FAQ

  • "We are just beginning our cyber security journey, what is penetration testing?"

    Penetration testing is a type of information security assessment that analyzes your organization’s security posture from the perspective of a malicious user. During the assessment our delivery consultants identify and attempt to exploit vulnerabilities and attack paths, with the ultimate goal of demonstrating how a motivated malicious user could attack your organization. Final deliverables for this kind of service include a detailed report containing an introduction, an executive summary, tactical and strategic remediation recommendations, assessment narratives, and technical finding details. Each finding includes evidence to reproduce it, a qualitative and quantitative risk rating, a list of affected systems, and a remediation recommendation to reduce or eliminate the associated risk. Penetration assessments differ greatly from vulnerability assessments: vulnerability assessments are typically purely automated and usually find only obvious vulnerabilities, often called low-hanging fruit. Furthermore, vulnerability assessments typically find only 40% to 50% of an organization’s actual vulnerabilities, and this depends heavily on how well the vulnerability scanning tool is configured. Penetration assessments, on the other hand, include manual testing and exploitation. This is the primary difference between a penetration assessment and a vulnerability assessment. Manual testing, though slower to perform, often allows a penetration tester to uncover vulnerabilities that an automated vulnerability assessment wouldn’t, and helps uncover chained exploitation across several vulnerabilities to demonstrate a more accurate or impactful risk exposure to your organization.

  • "How long does a typical penetration assessment take?"

    The length of a penetration assessment depends heavily on several factors, including the type of assessment, its scope, any specific requirements we need to incorporate, and the reasonable level of effort needed to complete it. Internal and external penetration assessments typically last around two (2) to three (3) weeks each, and this includes active testing, report generation, and quality checks prior to delivery. Application penetration testing for web applications, APIs, desktop applications, or mobile applications can, at times, take three (3) to four (4) weeks per assessment depending upon the size and complexity of the application and the number of user roles being tested. These assessments also require a more manual testing approach to ensure thoroughness and delivery quality, which adds effort. Reports for these assessments are often larger than those for internal and external network penetration assessments due to the larger number of controls and best practices assessed. Each assessment effort is custom scoped to ensure our delivery team has sufficient time for testing and reporting activities, in order to meet our strict delivery quality standards and to provide your organization with high-value results. With that said, we often time-box internal and external penetration assessments to a maximum of two (2) weeks of effort per assessment, followed by up to one (1) week of quality assurance review of deliverables, unless your organization requires, and requests, a larger assessment effort. In that case, we will communicate the level of effort needed to align with your organization’s requirements and are more than happy to customize the assessment effort and scope accordingly.

  • "We don't want to wait for the report if there are critical risks identified. Can you communicate those earlier?"

    Absolutely. We take our assessments, and your organization’s requirements, seriously. If during an assessment we identify a vulnerability, or several vulnerabilities, successfully demonstrate exploitation, and obtain access to systems or data, we will examine how much additional access can be obtained and determine whether a high or critical risk rating is warranted. In such a case, we will generate a quick, but detailed, technical findings report that includes the necessary evidence of how our delivery team discovered and successfully exploited each vulnerability to obtain the access achieved. Once generated, we follow mutually agreed upon escalation procedures to alert the personnel at your organization designated as escalation points of contact. With that said, we also draw on our knowledge of your organization at the time of the assessment, our understanding of what your organization considers critical assets, infrastructure, or data, and our extensive experience performing security assessments, to meticulously determine whether a high or critical risk is actually warranted for a particular finding. We put forth a reasonable effort to avoid escalating findings unnecessarily and to avoid inflating the risk rating assigned to each finding.

  • "Wow! Your team found a lot of issues in our environment. What do we do now?"

    We understand that if your organization has never had an assessment, the results of your first engagement can be overwhelming and rather eye-opening. Rest assured that we are here to help and want to be your trusted advisor and trusted information security partner. We are more than happy to continue conversations after the conclusion of an engagement to address any questions or concerns. Remediation recommendations in our reports, while aligned with industry best practices, may not always work for every organization. That’s why we are more than happy to continue conversations to discuss alternative mitigations or remediation options to help your organization reduce risk. We also offer follow-up remediation validation support testing as an optional service if you’d like us to validate your organization’s remediation efforts. This benefits your organization in the following ways. One, you’ll receive an updated report reflecting the outcome of your organization’s remediation efforts, along with additional evidence showing how we performed the remediation validation support testing. Two, the updated deliverables will help your organization communicate to its customers just how seriously you take information security, offering them peace of mind for choosing to utilize your organization’s services. Finally, the effort needed to perform this testing is often minimal compared to the effort to perform an entire assessment. This helps keep the overall cost of this optional service down while simultaneously providing bigger gains to your organization in terms of risk reduction or elimination.

