What is SP-800-115?

SP 800-115 is a technical guide that describes how to conduct information security testing and assessment. It provides practical methodologies for planning, executing, and documenting tests of security controls, with guidance on activities such as network and system testing, vulnerability scanning, and penetration testing. The aim is to identify weaknesses and verify that security controls function as intended, so organizations can make informed risk-based decisions and remediate issues before they can be exploited. It also covers important workflow elements like rules of engagement, reporting, and evidence handling to ensure tests are performed consistently and legally. This makes it a hands-on reference for evaluating the effectiveness of security controls, rather than a policy framework, a broad standard for securing networks, or an incident response procedure.