SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

Pen Testing Strategy Guide: Setting Goals with Your Security Provider

Penetration Testing

Maybe it’s time for your yearly pen test. Or, maybe you’re building up your very own internal pen test team. Navigating this journey can be challenging, but we’re committed to making it easy for you. Fortunately, we bring a wealth of insight from our “other side of the table” perspective. This multipart series will prepare you for concerns on both sides of the table, so you can be certain you’re ready for your next engagement. 

Your Goals 

In business, every project starts with requirements. Before starting conversations with providers, we’d recommend having requirements hammered out. Doing this will help save everyone’s time and, more importantly, help align you with the correct team. To help determine these goals, let’s walk through a few questions you should be asking your team: 

Are You Supporting Compliance or General Security? 

Most pen tests are conducted for compliance reasons. If this is the case for you, we’d recommend familiarizing yourself with the requirements specific to your framework. For example, one framework may require a basic vulnerability scan, while another may require a more complicated pen test. As of this writing, here are some frameworks that strictly require a separate pen test or red team assessment: 

Other frameworks may not outright require a pen test, but could have specific controls (such as vulnerability management) that may be satisfied via a pen test:  

Do You Need a Vulnerability Scan, Pen Test or Red Team Assessment? 

Each of these services can be easily confused. Let’s look at what each of these are, and why you’d choose one over another: 

Test Type 

Work Performed 

Vulnerability Scan 

An automated test checking for publicly known vulnerabilities against hosts. 

Pen Test 

A manual test, performed by a human, of known and unknown vulnerabilities, in addition to exploitation of said vulnerabilities. (Which also may include a form of a vulnerability scan.) 

Red Team Assessment 

An unannounced manual test, performed by a human, against an entire organization (which also may include components of pen testing and vulnerability scans.) 

 

What Tests Are Required? 

If you are interested in a vulnerability scan or red team assessment, feel free to skip this section. 

If you approach a provider and ask “I need a pen test!”, the inevitable follow-up question will always be: “What type of test do you need?” Which tests you need should be clarified by your compliance team and/or senior cybersecurity management. To help narrow things down, here is a list of common forms of pen tests:  

What Is Your Scope? 

The scope of an engagement decides what hosts, domains, products, and test types are required. Therefore, the larger the scope, the more effort is required to complete the test. By having a pre-determined scope, you’ll be ready to discuss what level of resources are required. You’ll also be able to avoid potential frustration or fees.

How Soon Do You Need It Done? 

Depending on your provider, they may schedule tests as far out as a year. Some may have availability as soon as next week! If you know you have an upcoming pen test – schedule and sign a contract as soon as reasonably possible to ensure your deadlines are met. Note that there may also be other intricacies outside of your department which could impact timing.

Do You Have Residency, Contractual, or Background Requirements for the Testers? 

It’s not uncommon for providers to outsource their testing. Keep this in mind, as some organizations require testers to reside within a specific country. Other times, testers must be onboarded as contractors. It’s also not unusual for testers to perform a standard background check or even a government-endorsed suitability investigation. 

Is a Retest Included? 

Assuming issues are identified during the test, you will likely want to fix all or some of the issues. Providers have their own policies with respect to this topic some providers include it for free with the initial test round, while others expect a completely new pen test.  

What’s My Budget? 

It’s no secret – pen tests can be expensive. Now, recall that scope determines the bulk of the cost. By appropriately choosing your scope, you can directly tweak the level of effort required, and therefore the cost.  

However, there are also timing and quality concerns that should be balanced accordingly. In a nutshell: as with any project, a pen test can become overrun, depending on how smoothly the project is performed.  Unnecessary delays are not terribly uncommon. Normally, this is a result of a team or product not being ready for the test. 

Final Thoughts 

Defining your goals before engaging with a provider will save time, resources, and frustration for both parties. Understanding what type of test you need, the scope of the engagement, and your timeline will equip you to begin these discussions.  

If you’re ready to make the leap, consider filling out our scoping questionnaire 

If not, keep reading our other articles on pen testing! 

About Austin Bentley

Austin Bentley is a Manager with Schellman, based in Kansas City, Missouri. Prior to joining Schellman, Austin worked as a Penetration Tester for a large financial institution, specializing in Application Security and Internal Pentesting. Austin also led and supported various other projects, including security automation and code review.