Penetration testing (also known as a pentesting) is the process of performing an intelligent and creative test of your cyber security posture from a malicious outsider or insider’s perspective. Commonly known as ethical hacking, penetrations testing allows you to identify and understand the risks you face from those with nefarious intent.

Most organizations pursue penetration testing for at least one or more of the following reasons.

1. As a security best practice they want to limit their liability and protect their systems from cybersecurity risks
2. Their clients and users require it as condition of doing business
3. It is a compliance requirement related to frameworks such as SOC 2, PCI DSS, ISO 27001, NIST 800-53, and HIPAA legislation.
4. There is some area of risk to your cyber footprint that keeps you up at night
 

Mistaking a vulnerability assessment or vulnerability scan with a penetration test is a common faux pas. While a vulnerability assessment uses software-based scanning tools to uncover known software vulnerabilities, it does not include a creative, and therefore human, attempt to exploit vulnerabilities in a creative way. While all penetration tests include a vulnerability assessment, they also include a skillful human effort to mimic a malicious attacker.

1. Step One – Understand Your Objectives
   Is it a client requirement, a security concern, a compliance requirement, or some combination? Do you want blackbox, grey box, or whitebox testing?
2. Step Two – Identify your Risks
   Let’s face it, your budget isn’t infinite; we need to prioritize! At Practical Assurance, we use our unique combination of compliance and security expertise to help you align your goals, budget, and risks to get the best validation for your time and money.
3. Step Three – Determine the Scope of the Test Based on Those Same Objectives
   Many penetration testing companies take a “gut feel” approach factoring in terms like “two engineers for two weeks”. What if we took an appropriate budget and strategically prioritized time from high to low risk? Practical Assurance will help you identify and quantify your scope based on your unique needs, goals and risks.
4. Step Four – Planning
   Information gathering, team identification, environment preparation, scheduling, clear communication, and post-remediation testing are essential. At Practical Assurance, all phases of the process are strategic, clear, and effective.

Because of our extensive security and compliance background, we can prioritize security while easily integrating pentesting into an audit readiness workflow that will save you time and money. We take a unique risk-based approach in both project scoping and continuous monitoring that’s client and efficiency focused. Our ability to do continuous quarterly pentesting within a typical annual budget is a common reason our clients choose us.

We know it’s hard to realize your flaws. But in online security, doing so is vital for your company’s protection, building trust with clients and prospects, and allows you to prepare for key compliance requirements.