June 28, 2023
How are Secure Impact penetration tests different to the market standard?
This is a question we're asked a lot by clients, so we've produced the summary below to outline how our penetration testing services compare to others in the market.
Rather than a tick box exercise, our penetration tests are always geared to ensure meaningful change for our clients, and we're proud to be setting a new industry standard.
Engagement Scoping
Market Standard
- A short call, often with only a commercial contact rather than a technical lead, which misses key context and detail about your risk profile and security objectives.
- The output of that call is typically a rough scope based on generic metrics, so you may not get a targeted test, nor the insight into your vulnerabilities needed to prioritise the changes that matter most.
Secure Impact
- A one-to-one call with our technical team lead and the consultants who will be working on the engagement, so you get value and technical expertise from day one. We always endeavour to provide you value even if money doesn’t change hands.
- The entire technology stack is considered in the context of the wider organisation to better understand your risk profile. This affords a more holistic understanding of your ecosystem.
- We identify the most important areas to test, with specific objectives in mind. This makes the engagement more cost-effective for you in terms of where and how a consultant’s time is spent, and the value generated.
- The scope is designed to maximise the value and impact of the engagement, meaning targeted outcomes and remediation advice, based on your specific risk profile.
Use of Automated Scanning
Market Standard
- Scanning is often used heavily because it is low effort for consultants and lets them carry out more pentests in a given timeframe. However, this approach generates excess noise and traffic during an engagement, and often drowns clients in unnecessary findings that don’t truly affect their security.
- Over-reliance on scanning also produces a large number of false positives in findings reports, meaning some of the results given to clients aren’t even correct, further confusing security teams and reducing the actionability and value of your pentest.
Secure Impact
- We take a strong, manual approach, with “just the right amount” of automation.
- We validate our findings to avoid reporting false positives.
- We take the time to demonstrate and explain the real-world threat that each vulnerability poses to your organisation - this creates actionable learnings for you and your team and encourages knowledge transfer.
- Manual testing, rather than over-automated scanning, produces actionable results specific to your business, so the remediations you make have a definite positive impact on your security maturity.
Engagement Reporting and Deliverables
Market Standard
- Reports are often over-templated, generic, long and difficult to read. This is not useful for time-pressured security teams trying to instigate change; such reports are overwhelming and end up “hidden in a drawer” rather than acted upon.
- Other formats such as public-facing or redacted reports are often low-quality, which may send an unintended message to your own clients.
Secure Impact
- High-quality, concise reports that are easy to read, easy for multiple teams to understand, and easy to act on. We include screenshots, icons and colour coding to clearly denote the severity of findings, and more.
- We provide supplementary report formats, including public-facing reports and redacted summaries. These are clear, visually attractive documents that you would be proud to share with your stakeholders.