We spoke to Teddy Guzek, CEO and founder of Shield Cyber and CEO of Hoplite Consulting for tips on how MSPs can tackle managing a pen test project
A penetration test is a unique project to manage. It often requires secrecy. And it has a unique scope. A pen test can be an expensive undertaking for your client and demands precise timing and significant preparation. To help you get it right, we spoke to Teddy Guzek, CEO and founder of Shield Cyber and CEO of Hoplite Consulting. Not only has he built a software tool that hunts for and alerts you to vulnerabilities continuously (without exploiting them), but he also runs a penetration consulting company that does high-level pen testing for MSPs.
A pen test is not like any other project, he says. “You are looking to find gaps in a network.” This is almost the opposite of a typical MSP-managed project. “Most MSP projects are looking to improve efficiency,” he says. “A pen tester will bring those processes into question.”
Do your homework
Before you schedule a pen test, make sure you are ready. There are a lot of wrong reasons for doing a penetration test.
“People sometimes come to us because they read the news and suddenly want a pen test thinking that will suddenly make them secure,” he says. But a pen test is designed to challenge systems after you’ve put your foundational cybersecurity measures in place (MFA, continuous vulnerability management, endpoint detection and response, and email filtering) to make your systems as secure as you can. “So, these companies end up spending tens of thousands of dollars on tests they didn't prepare for that find vulnerabilities that should be found on a continuous basis using industry tooling.”
If you start by asking why the client wants the test, it will help you prepare the client and scope the project.
“A pen test,” he says, “is like the final at the end of your college class. Think of preparing, patching, and doing preliminary testing as going to class, taking quizzes, taking tests, and things like that,” he says. “You are doing these things to prepare all throughout the semester or year. When you get to the pen test, you're testing yourself on things you've been working on.”
He recommends using exposure management software to help prepare. His company Shield Cyber offers a tool that allows you to see what an attacker sees on your network so you can apply common fixes that significantly reduce your risk. “It helps you take care of the low-hanging fruit,” he says.
“When you get to the actual pen test, it should be something that requires real expertise,” he says. “A real pen test is expensive, skilled, and targeted. It is not something a piece of software can do.”
If you don’t have software and/or processes in place for multi-factor authentication (MFA), continuous vulnerability scanning, and endpoint detection and response (EDR), then a penetration test will just produce findings you already know you need to address. It is important to have basic processes and technology in place before you get into penetration testing.
Be clear about the outcome
“Set your expectations and scope the project carefully,” advises Guzek. When you are ready to bring in a penetration tester, it’s important to set clear expectations – with the client and the tester – about what will be covered.
“Start off by understanding what the outcome would be,” he says. “What is the client trying to get to? Are they trying to check a box for compliance purposes? Are they looking to improve their security posture?” Either, or both, of these are good reasons. “But knowing what the end goal is and what they're expecting to walk away with helps the tester scope and price the project,” he says.
Be clear, in the beginning, on what is included in the pen test and what isn’t. Make it clear, to the client and the pen tester, if there will be a charge for things that exceed that scope. “A lot of times, the client says – halfway into the project – that their boss wants phishing emails or something like that. If that wasn't part of the initial conversation, it can end up turning into something you lose your margin on, or that damages a client relationship.”
Decide who needs to know
Secrecy is frequently an element of penetration testing. Decide at the beginning who is on your need-to-know list and how you will discuss the project as it unfolds and as the results are communicated.
“Sometimes it's very secret,” says Guzek. “Sometimes we don't tell anyone. Sometimes we have one point of contact with the client and he or she hasn't told anybody else.”
If you are using a project management tool to monitor, collaborate over, and discuss the progress of the test, be careful of who has permissions. In Perfect Project for MSPs, you can set very precise permissions that limit who can see everything from tasks to the notes attached to them and the resources who are working on it.
“This goes against the typical MSP model where you might give as many people access as you can so you can get through those tickets quickly,” says Guzek.
Set up checkpoints
Guzek would love it if MSPs came to the penetration test with a project plan that covered the preparation for the test and the engagement.
“It would be super helpful to have a plan that starts 30 days before the engagement begins,” he says. “It should include a list of the things you need to gather from the client and a sense of the timeline.”
In the time leading up to the engagement, he would love it if the project included:
When the rules of engagement will be ready
When we will get a list of the systems we’ll be testing
When the report will be approved
A date for the kickoff meeting
A date for the first day of testing
When the necessary resources need to be reserved
Create a transparent testing plan
After the engagement starts, the project manager’s role is largely to facilitate. The testers work in secret, sending daily start/stop alerts to the people who are in the know about the penetration test.
But Guzek would welcome an organized project manager who could create a transparent plan that everyone – client, MSP, pen testers – could follow.
“Currently we give the option of weekly or biweekly status meetings,” he says. “But those take time. If there was a transparent plan where the client could log in and see milestones the tester will be hitting and watch those things being checked off, I think a lot of clients would opt not to have status meetings unless critical vulnerabilities were uncovered, which would save everyone time.”
This would be easy to set up in Perfect Project for MSPs.
When you hire the pen tester, discuss what needs to be done before the engagement, settle on important dates, and ask the tester for a list of the steps that will happen during the engagement. Then build all of that into a project. Share the project – with a careful eye on the permissions and who is on your need-to-know list – with the client, pen tester, and anyone on your team who needs to know what’s happening. As the project unfolds, everyone can reach for a status update whenever they want one, without the need for a status meeting.
“That would be revolutionary,” says Guzek. “It would transform the way people do this. It would offer increased transparency for the client while incentivizing the tester to keep making progress.
“We have testers that want to work 20 hours straight – going down a rabbit hole – and then take 20 hours off. This would give them milestones to shoot for along the way. This would be especially helpful with remote pen testing teams,” he says.
Set up a cadence for the retest
For the pen tester, when the report is delivered, most of the work is done until retesting.
But that report will have a list of vulnerabilities that need to be fixed on the client’s network. Your project should cover this phase so that work gets done and the pen tester knows when you will want a retest.
“Recently, a client came back to us after a year and said they were ready for a retest,” says Guzek. “We weren't prepared for that because we had no insight into their progress. They had gone dark on us.”
Once you have built a project that covers everything from the days leading up to the test, the engagement itself, the remediation, and the retest, save it as a template. That way, when another client asks you to run a penetration test, you will be ahead of the game and ready to, as Guzek put it, “revolutionize the process.”
To learn more about Teddy, connect with him on LinkedIn. To learn more about completing advanced projects like this at your MSP, explore Perfect Project today.