For most organizations, reaching out to pentesters is an ad-hoc process, or something that’s done when and as regulatory compliance requires it. For most, the process means onboarding with a pentester or a small pentest team to assess assets over a defined period, with a set scope – but with little other insight into the process. Most pentesters follow a defined methodology such as NIST or PTES, but that on its own tells most organizations very little.
As a result, clients don’t know what’s checked or why, often have no clear way to see or trace quality, and no clear way to get oversight of the full project. At the same time, organizations are increasingly security-oriented and increasingly in need of clear, reliable, and consistent communication about their security and vulnerabilities.
Bridging that gap often means making a shift towards pentest management software, which enables automation and clear progression tracking – without adding to pentester workloads. That creates a clear business case for using pentest management portals to onboard and manage clients but also to share data with clients throughout the pentest, rather than solely at the point of the report.
In this case, we’ll use our own software, Cyver Core, as an example:
Planned Stages and Phases
Cyver Core delivers pentest frameworks consisting of phases, with defined steps and actions per phase. When you onboard a client, you and the client receive a checklist of next steps, ensuring that everyone always knows exactly what to do next, who is responsible for it, and when they’re waiting on something or someone else.
When you start a pentest, for instance, the client sees a clear list of next steps, each linked to who’s responsible. For example:
- Invite team
- Define pentest scope
- Let the pentest team know you’re ready to go
- Onboard pentesters to the project
- Review scope
That simple addition of clarity of process and of next steps can do a lot to ensure that the client knows what’s happening, when, and why.
Repeatable and Predictable Work
Cyver Core also uses a combination of visible processes and standards to ensure that clients can easily request pentests and request repeat work. The software achieves this using templates with set scope, methodology, compliance requirements, etc.
Then, when the client wants a new pentest performed to the same standards as the old one, they can simply click one button to send the request to the pentester. That’s repeatable across however many assets or pentest types the client needs – and it’s easy to tweak and update the specific pentest each time in case you need a change of scope.
That makes it easy for clients to request new work without a large time investment each time, for the pentester to see what needs to be done based on the previous scope, and for teams to work together smoothly without needing a new onboarding meeting per pentest.
Transparent Quality Standards
Cyver Core allows you to set pentest checklists per compliance norm, per methodology, and per pentest. Depending on the client, you can build a custom checklist per client – allowing you to easily track progress, to meet the client’s specific pentest needs, and to transparently share what’s being tested and why. While the checklists aren’t visible to the client by default, you can easily publish them or share what’s being checked from that checklist, without having to create a separate manual list.
Of course, checklists also allow you to better track work from your side as well, making it easier to assign and trace responsibility, to see which person on your team completed which task, etc., which also means you’ll spend less time aligning on schedules and workloads.
Ultimately, good communication with your client enables you to build good relationships, to ensure the client has the information needed to remediate vulnerabilities, and to deliver reliable and predictable pentesting with a minimum of work on your side. Improving communication improves your relationship with the client, shifting pentesting away from an ad-hoc exercise to a reliable service that your clients can see, understand, and request on demand. That also makes it easier for the client to step away from siloed pentesting and towards continuous pentesting and better ongoing security.
If you’d like to learn more about how pentest software solutions like Cyver Core fit into your client management strategy, contact us for a demo.