Whether you’re conducting your organization’s very first penetration test or are simply getting your assets in order, it’s smart to understand everything that goes into preparing for the engagement.
After all, with an ever-growing threat landscape and more and more remote employees, never has penetration testing been more important.
Proper preparation helps to ensure you get the most out of your test, including powerful results to make the mitigations you need. Before starting the engagement, be sure that you:
1. Understand the types of penetration testing and choose the best for you.
A pentest is a pentest, right? Well, not exactly. There are six types of penetration tests, all focused on different facets of your security, including:
- External network pentesting
- Internal network pentesting
- Social engineering pentesting
- Physical pentesting
- Wireless pentesting
- Application pentesting
There are also Red Team engagements, which are designed for companies with advanced security postures — who have already conducted a few different pentests listed above and are ready to put their security improvements to the test of senior, top-dog pentesters.
Learn more about the six main kinds of penetration tests — as well as what differentiates each from a Red Team assessment— to confirm which type of test you’d like to run.
2. Define the scope of your penetration testing.
Even after you choose which type of pentest makes the most sense, you still have the task of defining the parameters of the engagement. For instance, if you’re running an application pentest, what app are you focusing on? Are there certain functions of the app you’re testing, like its checkout security features, or any parts that are off-limits?
It’s best to connect internally over the extent of your engagement. While a pentesting company can help you define and refine the scope, before contacting a pentester, it helps to come to the table with some ideas of your own.
3. Know your pricing expectations.
Pricing for penetration tests can vary depending on a few important factors, including:
- The type of test
- The size and complexity of your company
- The extent of the scope
- The experience and notoriety of the pentesters you hire
It’s important to understand that penetration testing doesn’t have a one-size-fits-all price tag. A web application penetration test for a small start-up company may only run around $25,000. However, a web application penetration test for a large company with two extensive web applications could be closer to $140,000.
Read What Should You Budget for a Penetration Test? The True Cost for an in-depth look at what factors influence the price.
4. Consider the answers to big questions, like...
When it comes to pentests, our team gets a lot of questions:
- How should we address the test with our team? Should we tell employees we are conducting security checks? This will depend on the type of pentest you choose and to what extent the scope may disrupt operations. For instance, many exclude DDoS attacks so operations can function as normal. As another example, during a social engineering pentest, you wouldn’t want to warn employees they may get phishing emails! A professional penetration testing company can help advise on the best approach for handling internal affairs.
- How long should we expect the test to last? The average pentest lasts 2.5-4 weeks, however, this is once again indicative of your company’s unique scope and agreed-upon timeline.
- How will we be kept updated during the test? Every pentesting company handles this communication differently. Here at Mitnick, our team is available 24/7 with questions and is available for ongoing communication with the persons privy to the assessment, on a need-to-know basis.
5. Understand what happens during a pentest and what you’ll get at the end.
Most pentesters start the engagement by allocating time for open-source intelligence (OSINT) research. Different companies spend longer in this pre-attack phase than others, so a few days may go by before any breaches are even attempted. Once attack plans are established, the pentesters strike simultaneously, usually in small teams focused on their own attack vectors. The goal of a pentest is to find as many security gaps as possible, exploit them and access each vulnerability’s risk level— so the pentesters are after as many ways in as possible.
After the pentest, you should receive a report of the findings. The anatomy of a pentesting report will vary greatly depending on the pentesting company that constructs it, but most contain, at minimum, an executive summary, a breakdown of what happened throughout the attack and recommendations for mitigating the risks.
6. Choose the right pentesters.
Despite all your best efforts to lay the foundation for a successful penetration test, the results are directly correlated with the talent of your pentesters.
The skills and experience, culture and collaboration and communication of your pentesting team can really make or break the true value of the engagement and its results.
See Our Results
Here at Mitnick Security, our pentesters work with multi-million dollar clients, and our results truly speak for themselves within the cybersecurity community.
Learn more about how we helped the online surf website, World Surf League, by reading the case study on their pentest.