For many pentesters, launching a pentest company is the next step after pentesting on your own, as a consultant or a freelancer. It’s also an opportunity to work with more diverse clients than simply taking on a role in an internal pentest team. The thing is, most pentest firms never grow beyond a few people on a team. This greatly limits your ability to scale and to grow a pentest business from a one-man team to a thriving business with the ability to take on even the largest of clients.
Taking that next step and truly scaling up normally means creating processes, implementing the tooling you need to scale pentests, and having oversight and insight into how, when, and why work is being performed. In this blog, we’ll cover the pentest tools that support overhead, management, and process – or the solutions you truly need to scale your business.
Process Automation
Good process is necessary to scale up any team. Without oversight into what teams are doing, you can’t implement quality control, guarantee what’s been checked, or offer transparency if something goes wrong. Implementing process means using standardized checks and repeatable processes, so every pentester on the team checks the same things by default. They should ideally use the same tooling, the same steps, and the same approach. And, if they see something outside of the norm, they can add it to the test, review it using their own methods, and record it on top of the standard checks.
Standardized processes are crucial to ensuring you can scale up across more teams. That becomes even more crucial as you scale out to pentests for specific compliance norms, because it becomes more important to ensure everything required for the compliance framework is checked.
Process automation means:
- Oversight into responsibilities and accountabilities
- A clear view of what work must be performed for which pentest
- A clear view of who performed the work, who signed off on it, and when
- A specific task-list of checks which you can share to the client when they ask what was checked
- A specific and replicable process for pentesting, which you can scale out across pentesters with the ability to have someone else step in to help or take over halfway through – because the process is always the same.
Report Generation and Automation
Reporting takes an average of 20-50% of the total pentest time, or 4-16 hours depending on the duration and complexity of the pentest. Of course, your exact experience may differ, but it does take up a significant amount of time. Unfortunately, most of that time expenditure is simple data entry: tasks like copy-pasting content from scanner and tool exports into a single document. Most importantly, that boring, repetitive work increases the risk of human error.
Automating the process by using import tools to automatically move pentest findings from tooling and scanners to your report can reduce that time expenditure by up to 75%. You’ll still have to sit down and write specific details about how you discovered the finding, how to replicate it, and what methodology was used, but you won’t have to manually move data from one platform to another.
That also ties into vulnerability libraries and management. It’s easy enough to write up common descriptions of findings, methodology used, and likely replication data. Doing so will save you hours of typing each time you have to build a pentest report. But, with tools like Cyver Core, the process is automated, and your vulnerability libraries can be automatically pulled into the finding import process – so you generate findings tickets with the maximum possible data.
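As an added illustration (not Cyver Core’s code, and not any real scanner’s export format), here is a small Python importer that does what the two paragraphs above describe: parse a constructed scanner export, drop duplicate hits, enrich each finding from a vulnerability library, and flag the fields the pentester still has to write by hand. The export shape, the library entries and the field names are all assumptions for the example.

```python
import json
from dataclasses import dataclass, field
# Constructed sample scanner export: a simplified, made-up JSON shape, not any real tool's format.
SCANNER_EXPORT = json.dumps({"findings": [
    {"plugin": "xss-reflected", "host": "app.example.test", "path": "/search?q=", "severity": "medium"},
    {"plugin": "tls-weak-cipher", "host": "app.example.test", "port": 443, "severity": "low"},
    {"plugin": "xss-reflected", "host": "app.example.test", "path": "/search?q=", "severity": "medium"},
    {"plugin": "plugin-9999", "host": "api.example.test", "severity": "high"},
]})
# Constructed vulnerability library: reusable write-ups keyed by scanner plugin id.
VULN_LIBRARY = {
    "xss-reflected": {"title": "Reflected Cross-Site Scripting", "cwe": "CWE-79",
                      "description": "User input is echoed into the page without output encoding.",
                      "remediation": "Apply context-aware output encoding and a Content Security Policy."},
    "tls-weak-cipher": {"title": "Weak TLS Cipher Suites Enabled", "cwe": "CWE-326",
                        "description": "The TLS endpoint accepts cipher suites considered weak.",
                        "remediation": "Restrict the server to modern cipher suites."},
}
# Fields the pentester must always write by hand; the importer only flags them as to-do items.
MANUAL_FIELDS = ("discovery_notes", "reproduction_steps", "methodology")
@dataclass
class FindingTicket:
    title: str
    severity: str
    affected: str
    cwe: str = ""
    description: str = ""
    remediation: str = ""
    needs_manual: list = field(default_factory=list)

def import_findings(export_json: str, library: dict) -> list:
    # Turn a scanner export into finding tickets: deduplicate, then enrich from the library.
    seen, tickets = set(), []
    for raw in json.loads(export_json)["findings"]:
        affected = raw["host"] + (f":{raw['port']}" if "port" in raw else "") + raw.get("path", "")
        key = (raw["plugin"], affected)
        if key in seen:  # the same check hitting the same asset twice is one finding, not two
            continue
        seen.add(key)
        entry = library.get(raw["plugin"], {})
        ticket = FindingTicket(title=entry.get("title", raw["plugin"]), severity=raw["severity"],
                               affected=affected, cwe=entry.get("cwe", ""),
                               description=entry.get("description", ""),
                               remediation=entry.get("remediation", ""))
        # Library gaps become explicit to-do items instead of silently empty report sections.
        ticket.needs_manual = [f for f in ("title", "description", "remediation") if f not in entry]
        ticket.needs_manual += list(MANUAL_FIELDS)
        tickets.append(ticket)
    return tickets
```

The `needs_manual` list is the point: the importer fills everything it can from the library, and what is left is exactly the discovery, reproduction and methodology detail the pentester still has to write.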
Pentest Management
Pentest management is the process of getting oversight of clients, pentests in the pipeline, and how work fits into schedules across your teams. At Cyver Core, we handle that using a multi-part approach.
Client Management – Clients onboard to the platform, meaning you can see who is in the pipeline at any given moment. Clients with open requests are visible in one place. That makes it easier to keep track of who is making requests. It also makes it easier to have a clear view of potential revenue, who you should be contacting, and whether you need more leads to achieve the kind of sales volume you want.
Pentest Management Automation – Pentests are created as templates, per client. When the client uploads their assets and access codes, that data stays in the platform. Their preferences, compliance requirements, and team stay in the platform. So, everything is in one place and you can easily see requirements. But, you can also simply copy the old pentest to quickly set up a new one, meeting the specifications and with all client assets in place. That can save hours each time you set up a new pentest – reducing overhead each time you repeat a pentest for a client.
Timelines/Calendars – Cyver Core uses a combination of timelines, calendars, and Kanban boards to create visibility across the pipeline. You can see what work is upcoming, who is responsible for it, and how it overlaps with other work. This makes it very easy to see when you can or can’t fit a new pentest into the pipeline, to understand how full your pipeline is, and to decide when you have to scale the team up or redistribute responsibilities.
Team Management – Good team management means assigning roles, assigning responsibilities, and seeing what each person is responsible for across the organization. With Cyver Core, you can set roles, assign specific tasks to individual pentesters, and assign full pentests to a lead pentester – while breaking tasks down between the team. That gives you better oversight into who is responsible for each task, who to turn to if something is late or if something goes wrong, and a better ability to gauge when you might have to scale the team up or down to meet current capacity.
Ultimately, pentesters often lack process and structure. While that allows you to rapidly respond to new requests and to quickly adapt to new work methodology, it also means it’s difficult or even impossible to scale. Without good, automated process in place, manual workloads eventually become too high.
If you want to learn more about pentest management platforms and automating those workloads, Cyver Core can help. Download our free whitepaper on pentest report automation or check our features to see how we specifically fill those gaps. Or, schedule a demo to discuss your organization’s specific needs.