

OWASP Incubator Project · License: CC BY-SA 4.0 · Version: 0.1.0 · Contributions Welcome · Slack

What is OWASP APTS?

OWASP APTS (the OWASP Autonomous Penetration Testing Standard) is a governance standard for autonomous penetration testing platforms. It defines what such a system must do to operate safely, transparently, and within defined boundaries, whether it is delivered by a vendor, operated as a service, or built in-house by an enterprise security team to test its own organization.

APTS is not a testing methodology. It complements PTES, OWASP WSTG, and OSSTMM by addressing the problems unique to autonomous operation: scope enforcement, safe autonomy, manipulation resistance, and accountability.

173 Tier-Required Requirements Across 8 Domains

| Domain | Prefix | Requirements | Description |
|---|---|---|---|
| Scope Enforcement | SE | 26 | Defining, validating, and enforcing testing boundaries |
| Safety Controls | SC | 20 | Impact classification, blast radius, kill switches, rollback, execution sandbox |
| Human Oversight | HO | 19 | Approval gates, dashboards, escalation, operator qualifications |
| Graduated Autonomy | AL | 28 | Four autonomy levels (L1 Assisted through L4 Autonomous) |
| Auditability | AR | 20 | Logging, decision trails, evidence integrity, audit trail isolation |
| Manipulation Resistance | MR | 23 | Prompt injection, adversarial inputs, scope widening defense |
| Supply Chain Trust | TP | 22 | AI provider trust, data handling, multi-tenancy isolation, foundation model disclosure |
| Reporting | RP | 15 | Finding validation, confidence scoring, coverage disclosure |

Compliance Tiers

  • Tier 1 (Foundation): 72 requirements. The platform will not test outside scope, can be stopped immediately, and provides an audit trail.
  • Tier 2 (Verified): 85 additional (157 cumulative). Full transparency, tamper-proof audit trails, and independently verifiable findings.
  • Tier 3 (Comprehensive): 16 additional (173 cumulative). Highest assurance for critical infrastructure and L4 autonomous operations.

Nineteen additional advisory practices live exclusively in the Advisory Requirements appendix under the APTS-<DOMAIN>-A0x identifier pattern. Advisory practices are not counted toward any tier and do not affect conformance.

APTS has no certification body, no mandatory third-party audit, and no fee. Platforms are assessed against the requirements and conformance is documented. The standard does not prescribe who performs the assessment; internal self-assessment, independent internal review, and external third-party assessment are all valid approaches, and the choice is left to the reader.

How to Reference

Requirements use the format APTS-XX-NNN where XX is the domain prefix and NNN is the requirement number (for example, APTS-SE-001). For versioned references in contracts or evaluations, use APTS-v0.1.0-SE-001.
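The identifier format above is what conformance claims, evidence packages, and contracts key on, so a reviewer will want to reject malformed or out-of-range references before reading any evidence. The following validator is an added example written for this page; it is not the project's own tooling. It takes the domain prefixes and per-domain requirement counts from the table above, accepts the versioned form (APTS-v0.1.0-SE-001) and the advisory pattern APTS-<DOMAIN>-A0x, and the function names and the `validate_claim` report shape are assumptions of this example.

```python
"""Validate APTS requirement identifiers (added example, not OWASP APTS project code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Domain prefix -> (domain name, number of tier-required requirements), taken from
# the domain table above. Used to reject references such as APTS-RP-016 (RP has 15).
DOMAINS = {
    "SE": ("Scope Enforcement", 26),
    "SC": ("Safety Controls", 20),
    "HO": ("Human Oversight", 19),
    "AL": ("Graduated Autonomy", 28),
    "AR": ("Auditability", 20),
    "MR": ("Manipulation Resistance", 23),
    "TP": ("Supply Chain Trust", 22),
    "RP": ("Reporting", 15),
}

# APTS-XX-NNN, optionally versioned as APTS-vMAJOR.MINOR.PATCH-XX-NNN, or an
# advisory practice APTS-XX-A0x (the page states the A0x pattern; A01-A09 assumed).
_ID_RE = re.compile(
    r"^APTS-(?:v(?P<version>\d+\.\d+\.\d+)-)?"
    r"(?P<prefix>[A-Z]{2})-(?P<number>\d{3}|A0[1-9])$"
)


@dataclass(frozen=True)
class RequirementId:
    prefix: str
    domain: str
    number: str            # "001" or "A03"
    version: Optional[str]  # "0.1.0" when a versioned reference was given
    advisory: bool

    def canonical(self) -> str:
        """Unversioned form, e.g. APTS-SE-001."""
        return f"APTS-{self.prefix}-{self.number}"

    def versioned(self, version: str) -> str:
        """Versioned form for contracts and evaluations, e.g. APTS-v0.1.0-SE-001."""
        return f"APTS-v{version}-{self.prefix}-{self.number}"


def parse_requirement_id(text: str) -> RequirementId:
    """Parse one identifier; raise ValueError for anything the standard does not define."""
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an APTS identifier: {text!r}")
    prefix = m["prefix"]
    if prefix not in DOMAINS:
        raise ValueError(f"unknown domain prefix {prefix!r} in {text!r}")
    domain, count = DOMAINS[prefix]
    number = m["number"]
    advisory = number.startswith("A")
    if not advisory:
        n = int(number)
        if n < 1 or n > count:
            raise ValueError(f"{text!r}: {prefix} defines requirements 001-{count:03d}")
    return RequirementId(prefix, domain, number, m["version"], advisory)


def is_valid_id(text: str) -> bool:
    try:
        parse_requirement_id(text)
        return True
    except ValueError:
        return False


def validate_claim(
    ids: List[str], standard_version: str = "0.1.0"
) -> Tuple[List[RequirementId], List[RequirementId], List[str]]:
    """Screen the identifiers listed in a conformance claim.

    Returns (counted, advisory, problems): identifiers that can count toward a
    tier, advisory practices (listed separately because they never count toward
    a tier), and human-readable problems for malformed, out-of-range, duplicate
    or wrongly versioned references.
    """
    counted: List[RequirementId] = []
    advisory: List[RequirementId] = []
    problems: List[str] = []
    seen = set()
    for raw in ids:
        try:
            rid = parse_requirement_id(raw)
        except ValueError as err:
            problems.append(str(err))
            continue
        if rid.version is not None and rid.version != standard_version:
            problems.append(f"{raw!r}: references v{rid.version}, claim is against v{standard_version}")
            continue
        if rid.advisory:
            advisory.append(rid)
            continue
        if rid.canonical() in seen:
            problems.append(f"{raw!r}: duplicate reference")
            continue
        seen.add(rid.canonical())
        counted.append(rid)
    return counted, advisory, problems
```

Running the screen first keeps later steps honest: a claim that lists advisory practices among its tier evidence, or cites a requirement number the domain does not have, is visible before anyone opens the evidence package.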

Quick Start: Where to Begin

After reviewing the framework overview, domains, and tier structure above, use this reader path to choose the shortest route through APTS for your role and goal.

APTS reader path flowchart

| Role | Start with | Then use | Outcome |
|---|---|---|---|
| New to APTS | Introduction, Glossary | Getting Started guide | Understand the framework and scope |
| Vendor or platform builder | Introduction, Glossary, then Checklists for target tier | Domain READMEs, Implementation Guides, Conformance Claim Template, Evidence Package Manifest | Documented conformance and evidence package |
| Enterprise internal team | Introduction, Glossary, then Getting Started | Core domains (SE, SC, HO, AR), templates | Internal governance baseline |
| CISO or procurement lead | Introduction, Glossary, then Vendor Evaluation Guide | Evidence Request Checklist, Evidence Package Manifest, conformance claim | Vendor evaluation decision |
| Security reviewer or auditor | Introduction, Glossary, then claimed tier and Checklists | Domain verification sections, Customer Acceptance Testing | Independent review findings |
| Contributor | CONTRIBUTING.md | Existing issues and PRs | Small, reviewable PR |

This orientation aid is informative and does not create or modify APTS requirements.

The full standard with all requirements, verification procedures, checklists, and appendices is in the standard/ folder.

Contributing

This standard is open for community contributions. Whether it is improving requirement clarity, adding implementation examples, fixing errors, or translating the standard, all contributions are welcome. See CONTRIBUTING.md to get started and GOVERNANCE.md for project roles and decision-making. Translations are maintained in standard/translations/.

Report sensitive content issues (incorrect security guidance, documentation of insecure patterns) via SECURITY.md.

Join the discussion on OWASP Slack in the #project-apts channel.

Project Leads

License

CC BY-SA 4.0. Copyright 2026 The OWASP Foundation.
