This is a general order and timeline. After the first step, some of the phases run simultaneously. During a typical engagement, PEN Consultants will:
- meet (or teleconference) with you to discuss your needs and goals
- give you preliminary pricing based on your desired services
- send a mutual non-disclosure agreement (NDA) to protect both parties
- complete a detailed questionnaire to narrow down testing scope
- provide a detailed, no-obligation contract and statement of work (SOW) for your review
- perform testing/service (after execution of the final contract/SOW)
- after testing is complete, (1) “get noisy” so your SOC staff will see the attack(s) and get some IR experience out of it or (2) clean up, restoring any and all modifications made during the testing (if applicable)
- create a detailed report explaining what key factors were discovered and provide recommendations for you to prevent and/or detect discovered attacks (at all layers), etc. (if applicable)
- follow up with a debrief – on-site or teleconference – to discuss/show what was found (if applicable)
- assist you with locating vendor products, determining a better use of current vendor products, acquiring qualified staff to carry out remediations, etc. (if applicable)
- remain engaged until you are 100% satisfied