Preparing Your Company for a Penetration Test

Part 2: The Most Asked Questions About Penetration Test Preparation 

How can I prepare my company for a penetration test?

Properly preparing for a penetration test ensures that your business is ready for a thorough security assessment. Begin by defining what you are trying to achieve, such as identifying system vulnerabilities, assessing your security posture, or meeting regulatory compliance. Clearly define the scope of the test: which systems, applications, and networks will be tested? Next, decide who needs to know about the test. You may want to keep those involved to a minimum if you are looking to test the response of your team. Otherwise, inform key stakeholders and your IT team in advance to avoid surprises.

Ensure that critical data is backed up to safeguard against potential disruptions. Testing aside, you should always back up important data and have a disaster recovery plan. It’s better to discover an issue that can take out your system during a planned test instead of a real attack. Also, patch known vulnerabilities so testers can focus on uncovering new risks. Otherwise, you’ll be paying to find issues you already know about.

Depending on the type of test you want done, having documentation like network diagrams and access credentials ready will streamline the process. 

Should I go with white-box or black-box testing?

In a white-box test, the tester has full access to source code, architecture, and internal information. This is as far as you can get from the perspective of a malicious attacker; however, the penetration tester can go deeper in a shorter period, getting more testing done for your budget. With white-box testing, you provide documentation like network diagrams and access credentials, which streamlines the process.

In a black-box test, the tester has no prior knowledge of the system, which more faithfully simulates an external attack. These tend to take longer, as you will be paying for the upfront reconnaissance as well as the work done to discover and map your systems. They can involve full red team assessments and even physical testing of offices.

The most popular option tends to be gray-box testing, a middle ground between the two. Here, the tester has limited knowledge, mimicking an attack from an insider with partial system access or from an external attacker.

How do I choose a reputable penetration testing company?

Selecting the right penetration testing company is important for gaining valuable insights. Prioritize firms with experience in your industry, as they will understand your unique challenges. If you want to ensure legitimacy, request references to verify their expertise.

Unfortunately, it is common within some companies for projects to be won by putting the most experienced team members in front of you, while the work is later passed to junior testers or even offshore teams. If you want your testing done "in the country," confirm that ahead of time with the testing company.

Most companies' testers will have certifications. However, it is common to find people with certifications but no real-world experience. The opposite can be true as well: some of the most skilled and experienced people in the industry hold no certifications. Ultimately, don't be afraid to ask to speak to the specific people who will be conducting your test. When you do, make sure you ask about their experience.

How long does a penetration test usually take?

The timeline for a penetration test varies based on your business's needs. The actual testing of a basic network or web application can take 2 days. However, with reporting time included, even a basic test will take 1-2 weeks. Larger, complex environments can extend to several weeks or months. Factors include the number of systems, the test depth (white, gray, or black box), and any social engineering components. It's best to discuss timelines upfront with your provider to set clear expectations.

How can I ensure my employees are ready for social engineering tests during a penetration test?

Preparing your team for social engineering tests is about fostering security awareness. Provide engaging training on common tactics like phishing, pretexting, and baiting. Foster a workplace culture of curiosity and caution, where questioning unexpected requests is supported. Regular security drills reinforce these lessons, helping employees identify and respond to suspicious activity. Also ensure they know how to report unusual incidents. While you don't need to disclose specific test details, emphasizing security awareness keeps your team vigilant.

Should I hire an in-house team or outsource penetration testing?

Choosing between an in-house team and outsourcing depends on your business goals. An in-house team offers familiarity with your systems and continuous oversight; however, it also requires ongoing investment in training and resources.

Outsourcing provides specialized expertise, fresh perspectives, and up-to-date threat intelligence, often at a lower cost. Many larger businesses use a hybrid approach: an in-house team manages daily security, while external experts conduct comprehensive assessments at least once a year to identify overlooked vulnerabilities.

Tiro Security’s penetration testing team averages over 10 years of practical experience, with no penetration testers having less than 5 years of experience. If you need assistance to build an internal penetration testing team or are looking to bring in an outside company, set up a call with Kris Rides at kris.rides@tirosec.com and start protecting your data today!