Pen Testing: It's All a Matter of Scope
Dan Haagman
CISO & Cyber Strategist | CEO - Chaleit | Former co-founder of Cyber firms NotSoSecure & 7Safe (both acquired) | Designer of Cyber MSc(s) | Commercial Helicopter & Aeroplane Pilot | JetPack Pilot | Sat-Radio Nerd
Can you pen test your way secure?
The answer is no — and it's all a matter of scope.
While we've traditionally viewed pen testing as a process to find system flaws and ensure security, I believe we've lost our way, allowing a compliance-driven mindset to overshadow the true spirit of cyber security.
The fundamental issue? Pen tests create a documented trail of work that, without proper prioritisation, can overwhelm organisations.
The scope problem becomes evident when we see organisations with well-secured applications but vulnerable single sign-on systems. Providers often look in the wrong places, focusing on narrow scopes that miss the broader attack surface. After all, why break into an application when you can breach corporate infrastructure and access the same data with fewer obstacles?
Too often, businesses get trapped in a cycle of annual pen testing, mechanically working through findings without asking the crucial questions: "So what?" and "Why should we?" When clients tell us they're finding the same issues year after year, it signals we're asking the wrong questions and looking at the wrong scope.
I'll say it again: pen testing applications cannot alone make a company secure.
While pen testers might find an occasional major flaw, they often create noise while missing critical vulnerabilities in areas like cloud infrastructure, containerisation, APIs, and corporate security.
We must move beyond the "yearly pen test" mentality and rigid scopes.
I advocate for quick, targeted assessments that might not be exhaustive but often reveal critical vulnerabilities that justify more focused, in-depth testing. It's about being smart with scope — starting narrow but being ready to expand when necessary.
Security is a journey, not an annual or cyclical event. So, I propose we view pen testing as a partnership — it's how we operate at Chaleit, by the way.
A partnership model offers several advantages:
Consider this: when hiring a major accounting firm, you don't challenge them to prove they can access your financial records. Instead, you provide full disclosure and tacit knowledge, working together through the process. Why should cyber security be any different?
For the best results, we need to work within the client's context.
Security findings are only valuable if they're actionable within an organisation's workflow. This means integrating our reporting and communication into their existing systems — whether JIRA, Confluence, or other project management tools. It's not just about finding vulnerabilities, it's about making the findings accessible, trackable, and manageable.
This extends to the remediation phase as well. We've learned that staying involved after a pen test is crucial. In busy organisations, it's challenging to think through abstract problems and develop solutions in isolation. That's why we offer advisory support during remediation — even for single projects, we provide this as a courtesy.
Let me share an industry secret: re-tests usually take only 15-20 minutes. Some pen testing firms unnecessarily extend this to a full day, causing delays and forcing companies to batch their re-tests. True frictionless service means being ready when you are and handling re-tests efficiently.
It's about streamlining the process and achieving security improvements within the client's operational reality. This collaborative approach turns theoretical findings into practical security improvements.
The partnership approach also replaces the old practice of rotating pen testers, which just isn't efficient. While it makes sense when service quality is lacking, why discard accumulated knowledge and understanding of an organisation's systems?
Our most successful engagements are with long-term partners where we can go deep together, critique each other, and raise our collective game.
The future of effective penetration testing (we call it pen testing 2.0) lies in true partnership, where both consultancies and clients step up to work together. We need to:
The key to preventing breaches and improving security isn't periodic audits — it's a consistent, collaborative effort built on thinking together and mutual trust and understanding, with a scope that evolves as threats and business needs change.
I'm curious to hear your perspective: How does your organisation determine the scope of security assessments? Is it driven by compliance, risk, or a combination of factors?
#cybersecurity #CISO
Award Winning Human-Centric Cybersecurity Specialist | Founder @NMCYBER | Empowering SMBs to Thrive in and With Cybersecurity | Consultant | Speaker |Technical Trainer | DFIR Specialist | Entrepreneur | Mentor |
4 weeks: Very informative, Dan Haagman. Good read.