Job Security

A new customer, about some experiences with other companies:

“Well, sometimes they find five vulnerabilities and report only four, so they have something ready for the next time.”

This is something that always bothers me: the attitude that a pentest is only successful if you can show new vulnerabilities. If we test a system a second time and the vulnerabilities we found in the first test are fixed, and the customer additionally didn’t repeat the same mistakes elsewhere (or fixed them in all other places as well), I consider our job well done. My interest doesn’t lie in successfully exploiting my client to show what a 1337 h4X0r I am, but in increasing their security level by showing them the problem, explaining it in detail and thus enabling them to avoid making the same mistake in the future. Although, the greatest satisfaction lies in combining those two :).

Of course, if you work with someone for the first time, that first test is always difficult, because the customer can’t yet know whether they get what they pay for. It’s hard to tell if the new pentesters didn’t find anything (or only a few weaknesses) because your security is top notch, or because they’re just not good enough. But in a retest, the customer has already worked with you and knows that you do a decent job (hopefully ;)).

Also, normally there are always some new vulnerabilities to find. IT systems simply change too fast not to pick up some new attack vectors by the next time you test. There’s also the fact that no system is ever 100% secure; what rises over time is only the effort required to exploit it successfully. So the more time you spend with a system, the more intimate your knowledge of it becomes and the more potential security flaws you find.
