Is your pentester giving you a generic report?



Why is your pentest not cutting it?

There are many reasons I could go into about why your pentests are generic, uncreative, and don't deliver what your business actually needs. The reality is that most companies, pentesting companies included, want to get as many engagements out the door as they can to increase profit. This leads to generic reporting that is enough to satisfy compliance standards but not enough to give real context to the biggest issues at your company. Combined with technical resources that sometimes lack the creativity the job requires, this drives a repetitive cycle.

There are ways to combat this, and some companies do it correctly. Here at SpartanCyber we provide more than a simple report: we provide context around the findings that others typically don't. This is not just a sales pitch but a guide to what to look for to get the most out of your report. If you choose another consultant, I would still recommend looking for these things! The list below covers the things you absolutely need to be asking for, and reviewing previous pentest reports for, to ensure your pentest report is usable beyond simple remediation.

  1. Does the report provide context as to why something is considered critical for your business? More often than not, these companies are copying and pasting criticality levels from a scanner or a CVE website. Is that what's happening in your report?
  2. Does your report offer repeatable verification steps? This is vital for your company to be able to validate the remediation. Many reports offer suggestions, but not a step-by-step, repeatable process you can follow to validate the fix after remediation.
  3. Does the report show the pentester's methodology? If not, how can your company understand how the pentester got to this stage in their test? This gives the defensive team an understanding they can use to improve.
  4. Are the screenshots in the report done professionally and with ease of use in mind? Many pentesters take generic screenshots that show "proof" but don't help anyone in the business understand what the screenshot is actually showing.
  5. Finally, an important one: did the pentester show all the times they tried something and it didn't work? This shows how many times the defense actually "won". The defense needs to understand what they are doing well, too.
