OWASP Autonomous Penetration Testing Standard (APTS)

What is OWASP APTS?
A governance standard for autonomous penetration testing platforms. It defines what these systems must do to operate safely, transparently, and within defined boundaries, whether they are delivered by vendors, operated as a service, or built in-house by enterprise security teams for testing their own organization.
APTS is not a testing methodology. It complements PTES, OWASP WSTG, and OSSTMM by addressing the problems unique to autonomous operation: scope enforcement, safe autonomy, manipulation resistance, and accountability.
173 Tier-Required Requirements Across 8 Domains
| Domain | Prefix | Requirements | Description |
|---|---|---|---|
| Scope Enforcement | SE | 26 | Defining, validating, and enforcing testing boundaries |
| Safety Controls | SC | 20 | Impact classification, blast radius, kill switches, rollback, execution sandbox |
| Human Oversight | HO | 19 | Approval gates, dashboards, escalation, operator qualifications |
| Graduated Autonomy | AL | 28 | Four autonomy levels (L1 Assisted through L4 Autonomous) |
| Auditability | AR | 20 | Logging, decision trails, evidence integrity, audit trail isolation |
| Manipulation Resistance | MR | 23 | Prompt injection, adversarial inputs, scope widening defense |
| Supply Chain Trust | TP | 22 | AI provider trust, data handling, multi-tenancy isolation, foundation model disclosure |
| Reporting | RP | 15 | Finding validation, confidence scoring, coverage disclosure |
Compliance Tiers
- Tier 1 (Foundation): 72 requirements. The platform will not test outside scope, can be stopped immediately, and provides an audit trail.
- Tier 2 (Verified): 85 additional (157 cumulative). Full transparency, tamper-proof audit trails, and independently verifiable findings.
- Tier 3 (Comprehensive): 16 additional (173 cumulative). Highest assurance for critical infrastructure and L4 autonomous operations.
Eighteen additional advisory practices live exclusively in the Advisory Requirements appendix under the APTS-<DOMAIN>-A0x identifier pattern. Advisory practices are not counted toward any tier and do not affect conformance.
APTS has no certification body, no mandatory third-party audit, and no fee. Platforms are assessed against the requirements and conformance is documented. The standard does not prescribe who performs the assessment; internal self-assessment, independent internal review, and external third-party assessment are all valid approaches, and the choice is left to the reader.
How to Reference
Requirements use the format APTS-XX-NNN where XX is the domain prefix and NNN is the requirement number (for example, APTS-SE-001). For versioned references in contracts or evaluations, use APTS-v0.1.0-SE-001.
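An added example (not part of the standard or its repository) of parsing and validating references in these formats, for instance when linting a conformance claim. It assumes that advisory identifiers follow the APTS-<DOMAIN>-A0x pattern with two digits after the A and that the version segment may precede any domain prefix.

```python
import re
from typing import NamedTuple, Optional

# Domain prefixes from the APTS domain table (8 domains).
DOMAIN_PREFIXES = {"SE", "SC", "HO", "AL", "AR", "MR", "TP", "RP"}

# Tier-required: APTS-XX-NNN, optionally versioned as APTS-vX.Y.Z-XX-NNN.
# Advisory: APTS-XX-A0x (assumed two digits after the A; not counted toward any tier).
_REF_RE = re.compile(
    r"^APTS-(?:v(?P<version>\d+\.\d+\.\d+)-)?"
    r"(?P<domain>[A-Z]{2})-"
    r"(?:(?P<number>\d{3})|(?P<advisory>A\d{2}))$"
)


class APTSRef(NamedTuple):
    domain: str
    number: str        # "001" for tier-required, "A03" for advisory
    advisory: bool
    version: Optional[str]


def parse_ref(text: str) -> APTSRef:
    """Parse one APTS reference; raise ValueError if malformed or unknown domain."""
    m = _REF_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not an APTS requirement reference: {text!r}")
    domain = m.group("domain")
    if domain not in DOMAIN_PREFIXES:
        raise ValueError(f"unknown APTS domain prefix {domain!r} in {text!r}")
    if m.group("advisory"):
        return APTSRef(domain, m.group("advisory"), True, m.group("version"))
    return APTSRef(domain, m.group("number"), False, m.group("version"))


def tier_required_refs(texts):
    """Parse a list of references and drop advisory ones, which do not affect conformance."""
    return [r for r in map(parse_ref, texts) if not r.advisory]
```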
Quick Start: Where to Begin
After reviewing the framework overview, domains, and tier structure above, use this reader path to choose the shortest route through APTS for your role and goal.
| Role | Start with | Then use | Outcome |
|---|---|---|---|
| New to APTS | Introduction, Glossary | Getting Started guide | Understand the framework and scope |
| Vendor or platform builder | Introduction, Glossary, then Checklists for target tier | Domain READMEs, Implementation Guides, Conformance Claim Template, Evidence Package Manifest | Documented conformance and evidence package |
| Enterprise internal team | Introduction, Glossary, then Getting Started | Core domains (SE, SC, HO, AR), templates | Internal governance baseline |
| CISO or procurement lead | Introduction, Glossary, then Vendor Evaluation Guide | Evidence Request Checklist, Evidence Package Manifest, conformance claim | Vendor evaluation decision |
| Security reviewer or auditor | Introduction, Glossary, then claimed tier and Checklists | Domain verification sections, Customer Acceptance Testing | Independent review findings |
| Contributor | CONTRIBUTING.md | Existing issues and PRs | Small, reviewable PR |
This orientation aid is informative and does not create or modify APTS requirements.
The full standard with all requirements, verification procedures, checklists, and appendices is in the standard/ folder.
Contributing
This standard is open for community contributions. Whether it is improving requirement clarity, adding implementation examples, fixing errors, or translating the standard, all contributions are welcome. See CONTRIBUTING.md to get started and GOVERNANCE.md for project roles and decision-making. Translations are maintained in standard/translations/.
Report sensitive content issues (incorrect security guidance, documentation of insecure patterns) via SECURITY.md.
Join the discussion on OWASP Slack in the #project-apts channel.
License
CC BY-SA 4.0. Copyright 2026 The OWASP Foundation.
Project Lead
| Name | Affiliation | Links |
|---|---|---|
| Jinson Varghese Behanan | Astra Security | Website, Twitter, LinkedIn |
| Shikhil Sharma | Astra Security | Twitter, LinkedIn |
Technical Reviewers
Individuals appointed to review changes for technical accuracy and consistency. See GOVERNANCE.md for the process.
| Name | Affiliation | Links |
|---|---|---|
| Ananda Krishna | Astra Security | Twitter, LinkedIn |
Contributors
Individuals who made a significant contribution to the project:
| Name | Affiliation | Links |
|---|---|---|
| Ramshath MM | Astra Security | |
| Chia Min Jun Lennon | Ernst & Young (EY) | GitHub, LinkedIn |
| Josh Kotrous | Pensar | |
| Ihor Sasovets | TechMagic | GitHub, LinkedIn |
All discussions take place on the OWASP Autonomous Penetration Testing Standard GitHub repository.
We welcome contributions from the security community. If you have suggestions, feedback, or want to help improve the standard, open an issue or submit a pull request on GitHub.
The contributing guidelines are in CONTRIBUTING.md.