Are you getting value from your penetration test?

23rd February 2021 Brigantia

Penetration testing (pen testing) is considered a “must” for any size of organisation. Cyber attacks are becoming more complex, and new forms of attack are discovered every day. Whilst most SMBs will still only consider pen testing when they are asked to do so as part of a compliance audit, you should always consider how much value you will actually gain from a one-off report.

When businesses request pen testing services, they are typically faced with a large cost, and budget restrictions often put them off running these checks more frequently. They struggle to see much value in the report they receive, as it is essentially a vulnerability scan from which a small amount of human intervention has removed the false positives. However, they must provide something for compliance, and therefore the report becomes essential.

You should consider whether you need pen testing, or whether your requirements can be covered by automated vulnerability checking. The differences between pen testing and vulnerability scanning could save you time and money, and offer much more value to your business.

Pen testing vs automated vulnerability scanning

Vulnerability scanning (Vulnerability Assessment) is a process that uses automated tools to scan your network and website for known vulnerabilities or loopholes. A scan report will rank any vulnerabilities discovered by severity: Critical; High; Medium; Low; and Informational. This helps you address and fix the highest priority issues quickly. Critical, high and medium issues indicate that a system could be exploited at any time, and that the exploitation can be carried out relatively easily by even the most novice cybercriminal.

Vulnerability assessments should be done regularly to ensure remedial work is undertaken before cybercriminals have a chance to exploit your points of weakness. Regular vulnerability scans are automated and designed to be “light touch” on your network, and when performed and remediated regularly, they ensure there is no easy way into your network for a cybercriminal.

Pen testing (also known as ethical hacking) is a technical test that goes beyond scanning for vulnerabilities. It is a chance for business owners to see their technology and security systems the way a cybercriminal would see them, and it will show how an attacker could infiltrate their systems and exploit them. Pen testers will attempt to exploit the company’s cybersecurity vulnerabilities, aiming to provide an example of a real-world attack. The most important thing to consider when a pen test is completed is making sense of the findings, and asking whether you are seeing issues that could have been prevented before hiring a skilled pen tester. Addressing any known vulnerabilities using automated tools is a must before spending a lot of money hiring a skilled professional to essentially do the same thing.

To Summarise

Regularly checking your network and applications for vulnerabilities offers a huge amount of value to businesses of all sizes. It not only prevents your business from being an easy target, but also shows and proves to an auditor that you are in control of securing your network and meeting your compliance requirements.

Bluedog’s automated Vulnerability Assessment and Pen Testing (VAPT) service is a very cost-effective option that saves both time and money. Bluedog’s team of security specialists review the automated reports to ensure that any false positives are removed, allowing you to prioritise fixing the right vulnerabilities quickly. With this service, the pen testing element is only brought into play when it is required, with the bulk of the work being carried out by the more cost-effective automated vulnerability checking.

Sean O’Neill
Bluedog Product Specialist

About the author

Chris Speight: