Silent Sector Blog

Silent Sector on "Cheap Penetration Testing"

Written by Zach Fuller | Nov 10, 2021 9:17:00 PM


TRANSCRIPT:

Companies looking for penetration testing have a huge number of options. These days, unfortunately, the industry has become very commoditized. So there are a lot of automated services and solutions, different cheap penetration tests, you know, that are out there. A lot of times, though, it's really doing a disservice to the organizations that really need a true penetration test. So it's important to understand the difference, right?

The problem is, in order to really understand the nature of risk within a technology environment, it doesn't matter if it's a web application, or if it's your internal or external network environment, or if it's wireless. Either way, whatever environment you're looking at, you really need to take a deep look at the vulnerabilities themselves, right? And automated tools and systems and canned approaches really can't do that. You really have to have an expert on the other side of those to do the manual exploit validation, to really understand if a vulnerability is truly an attack surface for the organization. Just because a tool throws up a big red flag doesn't mean it's something that you need to jump on right away, necessarily.

And this is what catches a lot of companies off guard when they go for some of these canned approaches and some of the commoditized pentesting services that have hit the market these days. What ends up happening is they get this huge list of vulnerabilities, many of which are actually not exploitable based on the configuration of their environment. And what happens is they go and they start remediation on everything. So it costs them a tremendous amount of time and money and resources to do all this remediation when, in fact, a lot of it isn't necessarily as critical as they thought it was. So keep that in mind. If you're just looking to check a block, if you just need to get something done, a cheap penetration test can do the job.

But keep in mind, too, that your clients are getting more and more sophisticated. If you're in the B2B tech world, especially working with Fortune 500 and Fortune 1000 companies, they're going to look at the penetration test, a letter of attestation or a high-level overview of the results, and ask a lot of questions, right? So you need to be prepared to answer those. So keep in mind who your buyer is and their sophistication level, and make sure that your penetration testing is really accomplishing everything you need, not just checking the block, because in the long run, the commoditized pen test approach can actually end up costing you a lot more.