Penetration Testing Services

The Top Five Criteria for Selecting Your Pen Testing Vendor


JULY 2024

The ROI on Pen Testing varies widely depending on the vendor you choose. Here are some tips for making a smart choice.

Who performs your offensive security testing? In-house resources, external service providers or both?


The Ponemon Institute's 2023 State of Offensive Security Report surveyed 664 IT and security practitioners in organizations that perform offensive security testing. Here's what they said and why it matters.


"Organizations select third parties for their offensive security testing based on their effectiveness, customization of engagements, and quality of deliverables."

Entrusting live penetration testing services to the wrong vendor can, at best, waste resources and, at worst, leave you more exposed than when you started. Select a penetration tester carefully. According to the Ponemon report, the five most important criteria when engaging offensive security vendors are:

1. Effectiveness of Services

2. Customized Engagements

3. Quality of Reports

4. Methodology

5. Ability to Deliver Quickly


How to Assess Effectiveness of Penetration Testing Services


It sometimes seems that everybody who has an interest in cyber security wants to be a penetration tester. The truth is that not everybody has the mindset for it, and even fewer have the skills. It requires a particular approach to problem-solving, comprehensive domain expertise as a penetration tester, and a thorough understanding of the technologies and solutions in play in the environment you are testing.

The obvious approach is to look for qualifications. But even these are a mixed bag. Certified Ethical Hacker (CEH) is a popular entry-level certificate. There is nothing wrong with it, but entry-level is not what you should be looking for. The OSCP exam, long considered the gold standard for hackers, has been held up as the minimum you should be looking for. However, though it is a challenging exam to pass and can serve as a mandatory minimum expression of competence, it is still not enough to assure you that you will get the service you need.

So how to judge? I suggest you look for two things – a sample report and references. Does the report look like a reformatted vulnerability scan? Can you talk to previous clients who advocate for the work? Unfortunately, no exam will tell you that you are hiring the right team – so you will need to do your due diligence.


Business Focused Report


The report you get from your test team needs to achieve many things. First, it needs to give the technical team responsible for remediation enough insight so that they can fix any problems discovered. It needs to walk you through the entire testing engagement so that you understand what the testers did, what worked, and what didn't. But more than that, it needs to give you sufficient insight into the threats and vulnerabilities to assess risk and make business decisions about what to fix and when.


Risk-Based Methodology


A penetration testing company will often roll out its usual offering when they start a test. It's packaged, perhaps semi (or even fully!) automated, targeted to the scope you asked for, and comprises all the usual tests. This is not how attackers work. They survey your attack surface and then head towards the low-hanging fruit – the places they can most easily break in.

From your perspective, these more accessible routes are the highest risk vectors. You need a penetration tester that appreciates that you are not interested in how cool their tools are. You want to keep the bad guys out. Your hired hackers need to be more interested in your business than their tools. So, when you interview them, ensure they are articulating a business focus and have a methodology that identifies and attacks your highest risks. Otherwise – what's the point?


Why an Attack Surface Analysis Should Occur Before Pen Testing


A penetration test is a great way to identify and assess vulnerabilities. A pen test uses creative, blended attacks, like those of real-world adversaries, to find weaknesses in the systems under test. However, the testers can only see weaknesses in the places they look; this is called the test's scope. The organization determines the scope, but it is often a smaller attack surface than the one that attackers can find. Better to have your surface discovered first by an Attack Surface Analysis than by an attacker.

An organization's test scope quickly becomes outdated as its attack surface evolves. Risk is continuous. Even the most mature organizations face constant changes in cybersecurity risks. Organizations should begin with an Attack Surface Analysis (ASA) to get the most out of a pen test. An ASA will identify the attack surface and update its technical and business risks.


Actionable Remediation Plan


It's all well and good getting a penetration test report back that shows how clever the pen testers were and how they exploited all the vulnerabilities and broke in left and right. But it's not that helpful if it doesn't give you the information you need to fix the problems. A good report will tell you, for each issue, what was found, how it was found, how it was exploited, why it's a problem, and the recommended remediation.

Though a read-out call with the testers can be invaluable to getting the back story and context of any exploits, the report should be able to stand alone in conveying the information needed for the client to make business decisions and perform the remediation.


Get Started Today


Ready to get started? Contact Truvantis to schedule an Attack Surface Analysis before scoping your next pen test.

Truvantis is a cybersecurity, compliance and privacy consulting organization with comprehensive experience in implementing, testing, auditing, and operating cybersecurity and information privacy programs. In addition to cybersecurity, compliance and privacy services, we offer cybersecurity training courses and certifications. We are also a PCI DSS Qualified Security Assessor (QSA).

We specialize in helping our clients improve their cyber governance posture through practical, effective, and actionable programs—balancing security, technology, business impact, and organizational risk tolerance.

Ready to move forward?

Contact Truvantis to speak with an expert about your penetration testing service requirements.
