Engaging any company in penetration testing necessitates quite a bit of contract language. The good news is that we at Secure Ideas have a lot of experience in this area and are regularly tweaking our process to keep it as quick and straightforward as possible.
This article walks you through the main steps in our process, in the order they occur, as follows:
The scoping step usually takes the form of a phone call or web meeting between you and a senior Secure Ideas consultant. The consultant will ask scope-related questions about the engagement during this call to estimate the total effort. We have many years of experience estimating the effort of penetration tests and other types of security assessments and consequently have become very accurate. Our penetration testing and consulting engagements usually are time-boxed, so this estimated effort can be translated directly into a fixed bid for the work.
The next step in our engagement process is building, reviewing, and signing a contract. Beyond the business reasons for it, penetration testing without a contract is a crime, so this step is a legal requirement for every penetration test engagement.
There usually are two contracts in place for an engagement:
We will send both of these documents to you for review and, if necessary, redlines by your legal counsel. Once we have mutually agreed upon the documents, we will send them to you for digital signature and counter-signature.
Upon signature, we can finalize the schedule for the engagement. We don't finalize the schedule before a signed contract because it is difficult for us to predict how long your contracting or supplier onboarding process will take. We try to keep enough of a bench to book work on average about six weeks out, but this varies depending on the time of year.
Once the schedule is set for the engagement, we will also schedule a kick-off call between you and the consultants assigned to your engagement. This call will be scheduled for a date about two weeks before the start of the engagement activity and will cover topics such as:
The engagement window varies depending on the type of work and the amount of effort scoped. Most penetration test engagements are completed within one to two calendar weeks.
The report is the primary deliverable for most engagements and is a step we take very seriously. We may start working on the report during the engagement, but it is generally drafted two to five business days after the end of the active engagement period.
The report then goes through our rigorous review process, where at least two other Secure Ideas consultants read through and critique the report for accuracy and proper rating of findings. This process helps us maintain a consistently high quality in our deliverables. It is important to us that your report be clear and actionable and that, to the best of our knowledge, it accurately reflects the risk to your business.
Once the review is complete, we will deliver the report to you labeled as a draft. You then have the opportunity to provide feedback over the following two weeks.
Once the review period is complete, we will discuss and incorporate the feedback you have provided and issue a final version of the report. We will also perform any final steps you have requested, such as issuing a letter of attestation or scheduling a final presentation of the findings.