Methodology for Information Security Examination with Audit Value (MIAUW)

MIAUW: A Structured Approach to Reliable Information Security Research

In a world where cybersecurity risks are becoming increasingly complex and legislation such as the NIS2 Directive and the Cyber Resilience Act is forcing organisations to be demonstrably “in control”, performing a penetration test (pen test) is no longer enough. The question is not only whether a test has been performed, but also how and with what certainty the results are reliable and reproducible.

That is why the Methodology for Information Security Examination with Audit Value (MIAUW) has been developed. Led by Brenno de Winter, in collaboration with experts from the field, this open methodology provides a structured framework for penetration testing that allows companies and governments to demonstrate with certainty that their systems have been tested in an auditable, repeatable and transparent manner.

Why is MIAUW special?

Many traditional penetration tests lack a standardised approach, leading to variable results and uncertainty about the completeness of the study. MIAUW is designed to change this. The methodology ensures that:

  • Each step of the test is traceable and irrefutable.
  • An official report can be drawn up by an auditor so that external parties can confirm the validity of the study.
  • The scope, context and research depth are clearly documented.
  • Findings are objectively scaled so that priorities become clear.
  • All tests performed and their findings are repeatable, making audits and compliance checks easier.

MIAUW is not just another standard for pen testing; it offers a holistic method that creates both technological and legal security.

Open-source as a basis for transparency and reliability

MIAUW is an open-source methodology, meaning anyone can access, use and improve the principles. This not only ensures broad support and transparency, but also avoids dependence on commercial parties who hide tests and results in a ‘black box’.

Open source is particularly effective in an ecosystem. At MIAUW, we forged a coalition of the willing from parties who liked the approach. That led to great partnerships and, above all, a lot of collaboration. After all, you don’t do something like this alone. Having many people shape it also makes MIAUW a cool community effort. For instance, a lot of work has also been done by Jeroen Diel, Mischa van Geelen, Maaike Hielkema, Hans van de Looy and Victor Pous.

The open nature of MIAUW allows companies and governments to:

  • Check the quality of research and reporting themselves.
  • Work with independent experts and auditors for validation.
  • Meet compliance requirements more easily, as the methodology is aligned with international standards.

MIAUW joins valuable, existing initiatives such as the CCV Pentest seal of approval, providing a standardised and reliable way to test and assess information security examinations.

Core technical principles of MIAUW

The methodology rests on a number of essential principles that ensure pentesting is not only technically thorough, but also holds up legally and under audit.

MIAUW ensures that all tests performed are documented and verifiable. This means that:

  • Each step of the test is substantiated with evidence (such as screenshots and logs).
  • An auditor can review the study without having to completely redo it.
  • It is clear who tested what, how and why.

This creates an audit trail that allows organisations to demonstrate to regulators that a test has been performed correctly and completely.

Reproducibility and comparison over time

MIAUW allows security teams to compare the status of a system at different points in time. This is crucial, as vulnerabilities are not always discovered immediately, but are sometimes only activated or exploited later.

  • The methodology records which tests were carried out and what the results were.
  • This allows an organisation to easily assess whether the security posture is improving or deteriorating.
  • This supports the principle of “continuous security monitoring”, as required under NIS2.

Policy-driven alerts with business rules

Not all vulnerabilities are equally important, and not every technical issue poses a business risk. MIAUW allows business rules to be applied to pen test results, so that notifications and reports are filtered based on what is relevant to the organisation.

  • Organisations can determine when alerts are generated and on what basis.
  • This avoids ‘noise’ from low-risk reports and focuses on what really matters.
  • Risks are placed in the right business context, allowing management and security teams to make more informed decisions.

MIAUW in practice: a better way of pen testing

MIAUW is already used in sectors where security and compliance are essential, such as government, healthcare and financial services. Through a combination of technical in-depth testing and auditing mechanisms, MIAUW ensures that:

✅ Information security research provides demonstrable assurance, rather than a subjective snapshot.
✅ Organisations can better fulfil their compliance and security responsibilities through reproducible results and clear audit trails.
✅ Pentest results are not dependent on one tester’s interpretation, but are reported and validated in a standardised way.

Otis as mascot of MIAUW

Since the acronym MIAUW brings to mind cats, it was only logical to have a cat as a mascot. That became Otis, Brenno de Winter’s gorgeous cat, naturally in a pose where he is meowing. As an Ocicat with character, Otis is inquisitive, friendly and social. Incidentally, he is a tad dominant and not afraid to let it be known that he wants or disapproves of something.

Why MIAUW is a game-changer in security

The development of MIAUW is a direct response to the growing demand for transparent, repeatable and auditable pen testing. By following this methodology, organisations can not only operate more securely, but also demonstrate to regulators, customers and internal stakeholders that their security policies meet the highest standards.

Want to know how MIAUW can help your organisation take security testing to the next level? Contact us to find out how this innovative methodology can contribute to a reliable and demonstrably secure digital environment.

Are you ready to professionalise your pentest strategy? We would be happy to help you.