What Is Schellman’s Penetration Test Project Process?
Whether you’re considering engaging Schellman for a penetration test of some kind or you’ve already signed a contract with us for such, you’d probably agree that transparency benefits everyone.
The more information you have, the easier it makes decisions or your planning process—we agree and understand. Cybersecurity is complex, and we want to help you find efficiencies where you can.
That’s why we’ve put together a complete project timeline that is applicable for every service under our penetration test service line. In this article, we’ll lay out the way this kind of engagement with Schellman will go, step by step from start to finish.
You’ll learn about our entire process, and afterward, you’ll know what to expect from this experience in all its phases.
The 10 Phases of a Schellman Penetration Test Project
1. Initial Contact and Response
If you’re looking for a penetration test—abbreviated as pen test—you may have already perused our website and learning center to gauge Schellman’s initial qualifications. To learn even more, contact us so that we may set up an initial conversation to get us started.
During that call, we’ll provide more information about our services. So we can learn more about your environment and what you're looking for specifically, we will also request that you complete our pen test scoping questionnaire.
2. Scoping Questionnaire Completion
Though early on in the process, this is a critical juncture. Completing the scoping questionnaire timely can streamline much of our initial discussions. If need be, the members of our pen test team can make themselves available for a follow-up scoping Q&A to answer specific questions you have.
Remember, timing and scoping are the factors that most strongly determine the cost of an engagement. Once we can gather that information through the questionnaire, we can then reach out directly to provide a proposal with pricing and timing options.
3. Proposal and Contract Acceptance
That proposal will show a breakdown of pricing based on your established scope. If you’d like to move forward at that time, a contract will be created and sent for digital signature to the person listed as signing authority within your organization.
Upon execution of the contract, we would then set you up with access to AuditSource, our secure file sharing application.
4. Pen Test Authorization Letter Provided
Once you’re ready to go in AuditSource, we’ll draft and post the pen test authorization letter, which will include our team’s contact information, our public IP addresses, timing timeframe. It’ll also define the scope of the engagement at a more granular level. For instance:
- In our contract, it may say you need “an external network pen test against 400 hosts.”
- In the authorization letter, you would define what these hosts are exactly, be it by IP address, CIDR range, or domain.
In this letter, you’ll tell us specifically what is in scope. Once updated, it must be signed and returned before we can start testing.
We’ll tell you right now that not signing the authorization letter is the #1 reason penetration testing projects get delayed. Not completing this step may incur a change order and rescheduling depending on how long the project is delayed.
5. Kickoff Call and Final Preparations
Around two weeks before the start of the pen test, we’ll host a kickoff call to introduce the pen testers assigned to the project, review the scope and timing, touch on outstanding action items, and answer any outstanding questions.
After that, you’ll need to do the following:
- Start work on your end to allow our team’s public IP addresses through any technical controls in place that could impede testing (e.g., web application firewall).
- If credentials are required for this assessment, at this point is when you should onboard our test accounts. (E-mail addresses will be provided in the pen test authorization letter.)
- Concurrently, you should let your security and network teams know a pen test will be happening—this is a collaborative effort and should not be kept secret. We will provide our external IP addresses so that they can quickly correlate any anomalous activity to us.
(Depending on the aspects of testing involved, there may be factors you do choose to keep closer to the vest—this is mainly applicable to social engineering campaigns. Even then, you should still spread the word internally with IT and C-level executives—just do not let the targeted employees know.)
Now, you’re ready to begin testing. On the first day, we’ll reach out and remind you that we’re starting.
As we progress, we will post weekly status updates to AuditSource. These will contain all identified findings, including supporting screenshots and steps to reproduce for each. If we run into any small issues or have questions, we will inform you during this time as well. Any high-risk findings will be escalated within 24 hours of verification.
Once testing has finished, we’ll draft the pen test report—you should expect that to take a full week upon completion of the test to allow for complete report writing and our internal report review process. Multiple team members will have eyes on the report before it’s posted to you.
7. Report Posted to AuditSource
After that review process is complete, we will post the report to AuditSource for you to view.
At Schellman, we have a “no surprises” policy, so when that final status update is posted, rest assured that all findings listed there will be in the final report. The report will also contain additional details on our testing methodology and attack path narrative.
If you’re interested in seeing a sample report, contact us.
Once you’ve seen the posted report, you’ll have 30 – 45 days to retest all originally identified findings, should you so choose.
If you do, we ask that you attempt to remediate all issues you intend to before requesting a retest. After that process is complete, a retest report will be issued.
9. All Testing Complete
With all that done, the final optional deliverable we offer is called a “pen test summary letter.” This is a one-page document that you can share with customers rather than providing the full pen test report.
Despite its abbreviation, this letter provides evidence that Schellman performed a pen test and speaks to the scope, timing, and—at a high level—the number of findings discovered.
10. Next Steps!
After your penetration test is complete, you may find you want to take things further with a different approach. Review our suite of pen test services to see which ones may benefit your organization and start the scheduling talks for your next initiative.
Other Useful Resources for Your Upcoming Penetration Test
So that’s it—a Schellman pen test from the very beginning all the way through to the final deliverables. Using this information, you can set reasonable expectations regarding your upcoming engagement with us.
Or, if you’re not yet set on Schellman as your chosen pen test team, you’ve still got some good insight into how the process works generally.
To ensure you’re as prepared as possible for your penetration test—no matter who you use—check out our other content:
Interested in asking more organizationally specific questions? Please feel free to reach out to us—our team would love to talk more with you and satisfy any concerns you may have.
About JOSH TOMKIEL
Josh Tomkiel is a Director and Penetration Tester based in Philadelphia, PA with over 10 years of experience within the Information Technology field. Josh has a deep background in all facets of penetration testing and works closely with Schellman's other service lines to ensure penetration testing requirements are met. Additionally, Josh leads the Schellman's Red Team service offering, which provides an in-depth security assessment focusing on different tactics, techniques, and procedures (TTPs) for clients with mature security programs.