What is a Pentest?

People use the term “penetration test” all of the time without actually understanding what it means.

Even in the security industry, there is often disagreement on what exactly a “penetration test” is and how it differs from a vulnerability scan, vulnerability assessment, red teaming, etc.

So, let’s clear up some of the confusion. This is how PEN Consultants approaches Penetration Testing:

Penetration testing, which some may refer to as “ethical hacking” or “white hat hacking”, is the practice of testing a computer system, network, or web application to find vulnerabilities an attacker could exploit. Penetration testers use much of the same knowledge, tools, and techniques as malicious hackers, but they do so with permission from the owner and with the intention of improving security.

Here a few quick ways to determine that the “penetration test” you are discussing with a vendor is almost certainly not a true penetration test:

• The vendor can’t discuss or demonstrate an industry-standard testing methodology
• The vendor talks about how the testing process is mostly automated or predominantly uses scanners
• The vendor can’t, or won’t, share a sample report
• The vendor reports false positives and tells you to verify them
• The vendor is vague or noncommittal about the engineers they employ and who will be on your project
• The vendor’s contract (Statement of Work) is vague about the tests and types of testing to be performed

Penetration testing can have tremendous benefits to the security of your organization, but only if you are getting true value for your money.

Curious whether your previous vendor’s tests/methodologies were comprehensive? Contact PEN Consultants and we will give you an apples-to-apples comparison.

https://penconsultants.com/contactus