Penetration Testing Framework and Methodology
There are many security frameworks. However, we believe there’s a best way of doing things and an order and organizational aspect that MAXIMIZES the impact of your security efforts. We’ve tested and optimized each of the components required for an effective penetration testing project and translated them into one easy-to-follow step-by-step system.
CREST Certified
As a CREST-certified supplier, we have undergone a rigorous accreditation process covering the policies, processes, and competencies required for a professional Pentest execution standard. We abide by the CREST enforceable Codes of Conduct and Ethics so that you can have confidence and peace of mind when choosing your Pentest vendor and penetration testing methodologies.
Step 1: SCOPE
When considering penetration testing methodologies, one of the most critical aspects is defining the scope: what networks, applications, databases, accounts, people, physical security controls, vulnerability management, and other assets are “fair game” for the penetration tester(s) to attack.
​
Deciding what scope is right for you should be part of the initial discussion with whoever will conduct the assessment and anyone who has a stake in the results. Additionally, if you have compliance requirements like the NIST cybersecurity framework, we can scope that as well. Getting the scope right is key to deriving maximum business value from the assessment; likewise, defining the wrong scope can severely limit the usefulness of the penetration testing. Click Here to read our blog post, How to Scope Your Pentest.
Step 2: RULES OF ENGAGEMENT
Rules of Engagement (RoE) details the manner in which the effective penetration test is to be conducted, managed, and communicated. We believe there are some directives that should be clearly spelled out in RoE before you start the penetration test. Emagined uses a proven Client Success Plan to ensure that all expectations are set up front. That way, there are no surprises and everybody knows exactly how to communicate and what dictates project success. Click here to read our blog post, Why You Need Penetration Testing Rules of Engagement as Part of Your Penetration Test.
Step 3: TEST
No business is identical and our services can be tailored to fit your needs. Our pentest framework accommodates Internal network penetration tests, external network penetration tests, application penetration tests, cloud, dockers, wireless, kubernetes, Red Team, Phishing, API’s… the list can go on and on. Fact is, we’ve been there and done that… more than once… and we have a clear path and a best way to go about it. We want to make sure that we test for security vulnerabilities and potential security vulnerabilities during the security assessment. And, we have all the latest and greatest security testing tools. Want to know more… click the button below. Or, click here to read our blog post, How To Conduct a Penetration Test.
Step 4: Document Findings
A huge part of the VALUE that comes from a penetration test is the report that is generated. The report is used for many reasons and reviewed by many stakeholders and that’s why our reports are more than just an export of findings from a scanning tool.
Step 5: Prioritize & Rank Findings
Our findings are prioritized and cybersecurity risks are ranked according to criticality by our security professionals. We believe that a useful report has intelligence gathering, and identified vulnerabilities that you can take action on and we aim to make that as simple as possible.
Step 6: Document Potential Mitigation
Part of keeping it simple, is tapping into our vast database of cybersecurity vulnerabilities. We maintain an huge volume of templates that feed our reporting engine that allows you to quickly and easily determine the best approach to mitigating your prioritized findings.
Step 7: Remediate
More often than not our clients want to address the “findings” as quickly as possible. We’re here to help with that process and provide guidance as necessary. We provide screenshots and oftentimes screen recordings of our exploits so that remediation steps are coherent.
Step 8: Retest
Want us to re-check what you’ve fixed? No problem. During the scoping process we’ll setup a timetable for going back and retesting what you’ve fixed so that you’re confident in your updates.
Step 9: Update
Lastly, once we’ve completed the remediation testing we’ll update your report with a new section that details what was remediated so that all stakeholders can clearly recognize your efforts.
Read more about remediation in our blog post, After The Pentest Report…Remediation.
Our One-Page Penetration Testing Framework
We built a completely new kind of penetration testing framework to allow us to provide unparalleled levels of penetration testing, project management, reporting, and remediation support.
Additional Support & Downloads
The Free Ultimate Guide to Penetration Testing RFP will help you develop an RFP that addresses these areas. Click the button and then scroll to the bottom of the page for the download. Additionally, you can view some of our real-world case studies and lessons learned! Or, check out our comprehensive services here.