Blog

It's no secret: many organizations view and treat phishing as a periodic checkbox assessment. It’s often a basic email template sent to an entire organization. If someone clicks the link, they are recorded and possibly enrolled in training. While this approach can certainly check the “quarterly phishing exercise” box, you should consider demanding even more from your phishing assessment. After all, when you engage with a third-party provider, they should provide both depth and value within their specialization.

Web applications grow and evolve each year. There’s always a new feature, a new API, and a new way of doing things. These constant changes may introduce some form of vulnerability, which is not ideal when web applications often sit on your external network. This makes web applications an ideal vector for an attacker to migrate into your internal network or compromise customers. Therefore, any web application test deserves an adequate level of thoroughness and attention. Below, we’ve provided a list of questions you should consider asking prospective pen test providers to ensure the most effective web application pen test experience.

When people hear of an upcoming pen test, they most commonly think of network testing. These tests can be focused against your external network (i.e. network perimeter) or your internal network (cloud environment and/or on-premises network). As these networks typically change year to year with new devices, cloud migrations, on-premises migrations, and firewall migrations, periodic testing may be necessary. This can leave you wondering how to find the right pen test provider to ensure your organization's network security posture is thoroughly assessed.

You think you’re close to picking the right team. Your goals align, and you think the team is of sufficient quality. But, there’s one aspect that can be easily overlooked – yet it may ultimately determine whether the exercise was worth conducting.

So, you’ve decided you need a pen test – and you have your requirements in mind. Now comes the process of finding your team to perform the test. As with any service or product, there are large variances in quality between vendors and individuals – so you’ll need to perform a balancing act. Below, we’ll walk through questions designed to help you assess the capabilities, experience, and ability of any prospective provider to meet your specific requirements.

Since the beginning of 2024, FedRAMP Revision 5 has mandated that organizations not only perform traditional penetration tests, but also undergo comprehensive red team engagements. This new requirement reflects a broader emphasis on assessing not just technical vulnerabilities, but also the effectiveness of an organization’s overall security posture, including it’s response to sophisticated and realistic threats. Over the past year, we’ve conducted many red team exercises, each tailored to different organizational environments and threat landscapes. These engagements have varied significantly in scope and complexity, offering us a wealth of insights into both our successes and the challenges we’ve faced.

Among the several offerings the Sektor7 Institute has related to evasion, privilege escalation, malware development, and persistence, cyber security professionals of various disciplines, from red team operators to incident responders- can all find something of value in Sektor7 Institute’s RED TEAM Operator: Windows Evasion Course.

Out of all the types of penetration testing we perform at Schellman, physical security is frequently overlooked due to the fact many compliance frameworks simply don’t mandate this type of testing. Of course protecting your physical infrastructure can be challenging. Many organizations struggle to identify and address vulnerabilities, leaving them vulnerable to theft, vandalism, and other threats. The good news is, you're already taking the right steps! By reading this, you're demonstrating a commitment to physical security.