Scope creep affects most pentest projects. No matter how clearly you define the pentest goals, clients will generally find something to add to the scope, your own team will want to spend a bit more time on something, and it all adds up. Shifting goals and targets impede efficient and cost-effective pentesting, resulting in large projects that spin out of control for both the pentest team and the client.
Preventing pentest scope creep means using good pentest management, checking in with the client frequently, and having processes in place so that clients always know what is being tested and when. With Cyver Core, that is integrated into the platform: you stay on top of the scope and any changes to it, and you can easily schedule new pentests to assess new targets.
Let’s take a look at how Cyver Core helps you prevent scope creep and keep it under control across all your pentest projects.
Manage Assets in the Pentest Platform
When you onboard a client to Cyver Core, you ask them to upload their assets to the platform. That means the client has to consider their assets, map them, and then add them to the platform one by one, so your project starts off based on pre-mapped targets from the outset. You can, of course, continue to hold calls and consult with the client to help them work out which assets they want and need tested. Either way, those assets are mapped and added to the platform, complete with access details and everything else you need. If something is missing and you think it should be included, you can communicate that to the client and ask for an update.
Set and Share Scoping with the Team
Once assets are in the platform, you can add them to a project, alongside methodology, checklists, and other scoping data. If you’re using Cyver Core’s quote module, you can directly send that to the client as a proposal, which they can sign off on.
In addition, that scoping data is directly visible to both your pentest team and the client team on the project page. By clicking the “Scope” tab, anyone can see which assets are in scope and what the goals of the pentest are. Everything is set in advance, with links to the specific assets and their access information.
Communicate On Affected Assets and Projects
Clients can add comments and communicate directly with the pentesters working on their project, via the relevant asset or the project itself. This means that if an asset was missed during scoping, the client team can let you know. It also means that, once a vulnerability has been uploaded, your team and the client can discuss whether it is worth following through and attempting to exploit it.
When stakeholders are involved from the start, can see every asset being tested, and can see the methodology for each one, they have time to consider whether the scope is sufficient, whether changes are needed, and whether the pentest meets the goals of the assignment. The result is earlier and better communication, and you can collaborate with the requesting team to meet the actual goals of the test.
Use Quotes for Direct Sign-Off on Changes
Sometimes your original pentest scope won’t be enough to meet the goals of the pentest. That may mean adding to the scope or changing it, sometimes after work is already underway. If you’re using Cyver Core’s quote module, you can send a new proposal, request a new signature, and get sign-off on the changes to the work and the value of the revised pentest before starting any additional work.
With changes to the original scope documented and incorporated into the price as standard practice, you’ll find it easier to keep pentests on track and to ensure the rate remains fair for what is actually being tested.
Deliver Ongoing Pentests for New Issues
Often, when new targets come up during a pentest, the ideal is to move them into a separate pentest scheduled after the current one. With Cyver Core, you can easily set up the same pentest again, but on the new assets added by the client. That makes it straightforward to offer a new test for scope changes, so your current pentest can still be delivered on time.
Scope creep can mean that a simple pentest project takes much longer, costs more than it should, or goes far beyond what was originally discussed. Pentest management makes it easier to see and track changes, to collaborate with client teams to ensure the test is meeting expectations, and to document change requests so they can either be incorporated into the existing pentest or rolled into the next one.
If you’d like to see a demo, contact us to get started!