  • "We want this engagement to go smoothly. What can we do to prepare for a penetration assessment?"

    This is a great question and we love helping organizations prepare. Proactive preparedness increases the value your organization will get out of a penetration assessment. Here are some simple steps your organization can take to prepare for an assessment.

    1. Designate two (2) or more individuals to serve as technical points of contact. These individuals will also serve as technical escalation points during the assessment and will be responsible for handling technical questions and technical troubleshooting before and during the engagement.

    2. Designate personnel to serve as sponsor points of contact. These individuals will receive pertinent engagement communications (weekly status updates, report delivery, etc.) but will not receive technical communications during the engagement, nor will they be included in escalation communications unless otherwise requested.

    3. Ensure all requested information is provided to us well ahead of the scheduled start date for the assessment.

    4. Ensure the list of all systems, services, URLs, applications, etc. considered out of scope for testing is delivered to us ahead of the scheduled start date.

    5. For Internal Penetration Assessments, ensure remote testing devices are installed at least two (2) weeks before the start of the assessment and dedicate a technical point of contact to serve as the liaison for troubleshooting and testing connectivity.

    6. For Application Penetration Assessments, ensure the environment being tested is production-like, all user accounts and credentials are provisioned, all accounts have the correct application roles assigned, and that those are provided to us before the assessment begins so that we can verify access.

    7. For any assessment where we require allow listing, please dedicate the personnel resources to perform the allow listing using our provided source IP address information at least one (1) to two (2) weeks before the assessment is scheduled to begin. This will ensure we can test and troubleshoot any access challenges before the assessment starts.

    8. Communicate any rescheduling needs as early as feasible to avoid a rescheduling fee according to our terms of service.

    The earlier your organization can provide us with the pertinent information we request for each assessment, the better. Engagements are often derailed or delayed because the organization being tested hasn’t effectively prepared for the assessment or gathered the information we need to begin. The less disruption to the start of the assessment, the better. With that said, we understand that sometimes incidents occur prior to an engagement that require your team’s full attention. In those situations, we would rather give you more time to address that incident than try to rush the start of the engagement. The more communicative your organization is, the smoother the engagement will go.

  • "Do we need to allow list your source IP addresses?"

    The short answer is yes. Penetration testing is often time-boxed and focused on evaluating the security of the information systems in your environment. Your organization can request, during the scoping and discovery discussions, that our delivery team attempt to bypass shunning controls and incident response controls, and we will gladly add the additional effort (often measured in weeks) to the engagement. Otherwise, during a penetration assessment, our delivery team attacks your organization’s systems and services directly and is not trying to test the effectiveness of your shunning capabilities or incident response controls. In order to maintain this testing perspective, we require your organization to allow list our delivery team’s source IP addresses on systems with active shunning capabilities or incident response functionality. This doesn’t necessarily mean you’ll need to provision firewall rules to grant access; we just ask that incident response controls don’t prevent our delivery teams from testing the in-scope information systems. This allows the delivery team to test efficiently, and thus keeps the cost of services reasonable. Bypassing security controls with shunning capabilities can take weeks to months of testing effort in and of itself, in addition to the effort it would then take to perform a penetration assessment against your organization’s information systems once we bypass the incident response controls. If your organization uses systems with Web Application Firewall capabilities, Intrusion Detection and Intrusion Prevention, next-gen firewalls with active shunning capabilities, or utilizes a Security Operations Center (SOC) capable of isolating systems in the environment, we generally would like to know that during the scoping and discovery call so we can include that information in our risk assessment for each finding, and request allow listing. However, testing the effectiveness of those controls is out of scope for penetration assessments by default, and we require allow listing before the start of any penetration assessment. If your organization wants us to test the effectiveness of those controls, we are more than happy to scope an engagement to do so. This type of engagement would represent an adversary emulation engagement more than a traditional penetration assessment. Furthermore, during our scoping and discovery discussions, we always ask if there is a regulatory compliance motivation for any given penetration assessment. Requirements such as those outlined in the Payment Card Industry Data Security Standard (PCI DSS) require unfettered access for penetration assessments and, more specifically, require allow listing. Failure to do so often means the penetration assessment results will be discarded during an audit and the organization will be required to perform the assessment again. As a penetration assessment service provider, we are also required to document within the penetration assessment report whether or not we were allow listed.