While penetration testing can be considered “adversarial” testing, it should be anything but that. Your penetration test, no matter who you do it with, should be a partnership. In every partnership, communication is key. Settling for a pentest company that merely communicates its start and end date and then provides a report at the end isn’t enough. The pentest partnership should be more.
We are here to provide our qualified determinations about vulnerabilities in the client environment. While the typical standard is a report at the end, we can offer more value to our clients by keeping an open line of communication throughout our engagement together.
There is considerable benefit in looping a customer in when something critical has been found, so they can see how the vector was found, how it was exploited, and the real-time outcome it presents. It’s one thing to show an MFA bypass in a few screenshots. It’s something completely different for you to hop on a Google Hangout or Zoom with the front-end developer and walk them through the steps in real time.
There are some considerations here, time being one. The more we must stop during testing to have a meeting, the less time we can dedicate to testing. In the end, what we provide is a contractual service, and customers want exceptional value.
In the 30 minutes to an hour our team has set aside to show the real-world impact of the vulnerability on their infrastructure, we may find something else. However, the value of developers, administrators, and points of contact seeing these things happen in real time, in their production environments, on their servers, will help provide insight and can help to improve upline communication with CISOs, ISOs, and boards of directors considering the need for continued security testing.
What you can expect from TCM Security
Every client engagement we provide security testing for (since Q4 2022) includes inviting each client and members of their team to a dedicated, private Slack channel. We communicate findings with clients, provide additional information and insight about critical issues, and provide opportunities to sit with us while we show how their infrastructure was exploited.
In the end, this IS a partnership. As security experts, we must provide you with a functional understanding of how best to secure your infrastructure. Doing that alongside our team in real time will provide you with the insight you need to set your organization apart from others in your silo.