Most pentesters work in a role synonymous with “Cybersecurity consultant”. In fact, many organizations hire them as such. However, that consultant role typically only reflects a small part of what pentesters do. They work with organizations on a one-off basis, in an external role.
Unlike, say, an operational excellence consultant, we normally only report problems. Where the true consultant would assess problems, report them, and then help to create a plan for mitigation and improvement – the pentester normally assesses problems and reports them. That’s a far cry from internal pentest and security teams, and from scanners that sometimes integrate directly into the software to suggest configuration fixes.
Of course, many pentesters still write up fix advice. Most of us maintain extensive vulnerability libraries which often include configuration and problem-origin data. Yet, developers and security teams rarely see that data in time to immediately resolve the issue.
Stepping up to fill the role of a consultant, delivering more than just a pentest report, and using modern tooling to integrate more closely into client teams will help you to deliver a better service, build more loyal clients, and grow your pentest firm by delivering value well above and beyond scanners and automation tooling.
Why Offer Consultancy?
The end goal of many pentesters is to improve the security of their clients. For some, that end goal might be to pass compliance audits. But, most of us actually want our clients to be and to stay secure. Not only does that say good things about our skills as pentesters, but it also creates happy and loyal customers.
The thing is, it doesn’t matter how many vulnerabilities you find. Gartner reports that, when pentest vulnerability findings are delivered as a PDF report, just 28% of them are ever remediated. That’s unacceptable, considering the significant rise in cybersecurity risk.
Of course, many developer and compliance teams are choosing to look for workarounds. Vulnerability scanners are a common part of many teams’ toolchains. And, these scanners work well with how Agile teams need work delivered. The scanner flags an item and delivers it with prioritization, remediation data (where available), and data from a vulnerability library. Some even go so far as to fix items directly or to offer step-by-step guides, e.g. Google Cloud’s Web Security Scanner. You’ll never replace those scanners, but with some tweaks to ensure that the work you deliver is more valuable than their output, they will never replace you either.
To understand why else you’d want to deliver cybersecurity consultancy alongside pentesting, let’s go over what that means in practice:
Adding on Cybersecurity Consultancy
Most pentests are one-touch affairs. You interact with the client, usually in a rush because they’ve left the pentest till the last minute, scope assets, and then conduct the pentest. You spend a day or eight building a report, deliver it to them, and except for the invoice, likely never hear from them again (or at least not this year).
Moving to a consultancy role doesn’t change how you pentest. It does, however, change how you deliver, and the type of service you deliver after you finish the pentest.
Findings as Tickets – Most modern teams run Agile. Some sources say that as many as 92% of new teams are Agile. That means it’s important to distribute work directly to teams. No one has a top-down manager to break down work and hand it out. Yet, pentest reports require exactly that. Delivering work with pentest-as-a-service platforms enables you to automatically import findings from your tooling and then build tickets using data from your vulnerability library and some small tweaks.
For example, in Cyver Core, you can batch import or manually add findings. The platform pulls from your vulnerability library to add data. Then, you go through each finding to set data like proof of finding, tips to help the developer resolve the issue, and a CVSS score. When you publish it, relevant client teams automatically see it and can immediately roll it into the next sprint. That makes remediation much faster. It also puts ownership of the vulnerability directly in the hands of the people who have ownership of the asset. And, of course, you can easily automate reporting and deliver traditional PDF reports as well.
Collaboration – Most pentesters have little contact with the teams that built the software, maintain the server, etc. Changing that allows you to deliver better service. For example, you can answer questions after delivering vulnerability findings. That can help developers to quickly find and remediate the issue. You can also point out areas of weakness, offer items that might pose a risk but aren’t necessarily “vulnerabilities”, and otherwise discuss the pentest and the assets with stakeholders. Essentially, you function as a real consultant.
Retesting – Retesting adds more work to the pentest, which means more money for you. But, it also means ensuring that findings are remediated. If you can get clients to work with you on the basis of “find vulnerabilities, remediate them, retest”, you can ensure they’ve secured their environment. Eventually, they will be significantly more secure.
Rescheduling – One-off pentests are never enough to ensure security. Rescheduling a new pentest as part of the current one means you’ll be ready to check the client’s assets periodically, when they release large updates to the asset, or otherwise when it becomes important. That means they stay secure, and you increase the number of pentests you do per client.
Integrating into Teams with Pentest-as-a-Service
Deliverables like “Findings as tickets” and “one-on-one communication with devs” aren’t really possible using email, PDFs, and non-pentest-oriented work management platforms. Pentest-as-a-Service, which combines pentester-facing pentest management and client-facing pentest delivery, bridges your need for automation and work management and the client’s need for communication and collaboration.
- Clients see vulnerability findings as they come in
- Relevant teams get alerts and can collaborate on finding a fix
- Dev teams get more control over asking for pentests, asking questions, and asking for retests
- Scheduling is built-in, so you get more control over your pentest calendar, and more business from the same clients
- Clients are more likely to work with the same pentester over time, so you become familiar with the environment. This means stepping up from a blank black-box test to one that you can scale over time to successively harden the environment
Moving Forward
Pentesting has changed a lot since the Tiger Teams of the 1960s. Today, it’s changing even more. New technologies like scanners, new vulnerability assessments like red teaming, and increasing levels of cybersecurity risks are pushing the industry to change, and rapidly.
At Cyver, we believe the answer is Pentest-as-a-Service. Using automation to reduce the time we spend on manual work frees that time up to deliver value and insight as consultants. And, delivering findings as tickets shortens the time it takes teams to remediate. We add to that by offering metrics and data like “Time to Fix”, “Vulnerability Distributions”, and “CVSS score mapping” to your clients.
If you want to know more about our pentest-as-a-service platform, Cyver Core, visit “How it Works”. Or, schedule a demo to see it in action.