While penetration testing can be considered “adversarial” testing, it should be anything but that. Your penetration test, no matter who you do it with, should be a partnership. In every partnership, communication is key. Settling for a pentest company that merely communicates its start and end date and then provides a report at the end isn’t enough. The pentest partnership should be more.

Communication Throughout

We are here to provide our qualified determinations about vulnerabilities in the client environment. While the typical standard is a report at the end, we can offer more value to our clients by keeping an open line of communication throughout our engagement together. 

There is considerable benefit in looping a customer in when something critical has been found, so they can see how the vector was found, how it was exploited, and the real-time outcome it presents. It’s one thing to show an MFA bypass in a few screenshots. It’s something completely different for you to hop on a Google Hangout or Zoom with the front-end developer and walk them through the steps in real time.

Considerations

There are some considerations here. Time is one. The more we must stop during testing to have a meeting, the less time we can dedicate to testing. In the end, what we provide is a contractual service, and customers want exceptional value.

In the 30 minutes to an hour our team has set aside to show the real-world impact of the vulnerability on their infrastructure, we might have found something else. However, there is value in developers, administrators, and points of contact seeing these things happen in real time, in their production environments, on their servers. It provides insight and can help to improve upline communication with CISOs, ISOs, and boards of directors considering the need for continued security testing.

What you can expect from TCM Security

Every client engagement we provide security testing for (since Q4 2022) includes inviting each client and members of their team to a dedicated, private Slack channel. We communicate findings with clients, provide additional information and insight about critical issues, and provide opportunities to sit with us while we show how their infrastructure was exploited.

In the end, this IS a partnership. As security experts, we must provide you with a functional understanding of how best to secure your infrastructure. Doing that alongside our team in real time will provide you with the insight you need to set your organization apart from others in your silo.

Heath Adams

About the Author

Heath Adams, also known as “The Cyber Mentor,” is the CEO of TCM Security. While Heath is an ethical hacker by trade, he also loves to teach! Heath has taught courses to over 1,000,000 students on multiple platforms, including TCM Academy, Udemy, YouTube, Twitch, and INE.

Heath has held many certifications, including CISSP, PNPT, QSA, GSNA, OSCP, ECPTX, and eWPT. He also holds an MBA degree.

Finally, Heath is also a husband, animal dad, tinkerer, and military veteran.

About TCM Security

TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.

Pentest Services: https://tcmdev.tcmsecurity.com/our-services/

Contact Us: sales@tcm-sec.com