How to Schedule a Penetration Test Like a BOSS
Penetration tests (aka pentests) can be expensive! Depending on the complexity of your site or network, they may range from $25 or, sometimes, all the way up to $100k! This is a guide for those looking to schedule their first pentest AND get the most return on investment spent on an exercise like this. This is based on experience from being on both sides of the fence!
Table of Contents
Pentest ROI: Get Multiple SOWs
As with any 3rd party service, you want to get multiple proposals for the project. This is the “dating” phase of engaging with a third party company. Throughout this process, many items will come to fruition for consideration:
- Does the company show professionalism during this process?
- Are they timely in their responses and promises for delivery of proposals?
- Do you connect with the team on an interpersonal level?
- Do you like their writing and grammar in their proposals?
- Did they ask good scoping questions? Do you feel confident that they understand your environment well?
- Did they provide you onboarding documentation or methodology documentation on how they’ll work with you?
However, with any vendor, you’re often dealing with the sales team and the technical people. But the technical people you are speaking to during that process might not be the same people who will be doing the actual penetration testing. Likewise, you may see lots of published whitepapers and talks from the company, but you probably will not be getting those folks assigned to you if the company is large.
Pentest Team Assignment
One of the MOST neglected areas when scoping any engagement with any company is knowing who will actually be working on your project. A company may have the best reputation in the world, but much of this is on the backs of senior researchers and consultants. As with any economy of scale, not everyone can be the best all the time. This is especially the case with larger companies. Many small boutique firms can confidently say that everyone they employ is a rockstar, but that gets hard to be the case as the company grows. When first engaging a company, be sure to ask that senior resources are assigned to you. Then, when they schedule, here are some questions you can ask about each consultant:
- Name and recent work summary or resume
- LinkedIn Profile
- GitHub profile
- Blog or Website
Using some basic OSINT from some of the starting points above, you should be able to discern whether this person is an intern (doesn’t mean they’re not good) or a senior person that has been with the company for many years.
Here are some other questions to consider:
- Do they have experience testing your particular technology stack?
- Is your assigned pentest team comprised of only junior folks?
Note: A junior at a penetration test firm is anyone who has spent less than a year at the company or has had about that much time total pentesting experience. Penetration testing consultants are exposed to a lot of environments in a short time frame, so they can become “senior” quickly.
Side Note: Why is experience important?
Experience is important for several reasons. Even if an individual is experienced for several years, they may not be particularly experienced at penetration testing itself. When you hire a consultant, besides technical skills, other soft skills come into play.
- They must know when to escalate when they are not getting what they need from the client. This will prevent burning hours waiting for critical documentation or access.
- They must know how to communicate properly. Sometimes, junior staff lacks the ability to properly present the problem or communicate a fix to a problem.
- They may have the soft skills (which is great), but maybe not the technical skills needed, especially if your project is a complicated or mature one. Professional penetration testing is always a time-boxed task, so consultants are under the gun to find critical issues. Less experienced people may still encounter bugs, but usually not as fast as senior folks. Though, there are always exceptions. I have seen junior folks do exceptionally well, often surpassing seniors.
Get Your Team Ready for a Pentest
There is a lot of work involved needed from the client side as well to make a pentest successful.
Here is a checklist of items that will make the project a success:
Prepare an environment AS CLOSE AS POSSIBLE to your production environment
If there is a choice between a development environment that is not quite the same vs. a staging environment closer to prod, my personal opinion is to go with the staging environment. Even if changes are being done in staging, just let them know and keep them in the loop on the exact changes being made. Remember: attackers are knocking on your production environment anyway, so use an environment close to production to get the most value from your engagement.
Get your documentation updated
This needs no explanation: the more documentation, the better. Documentation is GOLD to every security engineer, architect, auditor, or tester out there. We love documentation. The fewer questions we have to ask, the more we can focus our time on testing and reviewing your environment and providing solutions.
Provision ahead of time
One of the worst things you can do is make the vendor burn valuable hours waiting for your IT to provide equipment or accounts. Make this a priority. If the pentest starts on Monday, accounts should be provisioned and provided to the firm the week before. Things can go wrong. Credentials may be incorrect or may not have been received. IT may be super swamped that week. You want to allow time for all the onboarding kinks to iron out.
Here are some credentials you may want to provide:
- GSuite or O365 Accounts (for secure access to your files)
- Confluence Access
- VPN (as needed)
Create a Slack or MS Teams channel
Chat is where it’s at. If you use chat daily with your co-workers, it makes sense to provide chat access for them. After all, these people are going through your source code and hammering away at your environment. Time is money in a penetration test, so giving them instant access to you and your team will save you and them a lot of time when questions come up. Of course, create a single-channel slack to limit their access and invite your team leads to it as necessary.
Be available: clear or update calendars
A penetration test is intense, and depending on the level of security maturity in your environment, a lot of issues may arise. Be ready and have your team prepared to triage any bugs discovered or answer questions for the pentesters. It might be the case that you have awesome security and it will be just business as usual for your team. However, it’s better to be safe than sorry.
Many companies think getting a pentest is like scheduling a dental appointment: you just show up and it’s done. As you can see, it’s not that simple. For all the money and the expectations with a pentest, it pays to be prepared, especially if it’s your first. A good pentest company will have a complete onboarding checklist and make all of the above as painless as possible. However, that’s not always the case, and humans run even the best companies… so your mileage may vary.
I hope this guide has been helpful to you. While I do not conduct penetration tests myself, I do help coordinate, scope, and manage pentest s a vCISO. I also provide Enterprise Security Gap Assessments as a precursor to a pentest.
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.