Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA's free and virtual Global AI Symposium, October 22-24, for cutting-edge insights on AI and cloud security. 

Need a Penetration Test? Here’s What to Do Next

Home
Industry Insights
Need a Penetration Test? Here’s What to Do Next

Blog Article Published: 07/24/2024

Originally published by Schellman.


In our experience, there are typically three reasons why you may move forward with a penetration test and start looking around for a provider. Making that initial decision to move forward with an assessment like this is a big step, but what should you do after you make it?

If you fall into any of the following common scenarios that mandate a pen test, here are the immediate next steps to take for each one:

  1. You want to proactively improve your cybersecurity
  2. You need to satisfy a client request
  3. You need to meet compliance requirements


1. What to Do Next When You Need a Penetration Test for Improved Cybersecurity Purposes

If you’re already performing external network, authenticated web application, and authenticated internal network vulnerability scans, a penetration test can be a great and natural next step in building a more mature security posture for your organization.

Once you decide to take this step, you then need to decide the scope—or, what you want to test. Knowing what kind of test(s) you need should then help streamline your subsequent search for vendors.

Do keep in mind though, that a solitary penetration test likely won’t suffice as your organization and products evolve—while your cadence can vary, you should expect to repeat this process more than once to achieve optimal cybersecurity.


2. What to Do Next If Your Client Requested You Perform a Pen Test

Of course, if you’re pursuing a pen test due to a client request, they likely already know exactly what kind of test they want—and if not, you shouldn’t move forward with a vendor until you do understand the specific nature of your client’s request.

You need to know what part of your environment your client wants examined, as there are many different attack vectors you can have tested:

  • Web Application
  • Application Program Interface (API)
  • External Network
  • Internal Network
  • Social Engineering (Phishing/Vishing/Smishing)
  • Mobile Application

Once you know what they want, you can then use a scoping questionnaire to drill down even more specifically to better determine the level of effort and resources that this engagement will take (and search for vendors that can perform what you need).


3. What to Do Next If You Have a Compliance Requirement for a Pen Test to Be Performed

In a similar vein, you may be in the market for a penetration test because a compliance standard you’re being asked to adhere to calls for one. If that’s the case, the good news is that most compliance frameworks have strict requirements as to what should be included in the scope of its requisite penetration test, with the two major being:

Your next step, then, is to familiarize yourself with those strict requirements of the particular standard you’re seeking to comply with so that, when you do engage a penetration tester to perform the work, you can work more closely and knowledgeably with them to ensure you’re meeting all the requirements necessary to achieve your compliance initiatives.


Other Important Penetration Test Considerations

No matter what scenario you fall under, you’ll need to accommodate your penetration test within your daily operations, which means understanding—at least roughly—how long your tailored assessment will take, and several factors can affect the duration of your penetration test.

Similarly critical will be the overall scheduling and timing for your penetration test, which is more complex than you may anticipate—together with the anticipated duration, it’ll be important to understand what constraints you have, be they compliance requirements or otherwise, so that you ensure you leave yourself plenty of time to accommodate the test, including any time that may be necessary for retesting.

And finally, you’ll also need to set aside funds for a penetration test. Just as with timing and duration, your price will depend on various factors, and this article breaks down the different considerations for different types of penetration tests so that you can more easily gauge your possible costs.

Having a penetration test performed is a solid step, whether it moves you closer to bolstering your cybersecurity, satisfying client requests, or meeting compliance requirements. Now that you have your next steps, as well as further details on common considerations, you can more easily set expectations for your organization going forward.

CompliancePenetration TestingRisk Management

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Zero Trust Guiding Principles v1.1
SECtember.ai Global
CCZT: Now with Zero Trust Strategy
Trending This Week
#1 AI Deepfake Security Concerns
#2 AWS S3 Bucket Security: The Top CSPM Practices
#3 QR Codes, Audio Notes, and Voicemail - Clever Tricks Up a Phisher’s Sleeve
#4 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
#5 Analysis for CVE-2023-23397 Microsoft Outlook Vulnerability
Audit Cloud Providers with Confidence & Enroll in STAR Lead Auditor Training
Related Articles:
Pioneering Transparency: Oklahoma’s Proposed Artificial Intelligence Bill of Rights

Published: 09/06/2024

The DORA Quest: Beware of Vendors with Magic Beans

Published: 09/06/2024

The Why and the How of Managed CNAPP

Published: 09/05/2024

Five Levels of Vulnerability Prioritization: From Basic to Advanced

Published: 09/04/2024