January 20, 2023
Pentesting has been a staple of cybersecurity programs for decades.
For much of that time, organisations had only one type of pentest engagement to choose from—the traditional penetration test. Today, the options have expanded considerably, providing a broader range of testing capabilities but introducing plenty of confusion at the same time.
This article will look at the three most popular types of pentest engagement, explain the differences, and provide some insights to help you choose the ideal pentest offering for your organisation.
What is Pentesting?
Penetration testing—also known as pentesting—is a category of cybersecurity functions that aims to uncover vulnerabilities in an IT environment before a hacker can exploit them. Until around ten years ago, all pentesting engagements were completed by teams of human security experts. However, today there are more options, which we’ll explore shortly.
Unlike protective controls such as a firewall, which aim to prevent malicious activities, pentests are a form of offensive security. They preemptively employ hackers’ tools and techniques to uncover weaknesses in an environment or asset before a malicious hacker can exploit it.
Most pentests have a specific scope since testing “everything” in a single engagement is generally not feasible or desirable. Some of the most popular targets for pentesting include:
- Networks (local, cloud, or hybrid)
- Wireless networks
- Web applications
There are many reasons to implement regular pentests. Some of the most common include:
- Assess cyber risk. Pentests help organisations uncover unknown sources of cyber risk before a hacker can exploit them.
- Fulfil compliance obligations. Many legal and compliance frameworks, including PCI-DSS, require organisations to complete annual pentests of specific assets.
- Identify unknown vulnerabilities in products or architecture—particularly those that can’t be found using automated vulnerability or application security scanners.
- Prepare for M&A. Most M&A agreements now include cybersecurity requirements which typically require organisations to submit to pentests.
- Mitigate supply chain risk or meet stakeholder requirements. Customers, suppliers, and partners increasingly demand that organisations prove their cybersecurity readiness by scheduling regular pentests and publishing the results.
- Protect business continuity and system uptime. Cyberattacks frequently lead to significant and costly interruptions to business operations. By identifying weaknesses proactively, pentests help to protect business continuity and system uptime.
- Protect customer data or commercial secrets. Today, data is often among an organisation’s most critical assets—and it’s also a common target for hackers. Pentests are often used to uncover weaknesses that may allow an attacker to collect and extract data from an organisation’s network, website, or Internet-facing assets.
- Avoid negative publicity. Organisations that are the subject of successful cyberattacks inevitably face negative publicity—even if the attack is quickly contained. This can have implications for ongoing business, particularly if an attack threatens the assets or business continuity of partners, customers, or suppliers.
A traditional pentest is a time-bound engagement delivered by a security services provider like CyberOne. These engagements are delivered by a team of qualified, experienced pentesters over a defined period—often 1-2 weeks, but there is no firm rule on engagement length.
Most traditional pentest engagements have an overarching mission—for example, meeting annual compliance objectives or preparing for an event such as a product launch or M&A. However, some organisations prefer to schedule regular traditional pentests purely as a continuous addition to their cyber risk reduction program.
A typical pentest engagement will follow a clear project plan. At CyberOne, our engagements use the following testing methodology:
- Scoping. Working with the customer to define which assets and infrastructure fall within the scope of the engagement.
- Reconnaissance. Gathering publicly available information about the customer that may help the testing team identify weaknesses.
- Mapping. Assessing target assets to build a complete picture of their attack surface.
- Vulnerability analysis. Scanning and manually investigating in-scope assets to identify security vulnerabilities.
- Service exploitation. Exploiting vulnerabilities to access systems and data.
- Pivoting. Reusing successful exploits to target further systems and assets.
- Clean up. Removing testing data from the customer’s systems.
- Reporting and debriefing. Providing an in-depth pentest report with clear recommendations and guidance for remediation. This can be delivered as a written report or via a virtual or face-to-face meeting.
A recent upgrade to traditional pentests has been the addition of ‘pentest platforms,’ which allow customers to more easily schedule pentests, see the status of ongoing engagements, request more information about reported vulnerabilities, request retests following patching, etc. This feature was initially introduced by crowdsourced pentesting providers and is rapidly becoming an industry standard due to the improvement it provides to customer experience.
An automated pentest is exactly what it sounds like—an automated solution that attempts to replicate the processes of a traditional pentest without requiring any human intervention.
Note the word attempts. In reality, no automated tool can completely replace the need for human pentesters. If it could, traditional pentests would already be obsolete—and they notably aren’t. There are some weaknesses that require human perseverance and creativity to uncover—the type of perseverance and creativity that a malicious hacker would employ.
However, today’s automated pentest solutions are extremely powerful and can provide continuous security validation of critical systems and assets in a way that would be prohibitively expensive to deliver manually. Similarly, many security weaknesses are more suited to machine-testing, as they are simply too time-consuming to uncover in a 1-2 week human testing engagement.
Automated pentest solutions are NOT the same as vulnerability scanners. In addition to uncovering known vulnerabilities, an automated pentest solution provides additional capabilities such as:
- Security control validation
- No-harm exploitation of discovered weaknesses
- Complete attack surface coverage
- Risk-based remediation guidance
Typically, automated pentesting isn’t a complete replacement for traditional pentesting. Organisations often employ automated pentesting solutions to provide a continuous assessment of cyber risk and uncover vulnerabilities introduced during normal business operations—while reserving traditional pentests for more focused testing of specific assets.
At CyberOne, we work with Pentera to provide our clients with automated pen testing solutions.
Crowdsourced pentests are a completely different approach to security testing that has come to prominence over the last decade. Instead of working with a set team of pentesters provided by a security services provider, crowdsourced testing enables organisations to engage with a global community of ethical hackers and security experts.
This approach gives organisations access to an unprecedented range of security testing expertise, helping to uncover high-risk vulnerabilities by mimicking the behaviours of real malicious hackers.
In almost all cases, organisations don’t attempt to organise crowdsourced testing in-house. Instead, they work through a crowdsourced testing provider, which will typically deliver a platform through which organisations can invite freelance hackers and security experts to test their assets.
Broadly, there are two ways to engage with crowdsourced testing:
- Specific, time-bound engagements that mimic traditional pentests
- Continuous testing engagements that allow testers to submit vulnerabilities at any time.
While it is possible to engage directly with crowdsourced testers and manage the entire process in-house, crowdsourced testing providers usually manage the engagement process and the delivery of specific testing engagements. This allows organisations to reap the benefits of crowdsourced testing while retaining important elements of traditional pentests such as:
- Vetted and risk scored vulnerability reports
- Low internal effort requirements to manage the testing process
- Remediation guidance for reported vulnerabilities
At CyberOne, we work with Synack to provide our clients with crowdsourced pen testing solutions.
Which is Right For Your Organisation?
There is no “best” form of pentesting. Each of the options described above is equally strong, and your choice of engagement type should be defined based on your specific needs.
For small organisations with few resources, meeting compliance requirements is typically the priority—and this usually mandates the use of traditional pentests. At the other end of the scale, many organisations use a combination of pentest engagements to meet varied cybersecurity needs.
- Traditional pentests to meet compliance objectives.
- Automated pentesting for continuous security validation of their networks.
- Crowdsourced pentesting for specific, high-risk or business-critical applications.
This approach is highly effective for controlling cyber risk but naturally requires a higher investment of resources to maintain compared to a more traditional program.
If you’re not sure which engagement—or combination of engagements—is right for your organisation’s needs, we can help. Get in touch today to discuss your pentesting options with one of our experts.