Penetration tests (aka pentests) can be expensive! Depending on the complexity of your site or network they may range from $25-50k and sometimes go up to $100k! This is a guide for those looking to schedule their first pentest AND get the most return on investment from the money and time spent on an exercise like this. It comes out of experience from being on both sides of the fence.
Pentest ROI: Get Multiple SOWs
As with any 3rd party service, you want to get multiple proposals for the project. This is the “dating” phase of engaging with a third party company. Throughout this process, several things will surface for your consideration:
- Does the company show professionalism during this process?
- Are they timely in their responses and promises for delivery of proposals?
- Do you connect with the team on an interpersonal level?
- Do you like their writing and grammar in their proposals?
- Did they ask good scoping questions? Do you feel confident that they understand your environment well?
- Did they provide you with onboarding documentation or methodology documentation on how they’ll work with you?
With any vendor, however, you’re often dealing with the sales team, and the technical people you speak to during the sales process will likely not be the same people who do the actual penetration testing. Likewise, you may see lots of published whitepapers and talks from the company, but if the company is large, you probably will not get those folks assigned to you.
Pentest Team Assignment
Probably one of the MOST neglected areas when scoping any engagement with any company is knowing WHO is actually going to be working on your project. A company may have the best reputation in the world, but much of that reputation rests on the backs of senior researchers and consultants. As a company scales, not everyone can be the best all the time. This is especially the case with larger companies. Many small boutique firms can confidently say that everyone they employ is a rockstar, but that gets harder to sustain as the company grows. When first engaging a company, be sure to ask that senior resources are assigned to you. Then, when they schedule, here are some questions you can ask about each consultant:
- Name and recent work summary or resume
- LinkedIn Profile
- GitHub profile
- Blog or Website
Using some basic OSINT from some of the starting points above you should be able to discern whether this person is an intern (doesn’t mean they’re not good) or a senior person that has been with the company for many years.
Some questions to consider:
- Do they have experience testing your particular technology stack?
- Is your assigned pentest team comprised of only junior folks?
Note: Junior at a penetration test firm means less than one year at the company or of total pentesting experience, imho. Penetration testing consultants are exposed to a lot of environments in a short time frame, so they can become “senior” quickly.
Side Note: Why is experience important?
Experience is important for several reasons. Even if an individual has years of experience, they may not be particularly experienced at penetration testing itself. When you hire a consultant, besides technical skills, other soft skills come into play.
- They must know when to escalate when they are not getting what they need from the client. This will prevent burning hours waiting for critical documentation or access.
- They must know how to properly communicate. Sometimes junior staff lack the ability to present the problem properly or communicate a fix to a problem.
- They may have the soft skills (which is great), but maybe not the technical skills needed, especially if your project is a complicated or mature one. Professional penetration testing is always a time-boxed task, so consultants are under the gun to find critical issues. Less experienced people may still find issues, but usually not as fast as senior folks. There are ALWAYS exceptions though, and I have seen junior folks do exceptionally well, often surpassing senior people.
Get Your Team Ready for a Pentest
There is a lot of work needed on the client side as well to make a pentest successful.
Here is a checklist of items that will make the project a success:
Prepare an environment AS CLOSE AS POSSIBLE to your production environment
If there is a choice between a development environment that is not quite the same and a staging environment that is closer to prod, my personal opinion is to go with the staging environment. Even if changes are being made in staging, just let the testers know and keep them in the loop on the exact changes being made. Remember, attackers are knocking on your production environment anyway, so use an environment as close to production as possible to get the most value from your engagement.
Get your documentation updated
This needs no explanation. The more documentation the better. Documentation is GOLD to every security engineer, architect, auditor, and tester out there. We love documentation. The fewer questions we have to ask, the more time we can focus on testing and reviewing your environment and providing solutions.
Provision corporate user accounts, VPN, etc. ahead of time
One of the worst things you can do is make the vendor burn valuable hours waiting for your IT to provision equipment or accounts. Make this a priority. If the pentest starts on Monday, accounts should be provisioned and provided to the firm the week before. Things will go wrong: credentials may be incorrect or may not have been received, and IT may be super swamped that week. You want to allow time for all the onboarding kinks to be ironed out.
- GSuite or O365 Accounts (for secure access to your files)
- Confluence Access
- VPN (as needed)
Create a Slack or MS Teams channel
Chat is where it’s at. So if you use chat daily with your co-workers, it makes sense to provide chat access to the people who are going through your source code and hammering away at your environment. Time is money in a penetration test, so giving them instant access to you and your team will save both sides a lot of time when questions come up. Of course, create a single-channel Slack to limit their access and invite your team leads to it as necessary.
Be Available – Clear or Update Calendars
A penetration test is an intense undertaking, and depending on the level of security maturity in your environment, a lot of issues may arise. Be ready, and have your team prepared to triage any bugs discovered or answer questions from the pentesters. You may have awesome security, in which case it will just be business as usual for your team.
Pentest ROI: Conclusion
A lot of companies think scheduling a pentest is like scheduling a dental appointment, where you just show up and the work is done. As you can see, it’s not that simple. For all the money spent on a pentest, and the expectations that go with it, it pays to do some preparation, especially if it’s your first. A good pentest company will have a complete onboarding checklist and make all of the above as painless as possible, but that’s not always the case, and even the best companies are run by humans… so YMMV.
I hope this guide has been helpful to you. While I do not conduct penetration tests myself, I do help coordinate, scope, and manage pentests as a vCISO. I also run Enterprise Security Gap Assessments as a precursor to a pentest.