technical methodology most commonly cited by reference to satisfy that requirement.

The four assessment phases

NIST SP 800-115 frames a technical security assessment as four phases: planning, discovery, attack, and reporting. The phases run in order, and each one feeds the next. The standard is unambiguous that an attack phase that is not preceded by a defensible discovery record, or that is not followed by a structured report, is not a 800-115 aligned assessment.

Section 3: review techniques (the cheapest findings)

Review techniques are non-intrusive, evidence-driven, and frequently produce more findings per hour than active testing. Section 3 of NIST SP 800-115 names six review techniques that should be in scope before any active scan is launched. The matching review record lives on the engagement itself so the assessor can show what was reviewed, by whom, and when.

Section 4: target identification and analysis

Section 4 covers active target identification: network discovery, port and service identification, vulnerability scanning, and wireless scanning. NIST SP 800-115 treats this as a discrete phase from validation, so unverified scanner output never becomes a published finding. The external scanning capability and attack surface management produce the asset, subdomain, and exposed-service inventory the section expects, and retain the raw output per scan window for evidence purposes.

Section 5: target vulnerability validation

Section 5 covers password cracking, penetration testing, and social engineering. The standard breaks penetration testing into four sub-phases (planning, discovery, attack, reporting) that mirror the overall assessment structure, and is explicit that the attack sub-phase is preceded by validated discovery and followed by structured reporting. The findings management feature carries CVSS 3.1 scoring, 300+ remediation templates, and Nessus or Burp Suite imports so validation output flows in without manual re-entry. Authenticated workflows live in the authenticated scanning capability which covers configuration and patch evidence behind login.

For deeper background on retesting and validating fixes after the attack phase, see the pentest retesting workflow, which keeps the original validated finding paired to the retest evidence so the post-test mitigation record stays complete.

Section 6: the Security Assessment Plan (SAP)

Section 6 is the part of NIST SP 800-115 that decides whether the rest of the engagement is defensible. The Security Assessment Plan captures objectives, scope, rules of engagement, schedule, deliverables, and the named contacts on both sides. The matching free rules of engagement template provides the operational ROE document that 800-115 expects to be signed before any active testing starts, and the pentest statement of work template gives a drop-in clause set covering most of the SAP scope and deliverables in writing.

Section 8: reporting and post-test activities

NIST SP 800-115 treats reporting as a structured deliverable, not a wrap-up. The executive summary is written for an audience that will not read the technical body; the technical body is for the engineers and architects who will fix the findings. Both have to exist, and both have to tie back to the assessment objectives agreed in the SAP. Mitigation tracking, lessons learned, and any retests run after the report should attach to the same engagement record so the audit trail is continuous rather than scattered across attachments.

For a deeper write-up on report structure and how to balance executive and technical sections, see how to write a pentest report and the matching pentest executive summary guide. The AI report generation feature composes the Section 8 deliverable from the underlying engagement, discovery, validation, and exploitation evidence rather than from a blank page.

Where NIST SP 800-115 turns up in federal compliance

NIST SP 800-115 is rarely the only standard cited in a federal assessment. It is, more often, the technical reference that other compliance regimes point to when they need a stable definition of how testing is performed. The four cases below cover the most common citations a service provider sees in commercial proposals and contracts.

How NIST SP 800-115 compares to PTES, OWASP, OSSTMM, and ATT&CK

NIST SP 800-115 is rarely used in isolation. The strongest pentest programmes layer it with at least one operator-shaped methodology and one threat-informed catalogue. The contrast below is a working view, not a buyer comparison: the practitioner question is which standard to combine with 800-115, not which to pick instead of it. For a broader side-by-side view of the major pentest methodologies, see the penetration testing methodology guide.

For a full operator-first read of the Penetration Testing Execution Standard alongside 800-115, see the PTES framework page. For the UK and European equivalent that bundles methodology with assessor accreditation, see the CREST penetration testing framework, which leaves the methodology choice to the CREST member firm and is often satisfied by a 800-115 aligned approach.

Where SecPortal fits in a NIST SP 800-115 aligned engagement

SecPortal is the operating layer for a NIST SP 800-115 aligned assessment. The platform handles the SAP, the rules of engagement, the discovery record, validated findings, exploitation evidence, and the Section 8 deliverable so the engagement runs as a single workflow rather than a long email thread with attachments. For consultancies running federally aligned engagements on behalf of multiple clients, the security consultants workspace bundles that with branded client portals and findings deduplication across engagements.

Looking for the engagement workflow itself, end-to-end? The penetration testing use case captures how SecPortal turns a NIST SP 800-115 shaped engagement into a structured record covering scope, methodology, validated findings, retests, and the deliverable.

Need to scope a federal engagement before writing the SAP? The free pentest scoping calculator and the penetration testing RFP template give buyers and providers a shared starting point that maps cleanly onto the NIST SP 800-115 SAP structure.