When buyers compare penetration testing frameworks, they are often comparing two different things at once: formal methodologies and reference bases such as PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK, and hands-on tools such as Metasploit, Nuclei, Burp Suite, and Cobalt Strike. The distinction matters because a tool can find or validate a weakness, but a framework determines scope, sequence, evidence, reporting, and auditability.
For enterprise security teams, the best answer is rarely “pick one.” The research consistently shows that mature teams combine methodologies and tools: PTES for engagement structure, OWASP WSTG for application depth, MITRE ATT&CK for adversary behavior, and specialized tools for scanning, exploitation, web testing, command-and-control simulation, and reporting.
1. What Counts as a Penetration Testing Framework?
A penetration testing framework is a structured methodology that tells testers what to test, in what order, under what scope, and how to document the results. Secure.com describes it as the blueprint for a security assessment, while tools such as Nmap, Burp Suite, and Metasploit are the instruments used during the work.
That distinction is important for procurement. Buying a tool does not automatically create a repeatable testing program. Without a documented framework, two testers can assess the same target and produce inconsistent results that are difficult to defend in a board meeting or audit.
A scanner or exploit kit can produce findings. A penetration testing framework produces repeatable, comparable, and auditable security evidence.
Most professional penetration test lifecycles include the same core phases:
- Pre-engagement: Define scope, rules of engagement, legal authorization, and success criteria.
- Reconnaissance: Gather information about the target environment.
- Vulnerability analysis: Identify and prioritize likely weaknesses.
- Exploitation: Attempt to confirm that identified weaknesses are actually exploitable, within the rules of engagement and with safeguards against disrupting production.
- Post-exploitation: Determine how far access could extend in a real attack.
- Reporting: Document severity, evidence, business impact, and remediation guidance.
- Remediation validation: Retest fixes before closing findings.
The most cited enterprise methodologies in the research are PTES, OWASP WSTG, MITRE ATT&CK, and NIST SP 800-115. Other recognized frameworks include OSSTMM, ISSAF, OWASP MASTG, PCI DSS Penetration Testing Guidelines, CSA Cloud Controls Matrix, WASC Threat Classification, and CBEST.
Frameworks vs. Tools: The Practical Difference
| Category | Examples from the research | Primary purpose | Best enterprise use |
|---|---|---|---|
| Methodology frameworks | PTES, OWASP WSTG, NIST SP 800-115, OSSTMM | Define how testing is planned, executed, and reported | Repeatable engagements, audits, compliance evidence |
| Adversary knowledge bases | MITRE ATT&CK | Map real attacker tactics, techniques, and procedures | Red team and detection gap testing |
| Testing tools | Metasploit, Burp Suite, Nmap, Nessus, OWASP ZAP, Wireshark, Kali Linux | Execute scanning, exploitation, web testing, or analysis tasks | Technical validation and evidence collection |
| C2/red team platforms | Cobalt Strike, Sliver, Havoc | Simulate post-exploitation and adversary operations | Advanced red team and purple team engagements |
| Template/scanning tools | Nuclei | Template-based vulnerability scanning | Automation-oriented validation, where supported by templates |
For enterprise buyers comparing penetration testing frameworks, the main decision is not whether Metasploit is “better” than Burp Suite. They solve different problems. The better question is: which combination supports your engagement type, compliance requirements, staff skill level, and reporting needs?
2. Evaluation Criteria for Enterprise Security Teams
Enterprise security teams should evaluate penetration testing frameworks and tools using criteria that map directly to operational outcomes. The source data groups those criteria under five themes: methodology fit, technical coverage, automation, detection profile, and reporting. The table below expands the themes into the individual criteria a procurement review should score.
Core Evaluation Criteria
| Criterion | What to evaluate | Why it matters |
|---|---|---|
| Engagement goal | Compliance validation, web app testing, red team simulation, vulnerability validation | The goal determines the framework and toolset |
| Scope coverage | Web apps, APIs, internal networks, cloud, wireless, human factors, physical controls | No single framework covers every domain equally |
| Team skill level | Beginner-friendly workflows vs. expert tradecraft | MITRE ATT&CK and C2 frameworks require higher maturity |
| Detection profile | Whether default payloads or traffic patterns are easily detected | Critical for red team engagements against mature SOCs |
| Reporting capability | Evidence capture, timelines, CVE mapping, remediation guidance | Reports drive remediation and audit outcomes |
| Compliance alignment | PCI DSS, SOC 2, ISO 27001, FedRAMP, HIPAA | Regulated industries need defensible methodology |
| Enterprise readiness | Multi-user workflows, integrations, repeatability, documentation | Scaling pen testing requires process, not only tooling |
| Community and maintenance | Updates, modules, plugins, templates, ecosystem support | Active tools keep pace with changing attack surfaces |
Secure.com’s guidance is especially clear: start with the goal, not the tool. NIST SP 800-115 fits compliance-heavy environments. OWASP WSTG fits web applications and APIs. MITRE ATT&CK fits adversary simulation and detection validation. PTES fits full-scope enterprise engagements where lifecycle discipline matters.
Compliance Fit Matters
| Requirement or environment | Frameworks identified in the research |
|---|---|
| PCI DSS | OWASP WSTG, NIST SP 800-115 |
| ISO 27001 | PTES, NIST SP 800-115, OWASP WSTG |
| SOC 2 | Documented methodology is required; PTES and MITRE ATT&CK can support testing and detection evidence |
| FedRAMP | NIST SP 800-115 alignment is effectively required for federal cloud programs |
| HIPAA / healthcare | NIST SP 800-115 is highlighted for regulated sectors |
The most common mistake is choosing tools before choosing the framework. The framework defines what must be tested; tools only help perform the work.
Secure.com also highlights operational pitfalls: testing too infrequently, treating reports as the finish line, and skipping methodology documentation. The same source notes that critical applications should receive quarterly coverage, and AI/LLM penetration test findings had a 50-day median remediation time in the cited Cobalt data. For enterprise teams, that makes ownership, deadlines, and retesting part of the framework decision.
3. Metasploit: Exploitation and Validation Strengths
Metasploit remains one of the most important tools when penetration testing frameworks are compared for exploitation and vulnerability validation. DecryptionDigest describes Metasploit Framework as the foundational tool for vulnerability exploitation, with over 2,000 modules covering exploits, payloads, auxiliary functions, and post-exploitation capabilities.
Its strongest fit is not stealthy adversary simulation. Its strongest fit is reliable exploit validation in structured engagements.
Where Metasploit Fits Best
| Use case | Metasploit fit |
|---|---|
| Vulnerability validation | Strong fit; broad exploit module coverage |
| Compliance-driven penetration tests | Strong fit; useful for proving exploitability |
| Defined-scope assessments | Strong fit; database integration helps manage hosts, services, and collected evidence |
| Advanced red team stealth | Limited fit with default payloads due to detection profile |
| Non-expert exploit operation | Stronger fit than custom exploit development, based on documented modules |
DecryptionDigest notes that when a critical CVE is published, a Metasploit module often follows within days. That makes it valuable for teams that need proven exploit implementations without writing exploit code from scratch.
Metasploit also supports structured engagement work through database integration for managing hosts, services, and “loot.” For consulting firms delivering compliance-driven reports, the same source says Metasploit’s built-in reporting engine can produce structured output compatible with many pentest report templates. Buyers should confirm which edition they are evaluating: report generation is a feature of the commercial Metasploit Pro product, while the open-source Framework exports workspace data (for example with db_export in msfconsole) for use in a separate reporting layer.
Metasploit Limitations
Metasploit’s biggest limitation is detection. DecryptionDigest warns that Meterpreter payloads and standard shellcode patterns are well-known to endpoint detection and response vendors. Mature endpoint security platforms can detect common Metasploit payload behavior.
That does not make Metasploit obsolete. It means enterprises should use it for the right job.
Use Metasploit for vulnerability validation and compliance testing. Use a dedicated command-and-control framework when the objective is advanced adversary simulation against mature defenders.
4. Nuclei: Template-Based Vulnerability Scanning
Nuclei appears in the provided search data as one of the penetration testing tools commonly compared alongside Metasploit, Burp Suite, Nmap, and Cobalt Strike. The article brief identifies it as a template-based vulnerability scanning tool, which places it in a different category from exploitation frameworks and interactive web testing suites.
At the time of writing, the provided research set does not include detailed Nuclei specifications such as template counts, pricing, licensing terms, performance benchmarks, integrations, or enterprise reporting features. That limits how far a grounded comparison can go.
What Can Be Said from the Available Data
| Attribute | Nuclei position based on available research |
|---|---|
| Primary role | Template-based vulnerability scanning |
| Best comparison category | Automation-oriented vulnerability checks |
| Direct replacement for Metasploit? | No; Metasploit is positioned as exploitation and validation |
| Direct replacement for Burp Suite? | No; Burp Suite is positioned as web application testing workflow tooling |
| Enterprise data available in sources | Limited; no sourced pricing, benchmark, or integration details provided |
Nuclei is best understood as part of the automation layer in a broader toolkit. In enterprise use, template-based scanning can help teams standardize repeatable checks, especially when paired with a formal methodology such as PTES or OWASP WSTG.
However, teams should avoid treating template-based scanning as a complete penetration test. Secure.com explicitly warns that tools without structure produce scattered results and can miss deeper risks such as privilege escalation paths and business logic flaws.
Nuclei Procurement Consideration
For buyers comparing Nuclei with commercial products, the key questions should be evidence-based:
- Coverage: Which vulnerability classes and technologies are covered by available templates?
- Governance: Who approves templates before they run in production-like environments?
- Reporting: Can results be mapped to owners, severity, remediation deadlines, and retest status?
- Methodology fit: Does it support OWASP WSTG, PTES, or compliance-driven test plans?
- Validation: How are template matches confirmed to reduce false positives?
Because the provided sources do not supply Nuclei-specific enterprise metrics, buyers should request current vendor or project documentation before standardizing on it.
5. Burp Suite: Web Application Testing Workflows
Burp Suite is positioned in the research as a powerful web application testing suite used by individual researchers and enterprise red teams. ACSMI highlights its dynamic scanning, intercepting proxy capabilities, and plugin ecosystem. It also describes Burp Suite Professional as important for testing OWASP Top 10 vulnerability classes.
Burp Suite maps naturally to OWASP WSTG, which Secure.com identifies as the go-to standard for web application and API testing. OWASP WSTG includes test cases for authentication flaws, session management issues, input validation problems, SQL injection, cross-site scripting, and broken access controls.
Where Burp Suite Fits Best
| Use case | Burp Suite fit |
|---|---|
| Web application testing | Strong fit |
| API testing workflows | Strong fit when paired with OWASP WSTG |
| Manual request inspection | Strong fit through intercepting proxy workflows |
| Dynamic application security testing | Strong fit based on dynamic scanning capabilities |
| Network-wide exploitation | Not its primary role in the provided research |
| APT-style simulation | Not positioned as a C2/red team platform |
Burp Suite is especially useful when testers need to understand application behavior, manipulate requests, and validate issues that automated scanners may not fully contextualize. That makes it a natural companion to OWASP WSTG for application-layer depth.
Burp Suite vs. OWASP ZAP
The research also mentions OWASP ZAP, or Zed Attack Proxy, as one of the best free dynamic application security testing tools. ACSMI notes that ZAP includes automated crawlers, attack mode, and custom scripting for web pentests, and that headless scanning makes it useful for CI/CD pipelines.
| Tool | Source-described strengths | Best fit |
|---|---|---|
| Burp Suite | Dynamic scanning, intercepting proxy, plugin ecosystem, OWASP Top 10 testing | Manual and semi-automated web application testing |
| OWASP ZAP | Free DAST, automated crawlers, attack mode, custom scripting, headless scanning | CI/CD-friendly web testing and budget-conscious teams |
The sources do not provide pricing for either tool, so buyers should verify current licensing and enterprise terms directly before procurement.
6. Cobalt Strike and Adversary Simulation Considerations
Cobalt Strike belongs in a different category than Metasploit, Nuclei, or Burp Suite. DecryptionDigest describes it as the de facto standard for professional red team operations simulating advanced persistent threat behavior.
Its core value is not basic vulnerability scanning. It is adversary simulation.
Cobalt Strike Capabilities Identified in the Research
| Capability | Description from the research |
|---|---|
| Beacon C2 agent | The implant that runs on compromised hosts and calls back to the team server for tasking |
| Malleable C2 profiles | Allow operators to make Beacon traffic resemble legitimate application traffic |
| Team server architecture | Supports multi-operator engagements |
| Sleep function | Sleep with jitter randomizes callback intervals, which blunts detections that look for fixed-period callbacks |
| Aggressor Script | Provides scripting for custom post-exploitation workflows |
Cobalt Strike is best aligned with MITRE ATT&CK, which is not a traditional testing framework but a knowledge base of real attacker tactics, techniques, and procedures. Secure.com explains that MITRE-informed testing asks a more demanding question: can the organization detect, understand, and stop a realistic attack chain?
The Detection Caveat
The research is explicit that Cobalt Strike is not an out-of-box stealth solution. DecryptionDigest warns that leaked cracked versions have been extensively analyzed by major EDR vendors. Default configurations and common modifications are detected with high fidelity by mature endpoint security tools.
For professional teams, that means Cobalt Strike requires significant customization, including payload obfuscation, process injection technique selection, and malleable C2 profile development.
Cobalt Strike remains relevant for advanced red team simulation, but default configurations are not sufficient against mature defenders.
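As an added example of the defender's side of this caveat (example code written for this page, not code from the page's sources or from any of the C2 projects it names), the Python below runs two beaconing checks over constructed proxy-log lines: a naive periodicity check that flags near-constant callback intervals, and a band-based check that tolerates sleep jitter. It assumes jitter is a percentage that shortens each sleep, so callbacks stay inside a bounded interval band; the hosts, log format and interval values are constructed, and the thresholds are starting points rather than tuned values.

```python
"""Beaconing detection over proxy logs, with and without jitter tolerance.
Added example: log format, hosts and intervals are all constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev


def _make_flow(src, dst, start, gaps_s):
    """Build constructed log lines of the form '<iso8601> <src> <dst> <dst_port>'."""
    lines, t = [f"{start.isoformat()} {src} {dst} 443"], start
    for gap in gaps_s:
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} {src} {dst} 443")
    return lines


START = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # fixed 60 s sleep, no jitter
    _make_flow("10.0.0.5", "203.0.113.10", START, [60] * 9)
    # 60 s sleep with 50% jitter: each gap shortened by 0..50%, so 30..60 s
    + _make_flow("10.0.0.7", "203.0.113.20", START, [60, 31, 55, 34, 58, 30, 52, 33, 57])
    # human browsing: irregular gaps from seconds to minutes
    + _make_flow("10.0.0.9", "198.51.100.30", START, [3, 120, 7, 600, 45, 2, 900, 15, 60])
)


def parse_line(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, f"{dst}:{port}"


def flow_intervals(lines):
    """Group events by (src, dst:port) and return inter-arrival gaps in seconds."""
    seen = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        seen[(src, dst)].append(ts)
    return {
        key: [(b - a).total_seconds() for a, b in zip(sorted(st), sorted(st)[1:])]
        for key, st in seen.items()
    }


def naive_beacon_check(gaps, min_events=8, max_cv=0.2):
    """Flag near-constant intervals (coefficient of variation <= max_cv).
    This is the check that a randomized sleep defeats."""
    if len(gaps) + 1 < min_events:
        return False
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_cv


def jitter_aware_beacon_check(gaps, min_events=8, max_spread=3.0):
    """Jitter shortens each sleep by 0..J%, so gaps stay inside [sleep*(1-J), sleep].
    Human traffic spans orders of magnitude. Flag when max/min <= max_spread."""
    if len(gaps) + 1 < min_events:
        return False
    lo, hi = min(gaps), max(gaps)
    return lo > 0 and hi / lo <= max_spread


def find_beacons(lines, check):
    """Return 'src->dst:port' for every flow the given check flags, sorted."""
    return sorted(f"{src}->{dst}" for (src, dst), gaps in flow_intervals(lines).items() if check(gaps))


if __name__ == "__main__":
    print("naive check flags:       ", find_beacons(SAMPLE_LOG, naive_beacon_check))
    print("jitter-aware check flags:", find_beacons(SAMPLE_LOG, jitter_aware_beacon_check))
```

The naive check catches only the unjittered flow; the band check catches both implants and still ignores the human-like flow. In a real SOC this would be one signal among several (destination reputation, bytes per callback, process lineage), and both thresholds need tuning against your own baseline traffic before they are trusted.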
Open-Source C2 Alternatives
The research also identifies Sliver and Havoc as open-source alternatives to Cobalt Strike.
| Tool | Source-described strengths | Source-described caveats |
|---|---|---|
| Cobalt Strike | Beacon, malleable C2, team server, Aggressor Script, professional red team standard | Commercial license required; default and common configurations are widely detected |
| Sliver | Multiple C2 protocols including HTTP/S, DNS, WireGuard, and mTLS; built-in implant generation; extensible post-exploitation modules | Teams must still account for evolving detection |
| Havoc | Modern C2 architecture, Qt-based operator interface, custom agent development through HavocUI API | Rapid adoption by red teams and threat actors has led to vendor-specific detection coverage |
DecryptionDigest describes Sliver as the strongest open-source option for red teams needing a free, actively maintained, multi-operator C2 platform. Havoc may fit teams comfortable tracking rapidly changing detection coverage.
7. Open Source vs Commercial Penetration Testing Tools
The open source vs commercial decision is not simply about cost. The research emphasizes capability, maintenance, ecosystem, reporting, integrations, licensing, and operational risk.
Open Source and Free Tools Mentioned in the Research
| Tool or framework | Category | Source-described value |
|---|---|---|
| Kali Linux | Penetration testing distribution | Debian-based distro preloaded with over 600 tools for scanning, exploitation, and post-exploitation |
| Nmap | Network discovery and port scanning | Scripting engine supports reconnaissance tasks such as SSL cipher enumeration, SMB fingerprinting, and version detection |
| OWASP ZAP | Web application DAST | Free DAST with automated crawlers, attack mode, custom scripting, and headless scanning |
| Wireshark | Packet analysis | Deep packet inspection for network-layer analysis |
| Sliver | Open-source C2 | Multi-protocol C2 and multi-operator red team use |
| Havoc | Open-source C2 | Modern C2 architecture and custom agent support |
| OSSTMM | Methodology | Metrics-driven methodology using Risk Assessment Values |
Commercial or Commercially Positioned Tools Mentioned
| Tool | Category | Source-described value |
|---|---|---|
| Cobalt Strike | Red team C2 platform | Professional adversary simulation with Beacon, malleable C2, and team server architecture |
| Burp Suite Professional | Web application testing | Dynamic scanning, intercepting proxy workflows, plugin ecosystem, OWASP Top 10 testing |
| Nessus | Vulnerability assessment automation | Supports over 72,000 CVE checks and integrates with Splunk and ServiceNow |
| Core Impact | Enterprise penetration testing | Mentioned as enterprise-ready with integrations and reporting workflows |
The sources do not provide current pricing for these tools. Therefore, any buying decision should verify licensing, support terms, user limits, and deployment options directly with the vendor or project maintainers.
Open Source vs Commercial: Enterprise Trade-Offs
| Factor | Open source tools | Commercial tools |
|---|---|---|
| Acquisition cost | Often free or community-supported | Licensing required in many cases |
| Customization | High, especially for skilled teams | Varies by product |
| Support | Community-driven unless paid support exists | Vendor support may be available |
| Reporting | Often requires separate tooling or customization | More likely to include structured reporting features |
| Enterprise integrations | Varies widely | Tools like Nessus are described as integrating with Splunk and ServiceNow |
| Operational maturity required | Can be high for C2 and advanced tooling | Still high for red team tools; commercial does not mean turnkey |
Open source tools can be highly capable, but enterprises should budget for operational overhead: training, configuration, validation, documentation, and reporting. Commercial tools may reduce some workflow friction, but they still need a formal testing methodology.
8. Best Frameworks by Use Case and Team Skill Level
For buyers comparing penetration testing frameworks, the most useful approach is use-case mapping. No single framework or tool covers everything.
Methodology Frameworks by Use Case
| Use case | Best-fit framework from the research | Complexity noted in sources | Why it fits |
|---|---|---|---|
| Full-scope enterprise penetration test | PTES | High | Covers pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting |
| Web application and API testing | OWASP WSTG | Medium | Includes web test cases for authentication, session management, input validation, SQL injection, XSS, and access control |
| Adversary simulation and detection testing | MITRE ATT&CK | Very high | Maps testing to real attacker tactics, techniques, and procedures |
| Government and regulated-sector assessments | NIST SP 800-115 | Medium, documentation-heavy | Aligns well with formal audit and governance requirements |
| Metrics-driven security measurement | OSSTMM | Steep learning curve | Uses Risk Assessment Values to quantify attack surface and controls |
Tools by Enterprise Use Case
| Use case | Best-fit tools from the research | Skill level implied by sources |
|---|---|---|
| Exploit validation | Metasploit | Accessible to non-expert operators using documented modules |
| Web application testing | Burp Suite, OWASP ZAP | Moderate to advanced depending on manual testing depth |
| Network discovery | Nmap | Beginner to advanced depending on scripting usage |
| Vulnerability assessment automation | Nessus | Enterprise operations and compliance teams |
| Template-based scanning | Nuclei | Not specified in provided source data |
| Advanced red team C2 | Cobalt Strike, Sliver, Havoc | Advanced; requires tradecraft and detection awareness |
| Packet-level analysis | Wireshark | Moderate to advanced network analysis skills |
| All-in-one testing environment | Kali Linux | Useful for trained testers who need broad tooling access |
Recommended Pairings
| Team type | Practical framework/tool pairing |
|---|---|
| Small security team | PTES checklist + OWASP WSTG for web testing + selected tools such as Burp Suite, ZAP, Nmap, or Metasploit |
| Compliance-driven enterprise | NIST SP 800-115 + PTES + tools with strong evidence and reporting workflows |
| Application security team | OWASP WSTG + Burp Suite or OWASP ZAP + automation where appropriate |
| Internal red team | PTES for engagement management + MITRE ATT&CK for adversary mapping + Cobalt Strike, Sliver, or Havoc where authorized |
| Purple team program | MITRE ATT&CK + transparent use of C2 tools so blue teams can validate detection coverage |
This is where the comparison becomes practical: the winner depends on the job. Metasploit is not a Burp Suite replacement. Burp Suite is not a Cobalt Strike replacement. MITRE ATT&CK is not a replacement for PTES. They are complementary layers.
9. How to Build a Balanced Pen Testing Toolkit
A balanced enterprise toolkit starts with methodology, then adds tools by phase. The research repeatedly warns against starting with tools alone.
Step 1: Define the Engagement Model
Start by deciding what you are testing and why.
- Compliance: Use NIST SP 800-115 or PTES for documented process.
- Web apps and APIs: Use OWASP WSTG for application-layer depth.
- Detection and response: Use MITRE ATT&CK to map real attacker behavior.
- Quantified measurement: Consider OSSTMM when repeatable metrics are required.
Step 2: Build by Testing Phase
| Testing phase | Tools and frameworks supported by the research |
|---|---|
| Planning and scoping | PTES, NIST SP 800-115 |
| Reconnaissance | Nmap, Kali Linux tooling |
| Web application testing | OWASP WSTG, Burp Suite, OWASP ZAP |
| Vulnerability assessment | Nessus, Nuclei where template-based checks fit |
| Exploitation validation | Metasploit |
| Adversary simulation | MITRE ATT&CK, Cobalt Strike, Sliver, Havoc |
| Network analysis | Wireshark |
| Reporting and remediation | Metasploit reporting, separate reporting layers such as Vectr for red team timelines and detection gaps |
DecryptionDigest emphasizes that the value of a penetration test is not exploitation itself, but remediation guidance. Teams should evaluate whether their tools capture evidence, associate it with attack-chain steps, map findings to CVEs or MITRE ATT&CK techniques, and support remediation priorities.
Step 3: Separate Pen Test, Red Team, and Purple Team Tooling
| Exercise type | Goal | Tooling implication |
|---|---|---|
| Vulnerability scanning | Identify known weaknesses | Automated scanners and repeatable checks |
| Penetration testing | Validate exploitability and business impact | Metasploit, Burp Suite, OWASP WSTG, PTES |
| Red teaming | Simulate advanced attacker behavior | MITRE ATT&CK, Cobalt Strike, Sliver, Havoc |
| Purple teaming | Improve detection and response | Transparent tool use, mapped detection tests, timelines |
DecryptionDigest recommends maintaining separate toolsets for red team and purple team exercises. Purple team exercises benefit from transparency because defenders need to validate detection coverage.
Step 4: Make Reporting a First-Class Requirement
Do not evaluate tools only by exploit count or scanner coverage. Reporting determines whether findings become fixed.
A mature report should include:
- Evidence: Screenshots, command output, request/response data, or logs.
- Business impact: What the issue enables in real terms.
- Severity: Prioritized with context, not just CVSS or scanner output.
- Remediation owner: A person or team accountable for the fix.
- Deadline: Based on severity and exposure.
- Retest status: Validation before closure.
- Mapping: CVEs, MITRE ATT&CK techniques, or compliance controls where relevant.
Secure.com warns that a report without action is just documentation. This is especially important given the cited 50-day median remediation time for AI/LLM penetration test findings.
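The Nuclei procurement questions in section 4 (can results be mapped to owners, severity, deadlines and retest status?) and the report fields listed above come down to the same mechanism: a findings register that refuses to close a finding until it has been retested. As an added example (written for this page, not code from its sources or from the Nuclei project), the Python below normalizes a constructed Nuclei JSON-lines record and hand-entered findings from other phases into report-ready records, derives deadlines from severity, and buckets each finding as open, overdue, awaiting retest, closed or incomplete. The severity-to-deadline SLA is an assumption to replace with your own policy, the Nuclei field names follow the tool's JSON output as understood by the author of this example, and every record is constructed.

```python
"""Findings register: tool output normalized into report-ready records with owner,
deadline, mapping and retest status. Added example with constructed data."""
import json
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Assumed remediation SLA in days by severity; replace with your own policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 60, "low": 90}
TODAY = date(2024, 6, 10)  # constructed reference date for the status report


@dataclass
class Finding:
    fid: str
    title: str
    severity: str
    evidence: str        # screenshot path, request/response pair, command output
    impact: str          # what the issue enables in business terms
    owner: str           # accountable person or team
    found_on: date
    deadline: Optional[date]
    mapping: List[str] = field(default_factory=list)  # CVE IDs, ATT&CK IDs, control refs
    fixed: bool = False
    retested: bool = False

    def is_closed(self) -> bool:
        """Closed means fixed AND retested; a fix nobody verified stays open."""
        return self.fixed and self.retested

    def is_overdue(self, today: date) -> bool:
        return self.deadline is not None and today > self.deadline and not self.is_closed()


def deadline_for(severity: str, found_on: date) -> Optional[date]:
    days = SLA_DAYS.get(severity.lower())
    return None if days is None else found_on + timedelta(days=days)


def from_nuclei_jsonl(line: str, owner: str, impact: str, evidence: str,
                      found_on: date, mapping=()) -> Finding:
    """Convert one Nuclei JSON-lines record into a Finding. The field names
    (template-id, info.name, info.severity, matched-at) follow Nuclei's -jsonl
    output as the author understands it; the record fed in below is constructed."""
    r = json.loads(line)
    sev = r["info"]["severity"]
    return Finding(fid=r["template-id"], title=f'{r["info"]["name"]} at {r["matched-at"]}',
                   severity=sev, evidence=evidence, impact=impact, owner=owner,
                   found_on=found_on, deadline=deadline_for(sev, found_on), mapping=list(mapping))


def missing_fields(f: Finding) -> List[str]:
    """Fields a report must carry before a finding can be assigned; blanks count as missing."""
    required = {"evidence": f.evidence, "impact": f.impact, "owner": f.owner, "severity": f.severity}
    return sorted(k for k, v in required.items() if not v)


def register_status(findings: List[Finding], today: date) -> dict:
    """Place every finding in exactly one bucket; incomplete records are held back from tracking."""
    status = {"incomplete": [], "closed": [], "awaiting_retest": [], "overdue": [], "open": []}
    for f in findings:
        if missing_fields(f):
            status["incomplete"].append(f.fid)
        elif f.is_closed():
            status["closed"].append(f.fid)
        elif f.fixed:
            status["awaiting_retest"].append(f.fid)
        elif f.is_overdue(today):
            status["overdue"].append(f.fid)
        else:
            status["open"].append(f.fid)
    return status


# Constructed Nuclei-style record (template id and host are placeholders, not a real scan).
NUCLEI_RECORD = json.dumps({
    "template-id": "http-missing-security-headers",
    "info": {"name": "Missing Security Headers", "severity": "low"},
    "type": "http", "host": "https://app.example", "matched-at": "https://app.example/login",
})


def build_register() -> List[Finding]:
    """Constructed register mixing scanner, exploitation, web and network findings."""
    return [
        from_nuclei_jsonl(NUCLEI_RECORD, owner="web-platform", evidence="captured response headers",
                          impact="Weakens browser-side defenses on the login page", found_on=date(2024, 5, 1)),
        Finding("MSF-001", "Exploitable service on internal host", "high", evidence="Metasploit session log",
                impact="Initial foothold on the internal network", owner="infra-ops",
                found_on=date(2024, 4, 20), deadline=deadline_for("high", date(2024, 4, 20)),
                mapping=["ATT&CK T1190"]),
        Finding("WEB-007", "Broken access control on admin API", "critical", evidence="request/response pair",
                impact="Any user can read other tenants' data", owner="app-team",
                found_on=date(2024, 5, 20), deadline=deadline_for("critical", date(2024, 5, 20)),
                mapping=["OWASP WSTG access control tests"], fixed=True),
        Finding("NET-003", "Weak TLS cipher suites", "medium", evidence="nmap ssl-enum-ciphers output",
                impact="Downgrade exposure for clients", owner="infra-ops",
                found_on=date(2024, 3, 1), deadline=deadline_for("medium", date(2024, 3, 1)),
                fixed=True, retested=True),
        Finding("SCAN-042", "Outdated component reported by scanner", "medium", evidence="", impact="",
                owner="", found_on=date(2024, 6, 1), deadline=deadline_for("medium", date(2024, 6, 1))),
    ]


if __name__ == "__main__":
    print(register_status(build_register(), TODAY))
```

Two rules carry the weight here: a finding marked fixed but not retested lands in awaiting_retest rather than closed, and a scanner hit with no evidence, impact or owner is held as incomplete instead of entering the tracking buckets. That is what turns raw template matches into auditable evidence with a deadline attached.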
Bottom Line
The strongest enterprise approach is not to pick a single tool and call it a framework. A credible penetration testing program combines methodology, tooling, reporting, and remediation validation.
For most enterprises, PTES provides the lifecycle structure, OWASP WSTG provides web and API testing depth, NIST SP 800-115 supports compliance-heavy environments, and MITRE ATT&CK supports adversary simulation and detection testing. On the tooling side, Metasploit is strongest for exploit validation, Burp Suite for web application workflows, Nuclei for template-based scanning where appropriate, and Cobalt Strike, Sliver, or Havoc for authorized advanced red team operations.
For commercial buying decisions, the best choice depends on your use case: compliance, web security, vulnerability validation, red team realism, or reporting maturity. Mature teams usually combine two or three methodologies and several specialized tools rather than relying on one platform to do everything.
FAQ: Penetration Testing Frameworks Compared
1. What is the difference between a penetration testing framework and a penetration testing tool?
A framework defines the methodology: scope, sequence, testing phases, documentation, and reporting. A tool performs a specific function such as scanning, exploitation, proxying web traffic, packet analysis, or command-and-control simulation.
For example, PTES is a framework, while Metasploit is a tool used for exploitation and validation.
2. Is Metasploit still useful for enterprise penetration testing?
Yes. The research identifies Metasploit as a foundational exploitation framework with over 2,000 modules across exploits, payloads, auxiliary tools, and post-exploitation capabilities.
Its best fit is vulnerability validation and compliance-driven penetration testing. For stealthy red team operations against mature defenders, the research warns that default Meterpreter payloads and common shellcode patterns are widely detected.
3. When should an enterprise use Burp Suite?
Burp Suite is best suited for web application and API testing workflows. The source data highlights its dynamic scanning, intercepting proxy, and plugin ecosystem.
It pairs naturally with OWASP WSTG, which covers authentication, session management, input validation, SQL injection, cross-site scripting, and broken access control testing.
4. Is Cobalt Strike appropriate for normal penetration testing?
Cobalt Strike is better suited to advanced red team and adversary simulation engagements than routine vulnerability validation. Its Beacon agent, malleable C2 profiles, team server architecture, and scripting capabilities support sophisticated simulations.
However, the research warns that default and common configurations are heavily detected by mature EDR tools, so professional use requires customization and proper authorization.
5. Where does Nuclei fit in a penetration testing toolkit?
Nuclei fits as a template-based vulnerability scanning tool. Based on the available source data, it should be treated as an automation layer rather than a full penetration testing framework.
The provided research does not include Nuclei-specific pricing, benchmark data, template counts, or enterprise integration details, so buyers should validate those points directly before standardizing on it.
6. What is the best penetration testing framework for compliance?
For compliance-heavy environments, the research points to NIST SP 800-115 because it is documentation-heavy and aligns well with regulated industries and federal requirements. PTES also supports documented methodology, while OWASP WSTG is useful for web application and API testing requirements such as those associated with PCI DSS.
In practice, many enterprises combine NIST, PTES, and OWASP WSTG depending on the audit scope.