Pentest management tooling is work management specifically built around pentesting and cybersecurity. At Cyver Core, that means using project management, client management, pentest pipelines, vulnerability libraries, and team management tooling in combination with automation and import tools to simplify how you plan, manage, and deliver pentests.
Of course, getting started with pentest management does require setup. You’ll have to invest time into creating project/pentest templates, into onboarding teams, and into building the processes where you start using the platform and its workflows. All of that can take some time, including internal change management if you’re onboarding a team.
Discuss Pentest-as-a-Service and Pentest Management
The first step to getting started with pentest management is taking time to discuss it with stakeholders. In most cases, this means both existing clients and any existing staff or colleagues who would be impacted. Opting into pentest management changes everything for the client, so that’s the best place to start.
With pentest management you:
- Start, manage, and track pentests via the platform
- Allow clients to request new pentests based on templates or their previous pentest
- Deliver pentest reports in the cloud, with both a traditional report and with findings as tickets
- Deliver vulnerability metrics in a dashboard, where clients can log in to see them
- Use a cloud portal with secure login rather than email
So, you’ll have to talk to clients about adopting a new delivery methodology to see if they are willing to use the new method. In most cases, you’ll offer more value for the same money and the same or less effort, which means it’s largely a perk for the client.
You’ll also have to get buy-in from pentesters/hackers/red teamers working on projects with you. Shifting to pentest management doesn’t change much about how you actually complete pentests. However, it does change a lot about how you plan, assign, and track pentest deliverables.
- You manage upcoming pentests in the platform, via a calendar and Kanban board
- Projects are created in the platform and are updated based on status, with a checklist of tasks per status.
- You assign work out across teams by assigning a team and a lead pentester to the project. Those people are responsible for those specific tasks, which can be assigned out. So, pentesters have to track work inside the platform and share when they complete the tasks. Of course, tasks and checklists associated with pentests are completely customizable.
- The vulnerability library is moved into the platform, reducing the need to copy-paste data from project to project. Vulnerability findings have to be imported from relevant tooling or can be set up manually.
- Pentests are created based on pentest templates for the client, with the scope, access data, timelines, etc., mapped out. Therefore, all access data is in the platform.
- The report is created in the platform using a modular template, which can be customized per client.
Essentially, a large part of pentest management means changing how you track, manage tasks, and report findings to the client. That can require significant shifts in mindset and work process from pentesters and you need buy-in before you’ll see value from it.
Setting Up the Platform
If you want to see value from a pentest management platform like Cyver Core, setup is crucial. Why? If you don’t have templates and information in the platform, it won’t provide value. In the case of Cyver Core, we recommend the following process:
- Brand your interface
- Onboard pentest teams by inviting relevant people to the platform, introducing them to the portal, and ensuring they know how to use it. This also includes setting up teams, assigning lead pentesters, etc.
- Set up compliance norms, using either Cyver Core’s default templates or by customizing them or building your own
- Set up report templates, either using Cyver Core’s default template or by uploading and modifying your own. You can customize this per client later.
- Set up a basic pentest template or use Cyver’s. You’ll modify per client later
- Check how the import process works with a demo project and familiarize yourself with vulnerability imports, report editing, report generation, etc.
- Onboard clients and set up pentest templates and report templates per client
Ultimately, the more time you spend on setup, the easier it will be to automate processes like adding vulnerabilities to reports, setting up new pentests, and generating new pentest reports for clients. If you’d like help with that, or if you’d like to see the Cyver Core platform in action, schedule a demo.