Penetration Testing Framework
There is a best way of doing things, and an order and organizational discipline that MAXIMIZES the impact of your security efforts. We’ve tested and optimized each of the components required for an effective penetration testing project and translated them into one easy-to-follow, step-by-step system.
As a CREST-certified supplier, we have undergone a rigorous accreditation process covering the policies, processes, and competencies required for professional Pentest services delivery. We abide by the CREST enforceable Codes of Conduct and Ethics so that you can have confidence and peace of mind when choosing your Pentest vendor.
Step 1: SCOPE
In any penetration testing engagement, one of the most critical aspects is defining the scope: what networks, applications, databases, accounts, people, physical security controls and other assets are “fair game” for the penetration tester(s) to attack.
Deciding what scope is right for you should be part of the initial discussion with whoever will conduct the assessment and anyone who has a stake in the results. Getting the scope right is key to deriving maximum business value from the assessment; likewise, defining the wrong scope can severely limit the usefulness of the test. Click here to read our blog post, How to Scope Your Pentest.
Step 2: RULES OF ENGAGEMENT
The Rules of Engagement (RoE) detail the manner in which the penetration test is to be conducted, managed, and communicated. We believe there are some directives that should be clearly spelled out in the RoE before you start the penetration test. Emagined uses a proven Client Success Plan to ensure that all expectations are set up front. That way, there are no surprises, and everybody knows exactly how to communicate and what defines project success. Click here to read our blog post, Why You Need Penetration Testing Rules of Engagement as Part of Your Penetration Test.
Step 3: TEST
No two businesses are identical, and our services can be tailored to fit your needs. Internal network, external network, application, cloud, Docker, wireless, Kubernetes, Red Team, phishing, APIs… the list goes on. The fact is, we’ve been there and done that, more than once, and we have a clear path and a best way to go about it. Click here to read our blog post, How To Conduct a Penetration Test.
Step 4: Document Findings
A huge part of the VALUE that comes from a penetration test is the report that is generated. The report is used for many reasons and reviewed by many stakeholders, and that’s why our reports are more than just an export of findings from a scanning tool.
Step 5: Prioritize & Rank Findings
All of our findings are prioritized and risk ranked according to criticality. We believe that a useful report is one that you can take action on and we aim to make that as simple as possible.
Step 6: Document Potential Mitigation
Part of keeping it simple is tapping into our vast database of vulnerabilities. We maintain a huge library of templates that feed our reporting engine, which allows you to quickly and easily determine the best approach to mitigating your prioritized findings.
Step 7: Remediate
More often than not, our clients want to address the findings as quickly as possible. We’re here to help with that process and provide guidance as necessary. We provide screenshots, and oftentimes screen recordings, of our exploits so that the remediation steps are coherent.
Step 8: Retest
Want us to re-check what you’ve fixed? No problem. During the scoping process we’ll set up a timetable for going back and retesting what you’ve fixed, so that you’re confident in your updates.
Step 9: Update
Lastly, once we’ve completed the remediation testing, we’ll update your report with a new section that details what was remediated, so that all stakeholders can clearly recognize your efforts.
Read more about remediation in our blog post, After The Pentest Report… Remediation.
We built a completely new kind of penetration testing platform to allow us to provide unparalleled levels of penetration testing, project management, reporting, and remediation support.