8 June 2020

What to Consider When Choosing a Pentest Company


A penetration test is as critical for an organisation as it is uncertain and hard to plan from a manager's point of view. When choosing a pentest company to carry out a test tailored to your organisation, we advise you to pay attention to the points below.

Before engaging a penetration testing company, be deliberate about what you disclose regarding your organisational assets; the relationship has to be built on mutual trust. At the quotation stage, share only what the provider needs to scope and price the work, and keep details that would themselves be a security risk (network diagrams, credentials, internal hostnames) to a minimum. Before any such detail changes hands, sign an NDA so that you have legal recourse for any damage that may arise.

Pentest companies may, unfortunately, object to certain clauses in the NDA, relying instead on the trust-based nature of the relationship. Throughout this process you must still take every precaution to keep your organisation safe and to protect against any potential security risk.

Once the NDA with the company that will test your corporate network is signed, logging and recording every action the penetration testing firm takes on your systems both prevents misunderstandings and provides the evidence needed to pursue legal remedies if damage occurs.

What Should You Consider When Choosing a Pentest Company?

Regardless of the type of penetration test, the source IP addresses from which the pentest company will operate against your network must be defined in advance, and it should be stated in writing (in the NDA, and more usually in the rules of engagement or statement of work) that no testing may take place from any other address. With these addresses recorded you can tell which attacks on your assets, such as web or mobile applications, came from real attackers and which from the pentest company. Logging must therefore be confirmed as working before the engagement starts, must cover the whole test window, and the logs must be retained for the agreed period. Note that source-address attribution only works where your logs see the tester's real address: behind a CDN, load balancer or reverse proxy you must log the forwarded client address as well.
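The triage described above, as an added example that is not part of the original article: the declared tester range, the agreed test window and the access-log lines are all constructed for illustration (the addresses come from the RFC 5737 documentation ranges). Events from the declared range inside the window are attributed to the tester; events from that range outside the window are flagged as a breach of the agreed hours; everything else is treated as a real attacker.

```python
"""
Classify web-server access-log events against a pentest provider's declared
source addresses and the agreed test window.

Added example, not code from the original article. TESTER_RANGES, the window
and SAMPLE_LOG are assumptions constructed for this demonstration.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Assumed: the range the provider declared in the rules of engagement.
TESTER_RANGES = [ipaddress.ip_network("198.51.100.0/28")]

# Assumed: agreed low-traffic test window, in UTC.
WINDOW_START = datetime(2020, 6, 8, 22, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2020, 6, 9, 6, 0, tzinfo=timezone.utc)

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for a well-formed combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": ipaddress.ip_address(m.group("ip")),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def classify(event):
    """Attribute one event to the tester, to the tester outside hours, or to unknown."""
    from_tester = any(event["ip"] in net for net in TESTER_RANGES)
    in_window = WINDOW_START <= event["ts"] < WINDOW_END
    if from_tester and in_window:
        return "tester"
    if from_tester:
        # Declared address, but outside the agreed hours: raise with the provider.
        return "tester_out_of_window"
    # Not a declared address: treat as a real attacker and escalate to IR.
    return "unknown"


def triage(lines):
    """Bucket parsed events by attribution; malformed lines are skipped."""
    buckets = {"tester": [], "tester_out_of_window": [], "unknown": []}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        buckets[classify(event)].append(event)
    return buckets


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [08/Jun/2020:23:15:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "sqlmap/1.4"',
    '203.0.113.45 - - [08/Jun/2020:23:16:30 +0000] "GET /login?user=admin\'-- HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [09/Jun/2020:01:02:03 +0000] "POST /api/upload HTTP/1.1" 201 88 "-" "python-requests/2.23"',
    '198.51.100.7 - - [09/Jun/2020:09:40:11 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/7.68.0"',
    "this line is not in combined format",
]

if __name__ == "__main__":
    for bucket, events in triage(SAMPLE_LOG).items():
        print(bucket)
        for ev in events:
            print(f"  {ev['ip']}  {ev['ts'].isoformat()}  {ev['req']}  {ev['status']}")
```

The "unknown" bucket is the one to watch during an engagement: a genuine attacker who times their activity to coincide with the test would otherwise be lost in the tester's noise. A tester who switches to an undeclared exit address also lands in "unknown", which is exactly why item 7 in the list below (the addresses or servers the testers will use) must be complete before testing starts.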

You should first request the following information from the company that will conduct the penetration test on your organisation:

  1. CVs and prior experience of the penetration testing specialists who will conduct the pentest.
  2. Competency certificates of the specialist personnel who will carry out the penetration test.
  3. Previous references of the company that will conduct the penetration test.
  4. Sample penetration test reports and work samples from the company providing the pentest service.
  5. A description of the technical infrastructure and capacity limits you set for the test (for example scan rates and concurrency), with a commitment not to exceed them.
  6. Agreed testing windows (days and hours) chosen when customer traffic is at its lowest, with a commitment to test only within those hours.
  7. Details of the IP addresses or servers used by the penetration testing personnel.
  8. A list of the tools and applications to be used during the penetration tests.

Beyond this information, be wary of extreme price variations (either very high or very low) at the quotation stage, insist on identity checks so that the named, experienced testers are the people who actually carry out the work rather than inexperienced substitutes, and examine the other aspects of a corporate penetration test with equal care. Where possible, we recommend obtaining a sample report from the pentest company in advance so that your own security staff can review it carefully.

How Is a Penetration Test Plan Made?

First, choose the type of penetration test to be carried out on the corporate network. A white-box test, in which the tester is given full information about the target, gives the broadest coverage for the effort and is the lowest-risk starting point; grey-box or black-box tests can follow in later rounds. Next, decide between an internal or external test based on your organisational assets, and contact a specialist company. Sign the NDA with the penetration testing company immediately after the quotation stage, taking legal advice from your lawyers. Then meet the provider to identify risks, and have the measures needed to maintain operational continuity set out in writing; this is in the organisation's best interest.

Certification and reference information supplied by the company must be verified: confirm certifications with the issuing body, and contact any firms cited as previous penetration testing clients to confirm the claims. Bear in mind that information given to the pentest company during the quotation and planning stages can itself be sensitive; disclosing too much too early puts your organisation's security at risk.
