Develop targeted goals for the engagement.
Hay, whose firm offers pen testing services, says companies need to be very clear what they want from their third-party penetration tester. It doesn't make any sense for the company to have all its systems, servers, and applications tested. It's better to tell the pen tester to run a test on two or three specific external IP addresses, and then focus on the most important Web app. For example, a healthcare company might want to focus on medical data. And banks will want to key in on financial data.
Quentin Rhoads, director of professional services at Critical Start, adds that companies need to identify the scope: how many servers to test and the number of Web apps. Armed with that information, the pen tester can offer a realistic price and set goals they can meet.