What Are the Elements of High-Quality Penetration Testing?

What are the elements of high-quality penetration testing?

Evaluating security just as vital as implementing security. With various types of security testing such as vulnerability scanning, risk assessments, and penetration testing available to organizations, it can be difficult to pinpoint what type of assessment suits your team's needs... and what differentiates high-quality security exercises vs. low-quality security exercises.

With penetration testing being the most in-depth and coverage-based approach for organizations looking to bolster their security posture, adhere to security regulations, and fortify themselves against future threats, today we'll be honing in on what quantifies high-quality pentesting.

Let's get started:

Penetration Testing vs. a VA Scan: Common Misconceptions

Penetration testing and vulnerability scanning are often misinterpreted as being the same service, leading to organizations mistakenly purchasing one when, in actuality, they would benefit from the other.

A vulnerability scan is an automated, high-level test that looks for and reports potential vulnerabilities. A penetration test is a detailed hands-on examination that works to detect and exploit weaknesses in your organization's system.

Due to its scope, pentesting recommended over a VA scan for common instances including, but not limited to:

• Regulatory compliance

• Cyber insurance

• Security posture

• Informing future cybersecurity roadmaps

Common Types of Penetration Testing

As listed in the MITRE cybersecurity framework, there are numerous variations of pentesting, all of which can be tailored to an organization's timeline, expected outcomes, and cyber insurance requirements.

Here at Packetlabs, we execute penetration tests via the following:

• DevSecOps: DevSecOps is integrated early in an organization's development cycle and acts as an extension of its development team to flag vulnerabilities within pre-existing detected management systems

• Red Teaming: Red Teaming is a full-scope simulated attack designed to get a holistic review of the level of risk and vulnerabilities across people, processes, and tech in an organization

• Purple Teaming: Purple Teaming is our collaborative testing exercise where the Packetlabs red team works with a company's internal security operations team (or blue team) to bridge the gap between offensive techniques and response efforts

• Cyber Maturity Assessments: A Cyber Maturity Assessment supports the tactical direction of an organization's cybersecurity strategy. As the first step in strengthening its security posture, this assessment generates the roadmap to strengthen its overarching security program

• OT Assessments: OT Cybersecurity Assessments simulate the likelihood of an attacker reaching the control centre from an external and internal perspective with production-safe testing

• Ransomware Penetration Testing: A Ransomware Penetration Test evaluates the preparedness and risk of a ransomware attack and identifies gaps in people, processes, and technology, to determine the likelihood and readiness for a ransomware attack

• Cloud Penetration Testing: Multiple perspectives help with strengthening security posture. These include Cloud Penetration Testing, which simulates an attacker in the environment, and a Cloud Penetration Review, which provides insights into cloud-specific vulnerabilities originating from an insecure configuration. Each of these services can be conducted separately or, for maximum effectiveness, combined as an enhanced cloud security bundle

• Objective-based Penetration Testing: Following a preliminary penetration test, objective-based testing conducts a more advanced simulated cybersecurity attack. The test is conducted by persistent ethical hackers who deploy multiphase attacks to gain access to your organization's data so that a company can discover gaps and vulnerabilities unique to their organization (alongside testing their ability to detect and respond to threat actors)

• Application Security Testing: More targeted in scope than a regular pentest, Application Security Testing uncovers vulnerabilities residing in web and mobile apps by actively exploring applications from an attacker’s perspective

• Infrastructure Penetration Testing: Infrastructure Penetration Testing uncovers vulnerabilities in IT and network systems to provide a tailored approach for each environment

These are all in addition to the Packetlabs Portal, which enables teams to quickly view Packetlabs' findings, prioritize efforts, request retests after remediation, and monitor progress.

Each type of penetration test or assessment can be tailored to a company's specific cybersecurity wants, needs, goals, and pre-existing vulnerabilities.

What Indicates High-Quality Penetration Testing?

There are numerous factors that denote high-quality penetration testing.

Cost

There are several factors that determine the cost of a pentest such as the size of the target, scope, methodology, experience, endpoints, test duration, and the breadth of expert remediation recommendations offered in the final report for fixing found security weaknesses.

Other common factors are as follows:

• Scope: The more comprehensive the pentest, the higher the cost. This includes everything from identifying and testing vulnerabilities to performing a social engineering assessment

• Type of testing: As just one example, a black box test is more expensive than a white box test because it is more time-consuming

• Methodology: Penetration testing should be conducted using globally accepted and industry-standard frameworks

• Automated vs manual: Manual penetration testing is more costly but more effective in identifying vulnerabilities. At Packetlabs, automated testing accounts for only 5% of the testing. The other 95% consists of manually simulated real-life attacks

• Complexity of target environment: The more complex the environment, the more time and effort it will take to identify and assess potential vulnerabilities

• Tester qualifications: Experienced and certified ethical hackers will provide you with a more thorough pentest which can save you time and money in the long run

• Time frame: As expected, the longer the testing timeframe is, the higher the cost will be

While not all high-quality pentests come with a higher fee, it is advised to be wary of penetration tests that are offered at a cost under the average market value.

The Experience, Qualifications, and Reputation of the Pentesters

The reputation of the penetration testing company (alongside the skills, qualifications, and collective years of experience of the team conducting the penetration test) are one of the top determining factors what is defined as high-quality penetration testing.

Senior penetration testers with robust industry certifications, such as CREST, OffSec‘s Offensive Security Certified Professional (OSCP), OSCE, OSWE, and SANs, result in higher fees; however, they also result in more in-depth findings, enhanced cross-team communication, and longer-term cyber hygiene benefits.

