“Hi, my name is John Doe.”
“Hi John.”
“I work for company X. We are currently planning a penetration test for company Y and need some good pentesters for this. Are you interested?”
“Well, sure. So you want RedTeam Pentesting to conduct a pentest for your client?”
“No, we just need one of your pentesters. He’ll be working under our company’s name for the time.”
The above conversation, though not in the exact same words, happened more than once in the past years, with different companies. Some of those companies were even advertising penetration tests as one of their key competences. Which brings me to the topic of this blog post: Pentesting as a “me too” business.
It seems that a lot of IT companies are jumping on the IT security bandwagon nowadays, offering a variety of related services (pentesting being one of them). The problem is that IT security and pentesting are not something you learn in two weeks by booking a “Writing Exploits for Beginners” class. That is why, most of the time, what you get is the output of some automated scanner like Nessus, maybe with a custom document layout. This, of course, is not a pentest at all.
Those who at least realise that they lack the necessary skills to do a pentest on their own will go and hire somebody for the project, which results in phone calls like the one above. This makes sense from a business point of view and is common practice in other lines of business. But a good pentest requires more.
First of all, a company specialised in pentests like us will hardly let its pentesters do their work in somebody else’s name. That is simply bad for our own business, despite the quick bucks we could make. But besides this obvious point, the main reason is that a pentest is more than just hacking away at somebody’s network or product. There are preliminary talks, to get an impression of the client’s needs and to help them plan a pentest that makes sense for them. You want to determine the threat potentials, the scope of the test, an estimate of the time frame needed, etc. This is followed by the actual test. After the test, the follow-up work starts. In addition to the documentation we write, we always give a final presentation of the results, demonstrating whatever we found, for example. There is also the point that we always do a pentest in a team of at least 3 pentesters, because we are convinced that teamwork leads to better results in the end (I guess I should elaborate on this in another blog post sometime). And these items are just off the top of my head and are certainly incomplete.
A pentest, at least for us, is therefore more than an individual pentester doing the technical work. “Just” hiring somebody for the job after you have sold your client a pentest, without having any expert knowledge in this area yourself, will in all likelihood result in something subpar, even if the person you hired is capable.