The global skills and competency framework for the digital world

#1331 PENT - Penetration testing - separate research and testing elements change request accepted

Separated into the skills that ‘research, discover and develop exploits, reverse engineering and researching of mitigation bypasses’ and the skills to implement and test etc.

While many of the categories are reasonably accurate, it seems to me that while the ‘Research’ attribute is correct, there isn’t an ‘Applied Research’ equivalent in SFIA 7 – and also, this description is also only partially reflective of this skillset.  



The systematic creation of new knowledge by data gathering, innovation, experimentation, evaluation and dissemination. The determination of research goals and the method by which the research will be conducted. The active participation in a community of researchers; communicating formally and informally through digital media, conferences, journals, books and seminars.


Applied Research

Vulnerability research and discovery, leading to the development of exploits, reverse engineering and researching mitigation bypasses. Cryptographic research leading to the assessment of existing algorithms. In the information security field, uses existing knowledge in experimental development to produce new or substantially improved devices, products and processes.

Proposed change applies to Penetration testing

Current status of this request: accepted

What we decided

Accepted into broader review of security skills for SFIA 8.

What we changed

Vulnerability research skill proposed for SFIA 8.