Teri Radichel

Summary

Teri Radichel of 2nd Sight Lab outlines the comprehensive nature of a penetration test proposal, emphasizing the distinction between penetration testing and vulnerability scanning, and the value of automation when combined with manual effort for efficient and thorough security assessments.

Abstract

The article presents an insightful look into the proposal process for penetration testing services offered by 2nd Sight Lab, led by Teri Radichel. It clarifies the misconception that vulnerability scans are equivalent to penetration tests, highlighting the necessity for manual verification and analysis in a penetration test. Radichel shares her straightforward proposal approach, which is designed to facilitate quick decision-making for potential clients by providing clear information on services, qualifications, and pricing. The use of automation is discussed as a tool to enhance the efficiency of the reporting process, allowing more time to be spent on complex testing and analysis. Additionally, 2nd Sight Lab offers a separate service for basic vulnerability scans for clients with limited budgets. The article concludes with an invitation for interested parties to reach out for a detailed penetration test proposal or to engage with Teri Radichel's expertise in cybersecurity.

Opinions

  • Radichel values the trust of former clients who seek her services again, viewing it as a testament to the quality of her work.
  • She believes that the format of a proposal (document or slide deck) should be consistent with what a client has previously received, even if she cannot recall the specific reasons for using different formats.
  • The article expresses that the likelihood of a proposal being accepted is not significantly influenced by the amount of time spent on it, as clients either value the services offered or they do not, based on budget, qualifications, and approach.
  • Radichel advocates for the use of automation in report generation to save time on repetitive tasks, which can then be allocated to more critical aspects of penetration testing such as reverse engineering and manual testing.
  • She criticizes the practice of some providers who misrepresent basic vulnerability scans as comprehensive penetration tests, especially when compliance requirements demand more thorough assessments.
  • The author emphasizes the importance of manual effort in verifying automated findings, ensuring that the final report is accurate and actionable.
  • Radichel offers a distinct service for vulnerability scans, clearly delineating it from a full penetration test by setting expectations on the level of analysis and recommendations provided.
  • She acknowledges the potential usefulness of vulnerability scans for organizations with limited resources or those new to security testing, as a starting point for improving their security posture.

Penetration Test Proposal

What to expect from a penetration test or security assessment proposal from 2nd Sight Lab


I didn’t get a chance to do a lot of coding or writing this week because suddenly I had to put out a lot of proposals all at once. I was especially happy that some former clients wanted to hire me again. It is a special honor to know someone appreciates your work so much that they want to hire you again.

A penetration test proposal

As I was writing proposals for clients I noticed I had created some proposals in different ways in the past. I sometimes write documents and sometimes slide decks. I don’t remember why I do this differently in some cases, but if I provided one or the other for a client in the past I tend to stick with that format.

I am going to share my slide deck proposal in this story with the blanks I would fill in if you request a proposal from me. If you like it, you can reach out to me on LinkedIn to get a proposal for your next penetration test. A proposal for a security assessment would be very similar. I send the proposal and the contract together. The contract must be signed by a C-Level executive.

Why am I sharing this? Because my proposal process is really straightforward, and I hope it makes it easy for people to decide whether they want to hire 2nd Sight Lab or not. I don’t have a lot of variation in my proposals at the moment. This could change depending on how busy I am and how my 2nd Sight Lab services change in the future. So this is a snapshot of a proposal at this moment in time.

I spend very little time trying to close sales because first of all I’m busy. So are my clients.

Secondly, I have found over the years that spending a ton of time on a proposal doesn’t increase or decrease the likelihood it will be signed. Here is what I have learned:

  • Either people want my services as I offer them or they don’t.
  • My price is within their budget or it’s not.
  • They like my qualifications or they don’t.
  • They like my approach or they do not.

I try to present the information for them as succinctly and quickly as possible so they can make a decision. I limit time going back and forth by providing everything a customer needs to make a decision at one time — the proposal and the contract — rather than sending a lot of emails back and forth. I can easily adjust the proposal if needed after that point.

I’ll share my slide deck with you but first, let’s clarify one thing.

A penetration test is not a vulnerability scan

A penetration test or a security assessment is not simply a vulnerability scan where I run a tool, it generates some information, and I hand it over. Some people try to pass off that kind of scan as a penetration test. Some auditors may accept that, but others will not if you are trying to obtain compliance. I talked to a company whose auditor rejected the scan report they were trying to pass off as a penetration test while working toward SOC 2. Some less experienced auditors may not know the difference.

Automation can be used to produce a good report — faster

Although a vulnerability scan is not a penetration test, the flip side is also true: a generated report does not mean the work was not a pentest. This is where some old-school penetration testers like to point fingers and say any automation whatsoever is bad. That’s not true.

Because I have a background in software engineering I automate some of the things I do repeatedly on every single penetration test report. There’s no sense in me re-writing the same information over and over again or spending a million hours on formatting a document when I could be spending more time reverse engineering and manually testing systems for logic errors.

If you look at my report it may seem automated at first, and it partially is. I automate generation of the initial findings and layout. Then I go through and try to validate each finding, dive deeper, and remove findings that are false positives. I add steps to reproduce critical findings with manual screenshots and explanations where applicable. I manually review as many findings as possible. I insert manual test findings into my data — and regenerate the report.

If I didn’t have enough time to review every single finding, I don’t exclude it from the report. I note which findings need time to review. I also note where I couldn’t prove something was exploitable but I think it is and why. In addition, I include non-security bugs in the appendix — caused by entry of malformed data or other things I did while testing.

Automation speeds up the busy work so I have more time for the complicated work of trying to exploit, explain, reproduce with specific steps, or eliminate findings that don’t matter.

I also combine the results of multiple tools, including some I’ve written myself, and findings discovered through manual testing and reverse-engineering.
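The workflow described in the last few paragraphs, as an added example that is not 2nd Sight Lab's own tooling: findings from two hypothetical scanners are merged on host and title, a manual review record attaches a verdict to each one, manual findings are added to the same data, and the report sections are regenerated from the result. The scanner names, host and findings are all constructed.

```python
"""Merge scanner and manual findings, then regenerate report sections (added example; all data constructed)."""
TOOL_A = [  # constructed output from a hypothetical scanner, normalized to one shape
    {"id": "A-1", "title": "TLS 1.0 enabled", "host": "app.example.test", "severity": "medium"},
    {"id": "A-2", "title": "Verbose server banner", "host": "app.example.test", "severity": "low"},
]
TOOL_B = [  # a second hypothetical scanner reporting an overlapping finding
    {"id": "B-7", "title": "TLS 1.0 enabled", "host": "app.example.test", "severity": "medium"},
    {"id": "B-9", "title": "Session cookie without HttpOnly", "host": "app.example.test", "severity": "low"},
]
# Manual review record (constructed), keyed the same way as key() below.
REVIEW = {
    ("app.example.test", "tls 1.0 enabled"): {"status": "validated", "repro": "steps in screenshot 3"},
    ("app.example.test", "verbose server banner"): {"status": "false_positive", "note": "banner is a decoy"},
}
# Findings from manual testing and reverse engineering (constructed); "kind": "bug" marks a non-security bug.
MANUAL = [
    {"title": "Negative quantity accepted at checkout", "host": "app.example.test", "severity": "high",
     "status": "suspected", "note": "order total goes negative; payment step not exercised"},
    {"title": "HTTP 500 on 5 MB username", "host": "app.example.test", "kind": "bug"},
]

def key(f):  # dedupe key: same host and same (case-insensitive) title count as one finding
    return (f["host"], f["title"].strip().lower())

def merge(tools, manual, review):
    """Combine scanner findings across tools, attach review status, then add manual findings."""
    merged = {}  # dicts keep insertion order, so the report order is stable across regenerations
    for tool, findings in tools.items():
        for f in findings:
            entry = merged.setdefault(key(f), {**f, "sources": [], "status": "needs_review"})
            entry["sources"].append(f"{tool}:{f['id']}")  # record every tool that reported it
            entry.update(review.get(key(f), {}))          # manual verdict overrides the default
    for f in manual:
        merged.setdefault(key(f), {"status": "validated", "sources": ["manual"], **f})
    return list(merged.values())

def report_sections(findings):
    """Sort merged findings into the sections the report is generated from."""
    sections = {"findings": [], "needs_review": [], "suspected": [], "excluded": [], "appendix_bugs": []}
    for f in findings:
        if f.get("kind") == "bug":                 # non-security bug found while testing: appendix
            sections["appendix_bugs"].append(f)
        elif f["status"] == "false_positive":      # dropped from the report body, kept in the data
            sections["excluded"].append(f)
        elif f["status"] == "suspected":           # could not prove exploitable; the note says why
            sections["suspected"].append(f)
        elif f["status"] == "validated":
            sections["findings"].append(f)
        else:                                      # no time to review: still reported, flagged as such
            sections["needs_review"].append(f)
    return sections
```

Re-running `report_sections(merge(...))` after editing REVIEW or MANUAL is the "regenerate the report" step; nothing is retyped.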

So if someone looks at the report and says, “It’s automated so it’s bad” — then they really don’t understand what the findings mean. If they did, they would understand that the information was not all created by some scanning tool.

I had intended to cover that in my talk at RSA this year. However my talk was only selected as an alternate this year and now I can’t go as I’m too busy. I might produce a video on it anyway as I think there are some misconceptions in this area. Automation is not bad. Automation without any form of manual effort and verification is not a very good penetration test.

Vulnerability scans as a service

To highlight the difference, I am now offering vulnerability scans as a service. Here’s how that works.

You choose one thing you want me to scan:

  • One web environment like Azure, GCP, or AWS.
  • One web application.
  • One IP range (network).

I will run one scanning tool on that environment, application or IP range. My tool will generate a report. I will give you that report without doing anything special to it besides perhaps putting my company logo at the top. It will cost $1500 payable up front (at the moment — if I get too busy, that price might go up). I hand you the report. We’re done.

Here’s what I won’t do for that price. I won’t explain the report to you. I won’t analyze the findings. I won’t make my own personal recommendations on how you can change your process or architecture to better prevent these types of findings. I won’t try to exploit the systems and demonstrate how they can harm your business or lead to a data breach. If you need additional services you can hire me at hourly rates after that point.

Are vulnerability scans bad? No! It’s a place to get started if you have a very low budget and you can’t afford the tools or learn how to use them. Some of them cost more than what I am charging, and using the out-of-the-box configuration might not actually work or go deep enough to be useful. A report can give you an idea where you stand and what you need to start fixing. It may be a cost-effective way to fix some basic problems so you will get more value out of a penetration test or assessment later.

I wrote about that here:

A penetration test proposal

To show the difference, I’ll share a simple penetration test proposal — for customers who are OK with this format. I can provide this in a document format instead of a slide deck if required. As you can see from this proposal I’m doing a lot more than what is described as a vulnerability scan. I was fiddling with this and I’m in a hurry so I need to re-check it for any spelling or formatting errors. Just wanted to get it out there.

If this proposal interests you and you would like a penetration test, please reach out on LinkedIn using the link below. Note that we only perform penetration tests for US companies at this time, with a few exceptions for people I know personally. If you would like a longer document-style proposal I can do that too. I’m getting pretty busy this year already, so if you want to get on my schedule, sooner is better than later.


Teri Radichel | © 2nd Sight Lab 2024

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab