How To Take The Pain Out Of Pentesting with OnSecurity

Discover effective strategies to streamline and simplify penetration testing. Learn how to alleviate the complexities for a more efficient testing process.

Dave Hewson
Chief Executive Officer
February 27, 2018

Pen-testing as an industry has only been around for about twenty years. It’s evolving fast and the relentless innovation can make it hard to keep up - nothing stands still for long. Yet one aspect of the business hasn’t changed a single bit in twenty years - an archaic process that's proved stubbornly resistant to progress:

Booking a pen-test.

Take a look at a typical booking process below. I wish I could say I was exaggerating here, but this is absolutely standard based on my experience as both a vendor and client. Just look at the effort the client must put in and how long they’re expected to wait:

Task 1: Shortlist vendors, draft and send 3 RFIs = 3.5 hrs

  • Wait 2 days for response from 3 vendors

Task 2: Fill out 3 scoping questionnaires = 4 hrs

  • Wait 5 days chasing answers from other depts

Task 3: Read proposals and select a vendor = 2 hrs

  • Wait 1 day for response from chosen vendor

Task 4: Co-ordinate diaries = 2.5 hrs

  • Wait 3 days for stars to align

Task 5: Fill out ‘Permission to test’ form = 2.5 hrs

  • Wait 5 days for legal to sign off

Task 6: Set up vendor on procurement system = 2.5 hrs

  • Wait 3 days for both accounting teams to liaise

Task 7: Calling & emailing during test itself = 1.5 hrs

  • Wait 10 days for report to be written and sent

Task 8: Reading test report = 0.5 hrs

  • 1 day wondering why the hell that took so long?

Now, add weekends into that and a client is lucky if it's delivered in a month. On top of which, they’ve had to put in nearly three days of effort themselves.

The model is broken: there's simply too much faffing and not enough testing. Ask any pen-tester and they’ll tell you they hate getting dragged into this process. Ultimately, that’s what pushed us at OnSecurity to do something about it; as pen-testers, we just got sick of the faff. The online platform we built eliminates the admin: clients book tests online and view results in real time, bringing overall delivery time down from 40 days to 4.

There’s still much more we could do (and more on that in my next blog), but in the meantime, get in touch below if you want to book pen-tests without the pain.
