How to Staff a Pentest: The Importance of Matching Resources to Requirements

So far, in my “pentest quality” article series, I’ve talked about the importance of preparation, expectation alignment, and setting up a pentest. These are all essential steps within the pentesting lifecycle; however, even if these activities are not tackled perfectly, a well-staffed team can bridge the gap to drive quality throughout a pentest. In fact, staffing a pentest can actually make or break an entire engagement.

Finding the right pentesters for a project should be a high priority, yes--but staffing doesn’t just encompass selecting the ethical hackers themselves. Staffing should include several key team members: From customer success managers to project managers to technical writers. Below, I will offer an overview of each team member and the role they play at Cobalt:

Customer success manager:

At Cobalt, staffing begins with the customer success manager (CSM) and the relationship they have with a customer. The role of the CSM is to advocate for the customer receiving the pentest and ensure their needs, expectations, and concerns are brought to the attention of the team conducting the assessment. The CSM is responsible for ensuring all relevant customer details are shared via a brief with the pentesters and technical project managers who are responsible for the test. At Cobalt, this step of the staffing process offers two invaluable learning opportunities: (1) CSMs have an opportunity to build a rapport with the offensive security teams--and conversely, (2) the offensive security teams have an opportunity to learn more about customers’ businesses from the CSMs. This exchange establishes the trust our teams need to be successful. Of note, this step can also be automated as desired.

Technical project manager:

Once the project is fully defined, our technical project managers (TPM) take over and begin matching the right testers to the scope of work and methodologies at play. At Cobalt, TPMs are at the center of the pentest, collaborating with CSMs, pentesters, and our customers directly. TPMs are fully responsible for pentests’ operational lifecycles, while CSMs focus on customer relationships and pentesters hone in on their craft to deliver insights. The TPM is a critical role and one that shouldn’t be forgotten.

Technical writer or editor:

Next, we add a technical writer or editor to the team. Remember, at the end of a pentest engagement comes a written report that many C-level stakeholders will see. These reports are invaluable guidebooks to vulnerability remediation. It’s essential that the written reports are easy to understand, are of the highest quality, and contain all pertinent information--from an executive summary to actionable remediation steps. Technical writers are responsible for the quality and consistency of all written deliverables.

Pentesters:

Even if two tests are of similar size and cover the same methodology, it’s important to remember that each pentest engagement is unique. Therefore, each test has to be evaluated and staffed accordingly. Here are five considerations to evaluate before assigning a pentester to a project for maximum project success:

1. A tester’s timezone: While it is rare, at times, the network traffic generated by pentests can have a negative impact on a customer’s systems. That’s why pentests cannot be conducted when system owners are not online without warning. System owners must be available to triage and respond to issues in their environments to avoid unwanted, and potentially detrimental, outages as a result of a pentest. It’s a staffer’s responsibility to ensure a pentester’s time zone won’t affect the customer’s environment negatively.
2. A tester’s technical specialties: This consideration may seem obvious; however, I’ve seen it overlooked many times during my career--it’s important to make sure that the testers who are assigned to specific projects can actually do the work. Pentesters, like any other craftsperson, specialize in areas of cybersecurity. For example, a network pentester may not be well versed in application security, an application tester may not know how to phish, and a social engineer may not know how to navigate networks. Staff correctly, and make sure pentesters are best positioned to succeed for your customers.
3. A tester’s experience and track record: Ensuring a cohesive group is a must for success. Beyond their technical ability, which helps us determine what tests a pentester can be assigned to, it is also important to consider their experience and track record. Since all pentests are different, even if the same methodologies and technologies are at play, you must make sure the tester has the experience required to complement the other team members you’ve assembled. Your project managers should know the pentesters well enough to spot any potential issues before the project even begins.
4. Team availability: Again, this is an area that may seem obvious, but it can be easy to overlook. In the haste of staffing, sometimes individuals’ schedules are the last requirement considered. Keep in mind, it’s generally best to arrange a test for when all team members are available and can be responsive.
5. Continuity of testers: When pentesters are able to test the same customer environments over time, the results tend to be more precise and actionable. This is because they gain a precise understanding of the environment, how it operates, and how far they can push it, which frees them up to be more creative and discover new insights a first-time tester may not be able to. Staffers should try to book pentesters to test the same environments overtime when possible--it can be a huge benefit for customers.

Take time to consider all the players in a pentest engagement before the “game” officially begins. Have something to share about the staffing phase of the pen-testing lifecycle? Did I miss anything you find absolutely essential? Send me your thoughts at [email protected].