
3 Tips on How to Get the Most Out of a Penetration Test

Posted: June 30, 2014

We hope that this post helps you get the most out of your next penetration test.

1) Refine and Communicate the Purpose

Why are you doing the penetration test? Is it to meet a specific compliance requirement, or is it to test your security and determine risk? If it is both, you will likely have to prioritize one over the other.

Write out your primary goal, and then break it down into at least 3 sub-goals.

For example, if the primary reason you are getting the pen test done is to check a box for PCI compliance, you might as well define some additional goals to get maximum value out of the testing process. Some other goals you might want to communicate to the pen testing team could be:

Communicate your goals and purpose to the penetration test team, and determine exactly what you want to get out of the process. As pen testers, we want to give you exactly what you want, and we can only do that if we know what it is. This communication can greatly improve your satisfaction with the overall process.

2) Prepare Technical Staff and Management in Advance

Properly set the expectations of both management and technical staff members in advance.

Management needs to know:

Technical staff needs to know:

3) Define Your Desired Outcome

Determining what you want and need in the report is very important. Do you want something specific? Do you need certain portions of your network split into separate appendices? Do you need a summary table of findings? Do you need findings mapped to security controls? Do you need multiple briefings for different audiences?

Request a copy of our report format and review it in advance. If you do not like something about the report, or want something added, no problem: just let us know. We want to give you exactly what you want. This also ties back to our first point: if certain goals are known from the beginning, they can be addressed clearly in the report. That helps the pen test team give more focused advice on how to solve the issues related to your goals, which may differ from fixing the individual vulnerabilities themselves.