SANS 25 is a list of the top 25 security domains as defined by the SANS Institute. When conducting assessments, it's good to be familiar with this list and understand how your findings pertain to the list. In addition, understanding the top 25 domains can assist in helping increase the breadth of your knowledge of security vulnerabilities. These issues typically extend far beyond what will be discovered through nothing but penetration testing, and understanding these issues may even help you identify additional vulnerabilities or risk trends during your assessments.

In my job opportunities, the employer usually wants to ensure that their penetration tester is familiar with and understands each of these penetration testing frameworks and standards. This information is useful when conducting a security test/audit on an organization of a particular industry.

Now that you have a better understanding of popular penetration testing methodologies, let's dive into the three penetration testing approaches.