Pen Testing Strategy Guide: Setting Goals with Your Security Provider
Maybe it’s time for your yearly pen test. Or, maybe you’re building up your very own internal pen test team. Navigating this journey can be challenging, but we’re committed to making it easy for you. Fortunately, we bring a wealth of insight from our “other side of the table” perspective. This multipart series will prepare you for concerns on both sides of the table, so you can be certain you’re ready for your next engagement.
Your Goals
In business, every project starts with requirements. Before starting conversations with providers, we’d recommend having requirements hammered out. Doing this will help save everyone’s time and, more importantly, help align you with the correct team. To help determine these goals, let’s walk through a few questions you should be asking your team:
Are You Supporting Compliance or General Security?
Most pen tests are conducted for compliance reasons. If this is the case for you, we’d recommend familiarizing yourself with the requirements specific to your framework. For example, one framework may require a basic vulnerability scan, while another may require a more complicated pen test. As of this writing, here are some frameworks that strictly require a separate pen test or red team assessment:
- FedRAMP
- Payment Card Industry Data Security Standard (PCI DSS)
- DORA
- Health Insurance Portability and Accountability Act (HIPAA)
Other frameworks may not outright require a pen test, but could have specific controls (such as vulnerability management) that may be satisfied via a pen test.
Do You Need a Vulnerability Scan, Pen Test or Red Team Assessment?
Each of these services can be easily confused. Let’s look at what each of these are, and why you’d choose one over another:
| Test Type | Work Performed |
| --- | --- |
| Vulnerability Scan | An automated test checking for publicly known vulnerabilities against hosts. |
| Pen Test | A manual test, performed by a human, of known and unknown vulnerabilities, in addition to exploitation of said vulnerabilities (which may also include a form of vulnerability scan). |
| Red Team Assessment | An unannounced manual test, performed by a human, against an entire organization (which may also include components of pen testing and vulnerability scans). |
What Tests Are Required?
If you are interested in a vulnerability scan or red team assessment, feel free to skip this section.
If you approach a provider and ask “I need a pen test!”, the inevitable follow-up question will always be: “What type of test do you need?” Which tests you need should be clarified by your compliance team and/or senior cybersecurity management. To help narrow things down, here is a list of common forms of pen tests:
- External Network
- Internal Network
- Web Application
- API
- Mobile Application
- Client-side / Thick-Client Application
- Network Segmentation
- Phishing / Vishing / Smishing
- Cloud
- Physical
- Hardware & IoT
- Wireless
What Is Your Scope?
The scope of an engagement decides what hosts, domains, products, and test types are required. Therefore, the larger the scope, the more effort is required to complete the test. By having a pre-determined scope, you’ll be ready to discuss what level of resources are required. You’ll also be able to avoid potential frustration or fees.
How Soon Do You Need It Done?
Depending on your provider, they may schedule tests as far out as a year. Some may have availability as soon as next week! If you know you have an upcoming pen test – schedule and sign a contract as soon as reasonably possible to ensure your deadlines are met. Note that there may also be other intricacies outside of your department which could impact timing.
Do You Have Residency, Contractual, or Background Requirements for the Testers?
It’s not uncommon for providers to outsource their testing. Keep this in mind, as some organizations require testers to reside within a specific country. Other times, testers must be onboarded as contractors. It’s also not unusual for testers to perform a standard background check or even a government-endorsed suitability investigation.
Is a Retest Included?
Assuming issues are identified during the test, you will likely want to fix all or some of the issues. Providers have their own policies with respect to this topic – some providers include it for free with the initial test round, while others expect a completely new pen test.
What’s My Budget?
It’s no secret – pen tests can be expensive. Now, recall that scope determines the bulk of the cost. By appropriately choosing your scope, you can directly tweak the level of effort required, and therefore the cost.
However, there are also timing and quality concerns that should be balanced accordingly. In a nutshell: as with any project, a pen test can run over its schedule and budget, depending on how smoothly the engagement is performed. Unnecessary delays are not terribly uncommon. Normally, this is a result of a team or product not being ready for the test.
Final Thoughts
Defining your goals before engaging with a provider will save time, resources, and frustration for both parties. Understanding what type of test you need, the scope of the engagement, and your timeline will equip you to begin these discussions.
If you’re ready to make the leap, consider filling out our scoping questionnaire.
If not, keep reading our other articles on pen testing!
About Austin Bentley
Austin Bentley is a Manager with Schellman, based in Kansas City, Missouri. Prior to joining Schellman, Austin worked as a Penetration Tester for a large financial institution, specializing in Application Security and Internal Pentesting. Austin also led and supported various other projects, including security automation and code review.