Pen Testing 2.0: A New Approach to Ethical Hacking

Not dying in volume. Penetration testing is still necessary for organizations to stay safe in the face of the rising risks and costs of cyberattacks. But dying in terms of respect. It was becoming a commodity.

The consequences were a decline in the relative quality of findings and services. Companies waiting in line at the gate of pen testing factories. Reports that highlighted the same vulnerabilities years in a row, without any resolution. Finally, decreased overall security – just the opposite of what pen testing is supposed to do.

Luckily, there’s a new way of doing penetration testing. Pen testing 2.0 is a holistic approach to the security journey that focuses on collaboration, aftercare, and making clients more secure.

Ethical hacking is going through a renaissance.

What does that mean exactly? Dan Haagman, CEO of Chaleit, explains.

After 20+ years in the industry, we did not want to form another “me too” cybersecurity pen testing business. We didn’t want to spend the next 10, 15 years doing it all in the same way again.

We created something that still had pen testing at its core but was wider and extended the usability of what we did. Above all, we wanted to make ourselves more accessible to help clients.

Many of our clients have been with us for 10, 15, and even 20 years now, as they’ve come back over and over again. We learned about their frustrations, challenges, and pain points and designed a service that was more valid and focused. That’s how our fresh approach was born.

It was one of our most recent clients, a big global name, that coined the term. When we shared our approach with them, they said: “This is Pen Testing 2.0!”. And we said, can we quote you that?

When you are on a journey with a client, you interact with them more, and then you learn from each other. This is something that is often missing in pen testing, which is traditionally more adversarial in nature.

We replaced the adversarial nature with consultancy. We are there to guide and help our clients. We still find the bugs, but it’s the way in which we interact to drive better engagements that makes the difference.

We encapsulate this in three services: Pen Testing with Aftercare, Cyber Digital Protection, and Shifting Left through DevSecOps. All these wrappers have a key thing in common: aftercare.

Pen testing is a skill, a capability, or a series of capabilities at its core. But the way in which you think, build programs, and scope things can be far more tuned, sophisticated, and applicable to what clients need than how it’s typically done.

If we understand our client’s environment better, we can ask more intelligent questions. If our client is engaged in a less transactional nature and more embedded with us, we can model things differently.

For example, in a traditional pen test, the scope might be a feature-rich app, but that won’t necessarily tell you much about the way in which the client has implemented secrets management. Often, the only time failures in deployments happen is when we see something that’s being breached. Then the hacker can elevate their privilege because of the failure of implementation of secrets management. Pen tests themselves, raw pen tests, don’t necessarily find that. That kind of interactivity and trying to answer more sophisticated questions as our clients mature is really important.

But also, if the client just needs the pen test for a compliance audit, we’ll get the job done. It’s down to their needs because our approach is very client-focused.

Here are a few more ways in which pen testing 2.0 is different from the traditional approach.

We go past the point of what we call cliff-edge consulting, where you find a client, send a report and an invoice, and then be pretty much inaccessible to them. Even if that’s not entirely the case, it’s usually a long, convoluted process to get the pen testing team back, especially the original team. On top of it, it’s expensive, time-consuming, and inefficient. It doesn’t help people.

Our business is built around values such as collaboration and acting as part of the client’s extended team. That’s why we offer aftercare and support in the remediation phase on all projects – single pen tests or a long-term collaboration.

We help scrutinize the results, see what is important, prioritize what needs to be fixed, and ensure that it gets done and that the solution is relevant. It’s about closing the loop.

We do the basics of pen testing still – and we do them well. But we also help clients drive maturity.

In pen testing, not everything’s critical. Pen tests may yield many results and the client doesn’t necessarily have the resources to get them all closed.

To solve that challenge, we work with our clients to validate and advise on the significance of the findings. Closing the loop is all about making sure we unearth things, but equally, that they get fixed. Ultimately, that reduces risk.

So many firms seem to take great pride in the fact that they’re busy. We don’t like the word busy because is all about me, not about you. We scrubbed the word busy, and instead, put in zero lead time.

We work super fast to onboard clients through the legal journey, and procurement, but also the technical scoping journey. We get on with work quickly. With some of the clients we are already in contract with, it can be a matter of hours, if not a day or two at most.

Even with new clients, we can onboard them immediately if they’re willing to do so. This starts that process of collaboration. They need us, we need them, we’re both willing, and we get together. Hence the zero lead-time component. The same goes for retesting.

Another thing we do differently is dynamic reporting.

Pen testing reports are still valid, and they can be an artifact that our clients need. Again, we do the basics well. We have a pen-testing reporting platform, and we export whatever is needed, from executive summaries to attestations through traditional reports.

But we also offer a dynamic reporting option. We typically use Jira, Confluence, Azure DevOps, Zendesk, or whatever platform is already used by our clients. Because it’s already used there, it’s within their systems, their realm of data protection and privacy, and in their own workflow. We simply integrate our findings into their projects and structure.

With this kind of dynamic reporting, it becomes super easy for clients to prioritize an issue and work on it. We collaborate either within a platform or with other standard tools such as Slack or Teams – whichever they use, to jump on calls at any time and find solutions.

It comes back to collaboration, help, and adding value in this process.

We’ve deliberately placed not just people around the world, but our senior leadership team in different countries and time zones. Our VP team sits in seven countries now.

Being global and diverse is part of our DNA and it allows us to work on our clients’ schedules while offering the same level of quality around the clock.

When you start collaborating with people in a different way – and not just running a transactional service, you build a wider relationship and start understanding your client’s world. When you’re let into their world, you start a dialogue that leads to much better results.

Many of our clients themselves are very sophisticated and we’ve worked with some of the best teams around the world. We’re very fortunate. And together we have innovated the process.

When you start to help people, amazing things happen. You start learning. Many of us have been in this game for 10, or 20 plus years – some of us. Chaleit has just turned two and our rate of innovation has gone through the roof.

Over the last two years, we have built a business that’s challenging the status quo. We’ve been listening to the market and giving clients a better set of outcomes to solve their frustrations.

Many of our clients feel that they have all the stacks, all this technology, yet they’re still concerned that they’re vulnerable to cyber attacks. The rate of cyber attacks is going up and the sophistication is significant.

We feel ready to talk about pen testing 2.0 now because we’ve matured a process that helps people with today’s challenges.

We are committed to bringing our pen testing vision 2.0 to the market and building strong partnerships to make it happen. For example, we are excited to be a part of Appdome’s Mobile App Defense Project, a community program aimed at improving mobile DevSecOps through collaboration with more than 50 renowned mobile app penetration testers around the world.

This blog has a wide audience in mind, from CIOs and CISOs, to technical people who are frustrated with existing providers offering services that don’t completely fulfill their needs. We’re here to help with more authentic, useful content – coming up in the following weeks, so stay tuned and follow us.

We want to build our community around real challenges. These are not veiled blog posts with hidden sales messages. We’d be delighted if people do come and work with us, of course. But what we want is to share our way of thinking and hopefully get people in the industry on board with this new much-needed approach.

Also, when you build something that is more engaging and has a vision, it helps with hiring and retaining some seriously talented people. We’ve built a happy culture where our own people are learning fast from their clients and feeling at ease in their work because it’s a different, deeper, and more honest relationship.