FAQ
Answer:
A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. Penetration testing takes a step beyond a vulnerability scan and attempts to exploit those vulnerabilities that have been identified, as well as identifying and exploiting other vulnerabilities not identified by automated tools. As such, a penetration test requires attention to detail and manual examination by a skilled cybersecurity engineer who tries to detect and exploit weaknesses in the system.
Answer:
In general, the project will start with a kickoff call that will set forth the rules of engagement. Once the test starts, the engineer will holistically and methodically review all aspects of the application or network. Once testing is finished, testing results will go through a detailed quality assurance process and a report will be drafted. Our team will convey findings to stakeholders when requested.
Whenever you are considering a penetration test, it is important that the methodology is based on an industry-recognized standard. This not only ensures that the test meets the compliance requirements you need, but also makes sure the engineer is giving you an unbiased, holistic view of your risk. Our network, API, and web application testing methodologies are based on the OWASP testing guide, NIST 800-115, and the Penetration Testing Execution Standard.
Answer:
The execution timeline will depend on the size and scope of the application being tested but, on average, can range from 1 to 4 weeks. Scoping and contract formalities that precede testing may also take 1-2 weeks, depending on the company’s approval process. Drafting of the final report requires 3-5 days on average.
Answer:
Our team will assist you in understanding what targets should be included in scope as well as what type of testing (“black box”, “grey box”, or “white box”) is aligned with your overall testing objective. Typically, assets that are prioritized for testing are those subject to regulatory compliance (such as PCI), assets that are most critical to the functioning of the business, or assets that historically have had security issues.
Answer:
The answer to this is “it depends.” There are a lot of factors that go into pricing. As each client environment is different, we will work with you to identify the services that best fit your individual needs. For external network testing, the number of live hosts, time windows for testing, and retesting will be the determining factors. In general, if a company has fewer than 10 IP addresses on its Internet perimeter, this should cost around $3,500. On the other hand, if there is a larger Internet presence, roughly 40 or more IP addresses, that price would be closer to $8,000. A key point when scoping penetration tests is that we only charge for hosts that have services listening, so if you know that answer, you’ll get the most accurate cost. The same principle applies to pricing internal penetration tests.
For API and web application penetration tests, the cost of testing is generally determined by the number of roles in an application (admin, user, etc.), whether APIs are involved, the number of API calls, the number of pages, whether the pages are static or dynamic, the complexity of features, and any unique reporting requirements. On average, a small web application with one role will cost around $4,700 to test, while a more complex web application could cost upwards of $8,000.
If cyclical and frequent penetration testing is requested, we recommend a “time-box” approach where a bucket of testing hours/days is allocated across a specified period. This allows for “on-demand” testing whenever it is necessary (e.g., major releases, sprint testing, etc.).
Answer:
For web application or API penetration testing, the following is requested:
- Testing environment (typically a staging or pre-production environment) or production environment details
- Testing limitations (i.e., out-of-scope targets)
- At least two accounts of each type of role
- VPN access or IP address whitelisting, if applicable
- API documentation, if applicable
- Source code, if applicable
- Informing any Blue Team or SOC, if applicable
For external network penetration testing, the following is requested:
- Testing scope (in-scope, and out-of-scope limitations)
- IP address whitelisting, if applicable
- Informing any Blue Team or SOC, if applicable
For internal network penetration testing, the following is requested:
- Testing scope (in-scope, and out-of-scope limitations)
- A “jump host” on the internal network that can be accessed remotely, or a physical “Raspberry Pi” (network device) that will be shipped to the location and connected to the internal network
- Informing any Blue Team or SOC, if applicable
What does the report contain?
Answer:
Once testing is finished, a report will be drafted which will contain the validated results from the testing efforts. Additionally, the report will include the following:
- Executive Summary
- Immediate Recommended Actions
- Scope
- Testing Methodology – Target Discovery Process, Vulnerability Identification Process, and Exploitation Process
- Testing Priorities
- Engagement Narrative
- Risk Ratings – Likelihood, Impact, Likelihood Modifiers, Impact Modifiers, and Risk Matrix
- Testing Results – Finding Risk, Location, Description, Proof of Exploitation/Steps to Reproduce, and Remediation Recommendations
If a retest of findings has been agreed to within the scope of work, an updated report will be drafted to indicate which findings have been remediated and which issues still exist.