Penetration testing is a ubiquitous, proactive cybersecurity activity that every organization should be doing. That’s why innumerable providers offer this service.
Pentests are valuable for ensuring an organization’s cyber health. However, the definition of what’s involved in an effective pentest often varies widely among providers and their enterprise clients.
An organization seeking measurable improvement in their security posture must align their goals, objectives and tactics with those of the offensive testing service they engage. At the same time, service providers must strive to provide high value and effectively articulate what they do (and don’t do) for their enterprise customers. Choosing the right solutions to add to their portfolios is critical to every service provider’s success.
Grow Business by Using Automation to Deliver Pentest Planning and Reporting
Denver, Colorado-based Digital Silence describes itself as a “world-class boutique cybersecurity firm” with the singular goal “to do security consulting right.” The firm provides penetration testing, advisory, and incident-response services to its growing client roster.
Digital Silence set out to become a trusted partner in the crowded security service provider field. Achieving that goal requires the team to align goals and expectations with each client. The ability to drive revenue growth by providing premium services that significantly improve every client’s cybersecurity posture defines success.
Key elements of the Digital Silence model include client education, collaboration, and frequency of engagements. Leveraging these strategies can help other service providers stand out in a highly competitive, crowded market by ensuring a high level of customer satisfaction.
Digital Silence has grown its business by automating pentest planning, delivery and reporting to increase service margins, scale offerings, and provide more value to clients. Providing pentest planning and reporting automation from PlexTrac enables Digital Silence to deliver fast, high-quality pentest services and reports to its clients.
Automating reporting, one of the most time-consuming — and essential — components of the pentesting process, delivers results to clients faster while giving the Digital Silence team more time to deliver outstanding value to its growing portfolio of clients.
Be Clear with Definitions and Scope
Penetration testing has become the gold standard of security testing, but the definition of what’s involved is not always mutually understood by service providers and their clients. In other words, not all penetration testing is the same from provider to provider.
The first step to building a partnership with clients that extends beyond a one-off engagement is to define the scope clearly. Next is to provide actionable insights that the client organization can use beyond simply checking a box or meeting a compliance requirement. For example, educating your clients on the difference between pentesting and vulnerability scanning can help them appreciate the value of the expert services you provide.
Provide Collaborative Services
Once you’ve aligned your client’s goals with your service offerings, you can extend your value proposition by providing actionable insights so customers can implement your recommendations more quickly.
There are several ways to make pentest findings more actionable than is typical in the traditional static pentest report. One of those ways is to collaborate with the client at various points in the testing process. Iterative testing with opportunities for collaboration between the service provider and the client will increase the understanding of the issues for those responsible for remediating them.
Another way to improve findings’ actionability and increase collaboration opportunities is to adopt dynamic delivery of findings and recommendations. Digital Silence does this using a client portal. Clients seeking to rapidly input findings into their remediation workflow don’t have to wait for the full report; instead, they can interact with critical information more directly and immediately.
“A lot of organizations feel purple teaming is just a ‘nice to have’ — until they’ve gone through it,” said JT Gaietto, chief security officer of Digital Silence. “Continuous vulnerability monitoring and real-time collaboration are becoming more important. We leverage PlexTrac to help educate and provide more value to our customers in an engaging and structured environment, rather than just sharing a bunch of static PDFs.”
When clients are more involved and have more visibility into pentest engagements and findings, they are likely to perceive and derive more value from the services you provide. That value will create long-term relationships with clients and generate a strong, ongoing revenue stream for service providers.
Support Continuous Testing Strategies
When clients start to see progress based on your actionable recommendations, they are more likely to adopt other sophisticated services to continue maturing their security posture.
Offering targeted testing more frequently will deliver value to customers while also increasing profitability. For example, strategic testing that leverages the latest threat intelligence will enable clients to stay current on market trends and help them make a strong business case to their organization’s leaders to buy more of your services.
Continuous testing models provide organizations with better security outcomes while making a long-term client relationship with your business more likely. Digital Silence created an innovative, collaborative service called Heliotrope, supported by PlexTrac Runbooks, to meet the demand they were seeing for continuous testing. Providing clients with services they can use consistently will dramatically improve each client’s security posture while creating more demand for your services.
Drive Efficiency in Your Pentest Service Offerings
The secret to delivering more value to customers is to become more efficient in your practice’s internal processes so you can increase client interaction, meet service-level agreements, and develop innovative new offerings.
When it comes to pentesting, which takes time to perform well and more time to report actionable results, adopting technology that saves time is critical. Automation, according to Digital Silence’s Gaietto, consistently makes the reporting process much more efficient for his firm and its clients.
“Overall, we’ve seen at least a 50% time saving on our reporting processes,” he said. “That’s a clear-cut benefit to both the service provider and the customer.”