Should I Outsource My Pentests?

Category: Pentesting, Service Provider / MSSP, Thought Leadership



Welcome to A Cup of Joe Espresso Shot, a small yet highly caffeinated shot of tips and tricks to make your business run smoothly and keep your employees happy.

Use cases from the field. This week PlexTrac is at the FS-ISAC Spring Summit. The Financial Services Information Sharing and Analysis Center (FS-ISAC) is an industry consortium dedicated to reducing cyber risk in the global financial system.

Today we had an attendee come by with an interesting use case. Monica says, "We outsource all of our pen tests." She went on to say that, as a large organization, "we found that we can get better value out of outsourcing our pen testing and rotating teams every year. The fresh set of eyes ensures a unique perspective every time." But, she said, "we find that some of the value gets eaten by the extra time to interpret the test results and compare them against last year's or last quarter's results. See, each vendor had their own report template and, worse, frequently had their own severity system, making it hard for us to do analytics." Monica asked, "Can PlexTrac help?" Well, Monica, the trend to rotate pen test teams has been something we've seen in the industry for a number of years, and it seems to be growing in popularity.

While it has a lot of benefits, it can reduce some of the effectiveness of your testing in the ways you've already observed: similar results presented in different ways every time, and inconsistency in risk assessments caused by each pen test practice wanting to put their own unique spin on it. I would suggest that there are also lessons learned that are lost every year due to a lack of communication between these teams. For example, the standard operating procedures that you have to communicate over and over again, and the responses from certain tests that are lost. This tribal knowledge is invaluable in making the engagements efficient, but without a communication mechanism, that information is lost to silos and a competitive approach. However, PlexTrac can eliminate the siloing of information by providing a workspace for all engagements, regardless of the pentest company contracted to do the work. Our Customer Success Team can assist in setting up your reporting foundation, taking your templates and configuring the platform to use them every time. Now, it doesn't matter if you're using a consultant from the top five or from a boutique consultancy; each report will have the same look and feel, and with it the ability to consistently report on findings and severity.

Use the PlexTrac platform as the centralized point of management by using the assessment modules to capture and retain scoping and engagement details. You can use the runbooks to document TTPs for Red and Blue Team engagements, or create test plans that ensure proper repetition of complicated attack chains, regardless of the company that you've contracted. So yes, Monica, PlexTrac can give you the best of all worlds by allowing you to engage with a fresh set of eyes each test, but without losing the lessons learned, and allowing that information to follow through to the next group. This is Joe Perry, PlexTrac product evangelist, wishing you happy reporting.