Whether you’re conducting your organization’s very first penetration test or are simply getting your assets in order, it’s smart to understand everything that goes into preparing for the engagement.
After all, with an ever-growing threat landscape and more and more remote employees, never has penetration testing been more important.
Proper preparation helps to ensure you get the most out of your test, including powerful results to make the mitigations you need. Before starting the engagement, be sure that you:
A pentest is a pentest, right? Well, not exactly. There are six types of penetration tests, all focused on different facets of your security, including:
There are also Red Team engagements, which are designed for companies with advanced security postures, meaning those that have already conducted a few of the pentests listed above and are ready to put their security improvements to the test against senior, top-dog pentesters.
Learn more about the six main kinds of penetration tests, as well as what differentiates each from a Red Team assessment, to confirm which type of test you’d like to run.
Even after you choose which type of pentest makes the most sense, you still have the task of defining the parameters of the engagement. For instance, if you’re running an application pentest, what app are you focusing on? Are there certain functions of the app you’re testing, like its checkout security features, or any parts that are off-limits?
It’s best to connect internally over the extent of your engagement. While a pentesting company can help you define and refine the scope, before contacting a pentester, it helps to come to the table with some ideas of your own.
Learn more about defining the scope for your pentest here.
Pricing for penetration tests can vary depending on a few important factors, including:
It’s important to understand that penetration testing doesn’t have a one-size-fits-all price tag. A web application penetration test for a small start-up company may only run around $25,000. However, a web application penetration test for a large company with two extensive web applications could be closer to $140,000.
Read "What Should You Budget for a Penetration Test? The True Cost" for an in-depth look at what factors influence the price.
When it comes to pentests, our team gets a lot of questions:
Most pentesters start the engagement by allocating time for open-source intelligence (OSINT) research. Some companies spend longer in this pre-attack phase than others, so a few days may go by before any breach is even attempted. Once attack plans are established, the pentesters strike simultaneously, usually in small teams, each focused on its own attack vector. The goal of a pentest is to find as many security gaps as possible, exploit them and assess each vulnerability’s risk level, so the pentesters are after as many ways in as possible.
After the pentest, you should receive a report of the findings. The anatomy of a pentesting report will vary greatly depending on the pentesting company that constructs it, but most contain, at minimum, an executive summary, a breakdown of what happened throughout the attack and recommendations for mitigating the risks.
Explore what’s typically included in a pentesting report here.
Despite all your best efforts to lay the foundation for a successful penetration test, the results are directly correlated with the talent of your pentesters.
The skills and experience, culture, collaboration and communication of your pentesting team can make or break the true value of the engagement and its results.
Here at Mitnick Security, our pentesters work with multi-million dollar clients, and our results truly speak for themselves within the cybersecurity community.
Learn more about how we helped the online surf website, World Surf League, by reading the case study on their pentest.