It's difficult to be vulnerable, no matter what the situation, even when we're talking about something that's ultimately beneficial like having an external company come in and test your cybersecurity environment.
Nevertheless, penetration testing and red teaming are security necessities for any prudent, forward-thinking organization. That's why we wanted to share a few ideas on how you can help us help you prepare for your next RedTeam Security engagement.
Before you get confused by all this talk of vulnerability and engagements, we're not proposing a romantic relationship here. If you're working with us, you're looking for help securing your organization from the industry's leading professionals.
Our engagement might involve:
Keep in mind, too, there's a difference between penetration testing and red teaming. Even though they are often used interchangeably, we like to put it in vivid terms — pen testers are pirates ready to rampage and pillage wherever and whenever they can. Red teamers are more like ninjas, stealthily planning multi-faceted, controlled, focused attacks.
Sure, we listed all those types of engagement above because we wanted to show off all that we can do. It also helps you to understand all that's available to you.
However, we don't recommend all of our services for all organizations. Far from it, in fact; we specialize in creating tailor-made plans specific to your organization's needs. We like to make this known in advance because it's much easier for us to accurately plan and price your engagement if we know what you're looking to include from the outset.
This is related to the previous tip, of course. It's possible that you know that you want web application testing, but you don't have a very deep sense of what that actually means for you.
We'd recommend reviewing some of our resources like our blog post on Understanding Application Complexity to help you get a handle on what we'll be talking about and what that means for you.
The better able you are to quantify your testing environment, the more accurate and specific we can be. For example, be ready for us to ask you "how many IP addresses do you have?" Please, don't hand us a five-page spreadsheet and make us count them by hand. Know the answer beforehand and it'll be a whole lot more painless for the both of us.
You can get a good idea of the topics we'll want to know about by perusing our Scoping Questionnaire.
In order for us to work within your budget parameters, we need to know what they look like. The more we know, the better able we are to determine if your budget matches your testing environment.
For example, we can't test 100 live hosts when you only have the budget to test 50. With all the numbers at our disposal in advance, we can work with you to determine priorities based on your objectives, the importance of the testing items, and your risk level.
Asking this question is our chance to channel our inner financial advisors. With a better idea of your risk threshold, we can make smart choices about what level of testing to conduct for your organization.
If you are relatively risk-tolerant, for example, maybe we don't need to go as in-depth. If you're risk-averse (or in an industry with strict security regulations or compliance requirements), we will want to be as thorough as possible, leaving no stone unturned.
Finally, provide as much detail as you can when answering our scoping questionnaire and during your consultation with a RedTeam Security expert. Your responses help us ensure an accurate and complete proposal, which helps us help you with your RedTeam engagement.
If you have any questions, schedule a meeting with one of our security consultants. We're here to help.