So far, in my “pentest quality” article series, I’ve talked about the importance of
Finding the right pentesters for a project should be a high priority, yes--but staffing doesn’t just encompass selecting the ethical hackers themselves. Staffing should include several key team members: from customer success managers to project managers to technical writers. Below, I will offer an overview of each team member and the role they play at Cobalt:
At Cobalt, staffing begins with the customer success manager (CSM) and the relationship they have with a customer. The role of the CSM is to advocate for the customer receiving the pentest and ensure their needs, expectations, and concerns are brought to the attention of the team conducting the assessment. The CSM is responsible for ensuring all relevant customer details are shared via a brief with the pentesters and technical project managers who are responsible for the test. At Cobalt, this step of the staffing process offers two invaluable learning opportunities: (1) CSMs have an opportunity to build a rapport with the offensive security teams--and conversely, (2) the offensive security teams have an opportunity to learn more about customers’ businesses from the CSMs. This exchange establishes the trust our teams need to be successful. Of note, this step can also be automated as desired.
Once the project is fully defined, our technical project managers (TPMs) take over and begin matching the right testers to the scope of work and methodologies at play. At Cobalt, TPMs are at the center of the pentest, collaborating with CSMs, pentesters, and our customers directly. TPMs are fully responsible for pentests’ operational lifecycles, while CSMs focus on customer relationships and pentesters home in on their craft to deliver insights. The TPM is a critical role and one that shouldn’t be forgotten.
Next, we add a technical writer or editor to the team. Remember, at the end of a pentest engagement comes a written report that many C-level stakeholders will see. These reports are invaluable guidebooks to vulnerability remediation. It’s essential that the written reports are easy to understand, are of the highest quality, and contain all pertinent information--from an executive summary to actionable remediation steps. Technical writers are responsible for the quality and consistency of all written deliverables.
Even if two tests are of similar size and cover the same methodology, it’s important to remember that each pentest engagement is unique. Therefore, each test has to be evaluated and staffed accordingly. Here are five considerations to evaluate before assigning a pentester to a project for maximum project success:
Take time to consider all the players in a pentest engagement before the “game” officially begins. Have something to share about the staffing phase of the pentesting lifecycle? Did I miss anything you find absolutely essential? Send me your thoughts at