“Cyver Core makes it possible to run pentests at this volume, we’d be a lot slower without it. On average, we’d be 3-4 days slower”
Hedgehog Security is a pentest firm running penetration testing and SOC compliance testing for 170+ clients, including custom and special work for ships, satellites, physical location security, and much more. That high volume, combined with a small team, means Hedgehog Security needs to run efficiently, minimizing overhead like reports and project setup.
Hedgehog launched in 2009 and became one of our first clients in October 2021.
We interviewed Peter Bassill, founder of Hedgehog Security, to discuss how they’re using Cyver Core.
- Clients: 171+
- Ethical Hackers: 6+
- Projects on Cyver Core: 1,000+
- Location: Gibraltar
- Rates Cyver Core: 9.8 out of 10
Getting Started with Cyver Core
Hedgehog Security knew it needed a pentest management platform, and it was in the process of developing one when it first met up with Cyver Core.
“I was actually writing software for a pentest management firm and when I discussed it with Luis, he was three months ahead of me. So, I gave him my development roadmap, and 6 months later, that’s what I got”.
The team consists of just 6 pentesters, so they wanted a pentest management system to manage workload.
“If we have a good backend system, it replaces having staff keep track of things, we can be a lot more agile, we can stack projects together quite logically, and we can balance workloads to ensure the right tester is doing the right things. That’s what we wanted, and that’s what we got.”
Using Pentest Management with Cyver Core
Hedgehog Security uses Cyver Core for all its pentest projects, as well as some other types of reporting. The team has fully customized the platform to meet its needs, complete with custom report types and red teaming, and even uses Cyver Core to deliver on-demand vulnerability scanning.
“Cyver Core is the central cog in our mechanism, it drives our Jira work, we replaced our file sharing portal. We’ve also done some unconventional things with the platform. For example, we use it for ISO auditing and red teaming – we want it to be the one thing we use to generate our report – no matter what that report is.”
Those customizations include integrations with other software:
“The ongoing projects feature allows us to offer on-demand vulnerability scanning. We have backend code that checks if the client has requested a test – if it’s a vulnerability test, the code grabs the scope from the platform and simply runs it. So long as it’s a predefined scope, that takes a load of work off us.”
Collaboration is also a key part of how Hedgehog Security uses Cyver Core. Its high volume means every pentester is assigned to the same pentest – with tasks split up based on specializations and availability.
“We usually have at least two pentests going on at any one time, but everyone is working on those pentests, so we split tasks up inside of Cyver Core using the assigned tasks features. Those checklists and features allow for more collaborative work.”
“We use Cyver Core for the majority of reporting, pentest management, and client communication. It’s just working and we don’t have any challenges at the moment. And, we’re using everything but the calendar, which we’re still driving from Jira”.
Introducing Pentest-as-a-Service
Hedgehog Security is firmly in favor of Pentest-as-a-Service. The team is moving towards a collaborative approach to pentesting, as well as vulnerability remediation, which blends well with its other services, SOC and cybersecurity consultancy.
“Traditionally, getting a pentest means engaging with a pentest firm, having a scoping meeting, waiting, the pentest happens, they get a report, they have to read it and break it down. Most of them expect this. We’re trying to break that process of just getting a report and reading it – we’re inviting people to join us on the journey, to make pentesting more collaborative.”
“Of course, that’s not always easy. Clients don’t understand ‘I can log into the platform to see what the pentester is doing and understand what’s happening.’ Not all of our clients see a need for a pentest portal – we have a thirty-minute onboarding session with each new client, showing them how to use it, and that’s always a challenge because a lot of our clients aren’t used to having a portal. Of course, we also don’t advertise as having it.”
“Of course, when that changes, it’s very good. Recently we had a client have a lightbulb moment and they just started requesting retests, accepting vulnerabilities, and actually tracking vulnerabilities.”
Optimizing Pentest Report Generation
Hedgehog Security customized its templates and report settings when onboarding to the platform. They’ve also made some tweaks since then. However, they now run everything with seamless automation.
“Before Cyver, reporting would take us up to three days. They used to take us so long. We’d list all the evidence, all the attack chains, etc., for every vulnerability, that took so much time.”
“Now, Cyver automates it all for us. You should see our reports, they’re beautiful, they’re curated, they have graphics and risk tables – and we spend less than thirty minutes on them. We normally sit down at 4 PM on the end-day of a pentest, look at the pentest, justify the findings, show the replication path, and prove findings are real and not false positives – then thirty minutes later we publish the report.”
“Of course, that relies on the pre-canned stuff we have ready. Cyver’s vulnerability database also means we can store all the vulns and don’t have to go rewriting that, it saves a lot of time. Initially we also asked for a lot of customizations to the report. Now, we push a button and everything is exactly what we want. If pentesters squared everything away properly, it’s no time at all”.
Pentest Management with Cyver Core
Hedgehog Security runs a large volume of pentests with a small team. They achieve this by splitting work, collaborating on tasks, and using pentest management to reduce workloads.
“Our office manager takes about half an hour to set up a new pentest in the platform – most of the work is working out who is the lead pentester and who is the lead reviewer. We have all the other information – scope, client contact details, etc., in the platform, so everything else is easy. It’s also easier for the client, because they can see who their lead tester is etc.”
“Cyver Core makes it possible to run pentests at this volume, we’d be a lot slower without it. On average, we’d be 3-4 days slower – which is saying something considering our average pentest is 5 days. It used to be 5 days of pentesting and 3 days of reporting – but now we’re reporting as we go.”
“Cyver Core allows us to be smaller, leaner, more agile, it just makes things simpler and quicker”.
Looking Forward
“We want to further our Pentest-as-a-Service deliverables. For example, we’d like to sell pentesting in the portal, so the client can buy X amount of pentesting, and then their developers or so on can request that pentesting. We’re hoping Cyver Core implements that in the future.”
“We constantly put in feature requests and bug reports. The fact that the Cyver Core team listens, and those changes constantly happen makes a big difference.”
“Cyver Core allows us to be smaller, leaner, more agile, it just makes things simpler and quicker”. – Peter Bassill