Something you’ve likely already encountered on your penetration testing service quotes is the inclusion of a re-test, either bundled in or offered as an add-on. Some organizations use it as a differentiator by including it in their quotes, while others offer it simply as an add-on. You should determine whether a re-test is right for your organization and, if so, which style to choose.


What’s a Re-test?

A re-test is a follow-up assessment in which the findings are revisited to determine whether they have been fully remediated. Traditionally this occurs after a specified period, usually up to 60-90 days after the findings report has been delivered. However, there can be different caveats to what is re-tested. Most often, either all findings or only critical/high-risk findings are re-tested. It’s important to make this distinction before you agree to the terms, so be sure to fully understand what the re-test encompasses.


Is a Re-test Right for Me?

As with most things in security, there is no one-size-fits-all answer, but it is best practice to perform re-tests. If you have a tight budget, the following may help with the decision. If this is one of your first penetration tests, you’ll likely have many findings, and a re-test will give you more bang for your buck than it would a more mature security program. Additionally, if you are testing for compliance purposes, or are hesitant to provide a findings report with a bad score to senior leadership, a re-test will allow you to hand over a much cleaner report with the issues resolved.


Benefits of a Re-test

  • It ensures you fully corrected the issues discovered on your penetration test.
  • Re-tests are considerably less expensive than performing the entire assessment again.
  • The time limit typically gets issues resolved quickly that might otherwise have dragged out.
  • It provides a cleaner report to senior leadership with issues resolved when they are shared.


Cons of a Re-test

  • Can make comparing quotes from different penetration testing organizations more difficult.
  • It can sometimes cause resourcing constraints with issues needing to be remediated quickly.
  • You’ll need to understand exactly what is in scope on a re-test before agreeing.


Conclusion

Re-tests don’t have to be complicated, and they don’t need to cost you an arm and a leg either. Discuss the parameters of the re-test with your penetration testing service provider and ensure it covers exactly what you require. If you have any questions or would like to further discuss re-test options, contact us.

About the Author: Heath Adams

Heath Adams, also known as “The Cyber Mentor,” is the CEO of TCM Security. While Heath is an ethical hacker by trade, he also loves to teach! Heath has taught courses to over 1,000,000 students on multiple platforms, including TCM Academy, Udemy, YouTube, Twitch, and INE.

Heath has held many certifications, including CISSP, PNPT, QSA, GSNA, OSCP, ECPTX, and eWPT. He also holds an MBA degree.

Finally, Heath is also a husband, animal dad, tinkerer, and military veteran.

About TCM Security

TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
