| Attribute | Value |
|---|---|
| Project Name | OWASP Autonomous Penetration Testing Standard (APTS) |
| Version | 0.1.0 |
| Release Date | April 2026 |
| License | Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) |
| Repository | https://github.com/OWASP/APTS |
| Contact | [email protected] |

See ACKNOWLEDGEMENTS.md for the full list of contributors.

This standard uses RFC 2119 language:

| Term | Meaning |
|---|---|
| MUST | Mandatory requirement. Non-compliance means the requirement is not met. |
| MUST NOT | Absolute prohibition. |
| SHOULD | Recommended. Deviation requires documented justification. |
| SHOULD NOT | Not recommended. Deviation is acceptable with documented justification. |
| MAY | Optional. Implementation is at the organization's discretion. |
| OPTIONAL | Truly discretionary. May be included based on organizational needs. |

Requirements follow the format: `APTS-[DOMAIN]-[NUMBER]`

| Domain | Prefix | Section |
|---|---|---|
| Scope Enforcement | SE | 1 |
| Safety Controls & Impact Management | SC | 2 |
| Human Oversight & Intervention | HO | 3 |
| Graduated Autonomy Levels | AL | 4 |
| Auditability & Reproducibility | AR | 5 |
| Manipulation Resistance | MR | 6 |
| Third-Party & Supply Chain Trust | TP | 7 |
| Reporting | RP | 8 |

Copyright 2026 The OWASP Foundation.

Licensed under CC BY-SA 4.0. You may share and adapt this material for any purpose, including commercial, provided you give attribution and distribute under the same license.

| Version | Date | Notes |
|---|---|---|
| 0.1.0 | April 2026 | Initial release. Eight domains, 173 tier-required requirements across three compliance tiers, plus 10 advisory practices in the appendix. |