Seeking a cybersecurity firm with a strong history of positive reviews is also indicative of quality. For example, alongside celebrating our twelfth year in business in 2023, our team's experience and 95% manual penetration testing yielded a partnership with the SickKids Foundation, which was another one of last year's highlights: the SickKids Foundation is a fundraising organization based in Toronto that supports the Hospital with sick children. With over 1.5 million active donors, the foundation collects and manages sensitive information, which could result in reputational damage and loss of donors if breached.

Process

A high-quality pentest involves thinking and acting like an attacker. There might be different ways to break into a system and might also require someone to think outside the box especially if the target has some security mechanisms in place.

Without an in-depth understanding of the target, its context, and how it works, the pentest might not be rigorous. A high-quality pentest should cover all these aspects and can often span a longer duration of time than some organizations may assume.

For example, projects with larger scope or higher complexity generally require more time and resources to assess. This could include:

• The presence of custom codes and legacy systems

• Unique integrations within a company's networks

• More than one type of penetration testing being performed in a bundle

• Ongoing consultation with an organization's IT team

• In-depth remediation efforts

Depth of Reporting

High-quality pentests result in reports that are as descriptive as they are informative.

When looking for a pentesting vendor, their dedication to detail is paramount; different applications and industries, for example, have varying PII to be determined for each report, with different inclusions depending on the context.

Remediation Recommendations

When done right, pentesting doesn't just address existing weaknesses: it addresses potential future ones as well.

High-quality pentesting firms offer remediation testing or the periodic rotation of pentesting team in order to better help clients in implementing recommended security posture improvements.

These services can be essential for organizations looking to enhance their security posture, but can also contribute to higher upfront costs. One way we offer this at Packetlabs is via our MSP Partner Program: through a Partnership, Managed IT Services Providers can leverage our specialized cybersecurity skills and knowledge to provide even more comprehensive solutions to clients.

The Willingness to Rotate Vendors

While we recommend investing in a high-quality pentesting firm long-term, there are certain instances where vendor rotation may be beneficial.

Here are situations when we advise you look into rotation:

• There have been no new findings in 1 - 2 years. Outdated cybersecurity is the top risk for SMBs and enterprises alike–and is costing businesses upwards of one million dollars per cyberattack. That, combined with a cyberattack occurring once every 39 seconds, means that having a pentesting vendor stay on top of new vulnerabilities is crucial... and that, if they aren't finding any, they simply aren't looking deeply enough

• Your reports look like VA scans. Although VA scans are serviceable for identifying base-level threats, this surface-level approach to reporting only skims the tip of the iceberg and leaves your organization vulnerable to numerous advanced and emerging threats

• The penetration testing quality is poor. If your penetration testing vendor delivers only the standard level of VA reporting, is only relaying basic threats, is not relaying new findings, and engages in poor communication, it's time to move on to a vendor that cares about your organization's cybersecurity as much as you do

On the opposing end, it is recommended to stay with your current vendor if they are meeting the following criteria:

• They deliver high-quality findings. As we illustrate in our plethora of sample reports, the difference between a baseline VA scan report and a report brimming with high-quality findings is stark. If your team is continually coming to the table with new findings, provides in-depth reporting, and is communicative about their approach, we recommend not trying to fix what's not broken

• They offer the ability to rotate testers. With some pentesting vendors, they are not able to offer the opportunity to rotate testers due to either outsourcing or reliance on automated scans. With teams like Packetlabs, our 95% manual testing methodology means that we can (and often do!) swap our ethical hackers between projects periodically in order to ensure that your organization's vulnerabilities are always getting fresh eyes on them

• They have a team that aligns with your security goals. Finding a vendor for any service that aligns with your company's goals, security standards, and vision for improvement is rare. If you find that your team is aligning with your vendor's, we advise that you continue to foster that relationship long-term

No organization is too small–or too large–for threat actors to target, which makes having the right cybersecurity team at your back a necessity.

The Importance of High-Quality Penetration Testing

With cyber threats continuing to develop at a breakneck pace, high-quality pentesting has never been more crucial.

In recent years:

• There are an estimated 800,000 cyberattacks per year in 2023–with that number predicted to continue to rise annually

• 97% of security breaches are exploiting WordPress plugins

• An estimated 300,000 new malware are created daily

• 92% of malware is being delivered via email

• In 2023, it’s taking organizations an average of 49 days to identify a cyberattack

• Over 4.1 million websites on the Internet have malware

• 66% of interviewed CIOs plan to continue to increase their investment in cybersecurity

As a CREST and SOC 2 Type II accredited penetration testing firm, Packetlabs’ 95% manual pentesting goes beyond industry standards. Our best-in-class methodology digs deeper to deliver more. We offer several solutions that push the envelope on security–and guarantee full regulatory and cyber insurance compliance.

Conclusion

Pentesting is one of the commonly misrepresented terms, with even more misconceptions shrouding what differentiates a high-quality pentest from a low-quality one. obscurity in the understanding of a high-quality and a low-quality pentest.

To recap, indicators of high-quality penetration testing include, but are not limited to:

• Being manual vs. automated

• Having seasoned, qualified ethical hackers at the helm

• Being priced on-par (or above) average market value

• The willingness to encourage vendor rotation when warranted

• Offering in-depth remediation steps

• Touting a coverage-based, transparent process

By considering the needs of their systems, pre-existing vulnerabilities, and mandated compliance, organizations can select the most suitable type of pentesting for them. Investing in a thorough manual penetration test can be the difference between being saved from what Packetlabs clients have aptly nicknamed "company-killing asteroids" and suffering reputational or financial losses.

Looking to explore the benefits of high-quality penetration testing? Our team is always one click away.