OSSTMM
An operational security testing methodology defining metrics and processes for assessing security across five channels: human, physical, wireless, telecommunications and network.
What is OSSTMM?
OSSTMM (Open Source Security Testing Methodology Manual) is an operational security testing methodology maintained by ISECOM (Institute for Security and Open Methodologies); the current published version is OSSTMM 3. Where PTES is scoped to IT penetration testing, OSSTMM treats the whole operational environment as the test scope and defines how to count what was tested, so that two tests of the same scope produce comparable results.
OSSTMM defines testing across five operational channels: the human channel (people and their interactions: social engineering, awareness, procedures), the physical channel (buildings, access control, locks, guards), the wireless channel (WiFi, Bluetooth, RFID and other electromagnetic signals), the telecommunications channel (telephony, VoIP, fax) and the network channel (IP networks, protocols, services). OSSTMM 3 groups these into three sections: PHYSSEC (human and physical), SPECSEC (wireless) and COMSEC (telecommunications and data networks).
A distinguishing feature of OSSTMM is the rav (written out as Risk Assessment Value in older versions), a quantitative measure of the attack surface. It is built from three counted quantities: porosity, the sum of Visibility, Access and Trust interaction points found in the scope; controls, the instances of ten control classes (five interactive Class A: authentication, indemnification, resilience, subjugation, continuity; five process Class B: non-repudiation, confidentiality, privacy, integrity, alarm) applied to those points; and limitations, the vulnerabilities, weaknesses, concerns, exposures and anomalies found. A rav of 100 means the controls balance the porosity; below 100 the scope is under-controlled, and above 100 it carries more controls than it has interactions to protect, which OSSTMM also treats as an imbalance rather than a bonus. The result is a measurable operational security figure rather than a subjective high/medium/low rating.
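The following is an added illustration of how the rav inputs are counted, not ISECOM's rav calculator and not code from the original page. It models the three porosity components, the ten control classes and the rule of thumb that each porosity point should be covered by every control class, then reports missing and surplus controls per class and a simple coverage percentage. It deliberately omits the manual's logarithmic scaling, its limitation weighting and its exact missing-control formula, so the outputs are plain counts, not rav values; the target names, the sample inventory and the "one control instance covers one porosity point" rule are constructed assumptions for the example.

```python
"""Count-based OSSTMM-style porosity and control inventory (added example).

Not the OSSTMM 3 rav formula: no logarithmic scaling, no limitation
weighting. It only shows how Visibility, Access, Trust and the ten control
classes are counted against each other per channel.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Ten control classes from OSSTMM 3: five Class A (interactive), five Class B (process).
CLASS_A = ("authentication", "indemnification", "resilience", "subjugation", "continuity")
CLASS_B = ("non-repudiation", "confidentiality", "privacy", "integrity", "alarm")
CONTROL_CLASSES = CLASS_A + CLASS_B
CHANNELS = ("human", "physical", "wireless", "telecommunications", "network")


@dataclass
class Target:
    """One tested target in one channel (a host, a door, an SSID, a phone line ...)."""
    name: str
    channel: str
    visible: bool = True          # enumerable from the test vector -> one Visibility point
    access_points: int = 0        # interactive entry points (open ports, doors, radios ...)
    trusts: int = 0               # interactions accepted from other targets without authentication
    controls: Dict[str, int] = field(default_factory=dict)  # control class -> instances applied

    def __post_init__(self) -> None:
        if self.channel not in CHANNELS:
            raise ValueError(f"unknown channel: {self.channel}")
        unknown = set(self.controls) - set(CONTROL_CLASSES)
        if unknown:
            raise ValueError(f"unknown control class(es): {sorted(unknown)}")


def porosity(targets: List[Target]) -> Dict[str, int]:
    """Porosity components (Visibility, Access, Trust) and their sum."""
    visibility = sum(1 for t in targets if t.visible)
    access = sum(t.access_points for t in targets)
    trust = sum(t.trusts for t in targets)
    return {"visibility": visibility, "access": access, "trust": trust,
            "sum": visibility + access + trust}


def porosity_by_channel(targets: List[Target]) -> Dict[str, int]:
    """Porosity sum per channel, for channels that have at least one target."""
    return {ch: porosity([t for t in targets if t.channel == ch])["sum"]
            for ch in CHANNELS if any(t.channel == ch for t in targets)}


def control_totals(targets: List[Target]) -> Dict[str, int]:
    """Instances of each control class applied across all targets."""
    totals = {c: 0 for c in CONTROL_CLASSES}
    for t in targets:
        for name, count in t.controls.items():
            totals[name] += count
    return totals


def control_gaps(targets: List[Target]) -> Dict[str, Dict[str, int]]:
    """Per class: porosity points lacking the control (missing) and instances
    beyond the porosity sum (surplus). Assumption for this example: one
    instance of a class covers exactly one porosity point."""
    p = porosity(targets)["sum"]
    totals = control_totals(targets)
    return {c: {"missing": max(0, p - totals[c]), "surplus": max(0, totals[c] - p)}
            for c in CONTROL_CLASSES}


def coverage_percent(targets: List[Target]) -> float:
    """Share of the ideal (ten classes x porosity points) that is covered;
    surplus instances earn no credit."""
    p = porosity(targets)["sum"]
    if p == 0:
        return 100.0  # no interactions, nothing left to control
    covered = sum(min(p, n) for n in control_totals(targets).values())
    return 100.0 * covered / (10 * p)


# Constructed sample inventory across three channels (not real test data).
SAMPLE_TARGETS = [
    Target("web-01", "network", access_points=2,
           controls={"authentication": 2, "confidentiality": 2, "alarm": 1}),
    Target("vpn-gw", "network", access_points=1, trusts=1,
           controls={"authentication": 2, "confidentiality": 2, "integrity": 2,
                     "alarm": 2, "non-repudiation": 2}),
    Target("lobby-door", "physical", access_points=1,
           controls={"authentication": 1, "alarm": 1, "subjugation": 1}),
    Target("guest-wifi", "wireless", access_points=1),  # open SSID, no controls at all
]

if __name__ == "__main__":
    print("porosity:", porosity(SAMPLE_TARGETS))
    print("per channel:", porosity_by_channel(SAMPLE_TARGETS))
    for cls, gap in control_gaps(SAMPLE_TARGETS).items():
        print(f"{cls:16s} missing={gap['missing']:3d} surplus={gap['surplus']:3d}")
    print(f"coverage: {coverage_percent(SAMPLE_TARGETS):.1f}%")
```

Running the block on the sample inventory gives a porosity of 10 (4 visibility, 5 access, 1 trust), no control class fully covered, and 18% coverage; an open guest SSID contributes two porosity points and zero controls, which is exactly the kind of finding the rav makes visible when a pure vulnerability count would show nothing.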
Why does it matter?
OSSTMM offers a more holistic approach to security testing than standards scoped exclusively to IT. It is particularly valuable in organisations where physical, telecommunications and wireless security carry the same weight as network security in the overall posture, for example industrial sites, data centres or facilities with on-site staff. Because the rav is a count-based measure rather than a rating, it allows security to be compared over time, between sites and between infrastructure elements, and makes the test itself auditable: the report states what was counted, not just what was found.
Related SEQRED services
Need help in this area?
Our experts will help you assess the risk and plan next steps.