RSA 2021 Conference Recap: Resiliency in the Face of Change

RSA’s 2021 virtual conference wrapped up last week and inspired attendees around the theme of resilience. While the definition of resilience is “the capacity to recover quickly from difficulties,” the conference was equally focused on how to adjust an organization’s security posture to focus and prepare for proactive protection and cybersecurity readiness rather than incident response. As we consumed the content from the conference, we saw three common themes that resonated with us around change as a concept, proactive protection versus incident response, and the workforce implications of 2020. Read on as we dig deeper on these subjects.

Cybersecurity at the speed of change

In his RSAC session, Cisco’s Chairman and CEO Chuck Robbins rightly observed that the world transformed over the past year as it adjusted to a new, hybrid workplace model. He pointed to the fact that every organization in every industry focused on keeping its business resilient while facing more complexity than ever before. On the subject of complexity, he pointed to the security landscape. According to Robbins, employees, simply by spending 30 extra minutes a day on their mobile devices, created 20 percent more vulnerabilities than would exist in a normal time, vulnerabilities that could expose organizations to breaches, hacks, and bad actors.

With the monetary loss from cybercrime, estimated at $945 billion in 2020 according to McAfee, managing risk should be critically important for all cybersecurity teams. And reportedly CISOs are paying attention by devoting time, attention, and funding to cybersecurity initiatives. Reported in VentureBeat earlier this year, global cybersecurity spending is expected to grow 10% in 2021 as new types of threats emerge along with an increasing volume of attacks. With enterprises adapting their infrastructure to new cloud architectures and new work configurations, the need to address potential vulnerabilities is taking on greater urgency.

With organizations across the country now working through return-to-office and work-from-home issues, one thing is clear: cybersecurity teams must plan for the fact that a portion of tomorrow’s workforce will be working out of their homes permanently. Robbins says that end-to-end encryption is foundational to being able to deal with all users, data and applications in this scenario.

Succeed with a more proactive cybersecurity program

Mary O’Brien, General Manager for IBM Security, and Mauricio Guerra, CISO for Dow Chemical, discussed putting zero trust into action to manage security and enable business. They said that today’s security leaders are now responsible for helping their businesses deliver new capabilities grounded in security – while also managing threats and compliance – with the zero trust security concept a cornerstone of proactive security programs that can help achieve these objectives.

Zero trust is still relatively early in its adoption. CSO Magazine defines it as a security concept centered around the belief that organizations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to their systems before granting access. Historically, organizations focused on defending their perimeter. Now, however, some of the most egregious data breaches happened because attackers, once they gained access inside corporate firewalls, were able to move through internal systems without much resistance.

While in support of zero trust planning, we counsel our CISO clients to also develop a business-aligned vulnerability management program that takes into consideration the vulnerabilities that would have the most significant, negative impact on the business. A vulnerability management program looks at the most relevant threats that could exploit those vulnerabilities and remediation strategies as well as the controls needed to counter those threats. Such a strategy is built on a framework that enables, implements, and maintains the program and informs all security initiatives, controls, and processes.

Adding threat modeling to an organization’s cybersecurity arsenal is also critically important, because the process looks at a system from an architectural level and identifies potential security design flaws. This matters because, based on experience and empirical data, we know that almost 50 percent of security issues are design-level flaws. Organizations must start doing threat modeling to uncover how their systems work and interact with one another and whether those interactions pose a threat. It is essential to identify who would want to attack your systems and where the assets are, in order to understand the potential attack vectors and to enable the appropriate security controls. This analysis takes place during threat modeling.

Promoting workplace culture without relaxing security

2020 was full of challenges, not only for our NetSPI team, but also for our clients. One of our predictions heading into 2021 was that there would continue to be more security jobs than people to fill the roles. Even with the pandemic subsiding, this has proven to remain true. Security leaders have been challenged to fill roles that require candidates with mid- to senior-level experience, and entry-level job openings have continued to be in high demand. Hiring and the workforce and culture implications were popular topics at RSAC.

Jinan Budge with Forrester Research discussed the importance of putting people at the heart of security and aligning vision and approach to achieve strategic organizational security culture change. Further, we also believe strongly in the importance of culture within an organization, and that hiring for skills beyond the technical – like curiosity, memory recall, innovation – will foundationally help organizations grow and excel during times of talent shortages.

As CISOs focus on building strong teams with exceptional culture, organizations must also remain vigilant for insider threats. Protecting against internal threats should be part of any threat detection program; the SolarWinds breach also brought to light this under-discussed application security challenge. The frequency and financial impacts of insider threats—defined as a careless or negligent employee or contractor; a criminal or malicious insider; or a credential thief—have grown dramatically in just the past two years. In a recent Ponemon Institute study, the overall average cost of insider threats per incident increased by 31% from $8.76 million in 2018 to $11.45 million in 2020. In addition, the number of incidents has increased by a staggering 47% in just two years, from 3,200 in 2018 to 4,716 in 2020. This data shows that insider threats are still a lingering and often under-addressed cybersecurity threat within organizations, compared to external threats.

A thriving future

To quote RSA: “Because being resilient requires infinite strength. There can be no let ups. No breaks. No finish lines. Just an unending passion to evolve, adapt and do everything possible to protect the people and organizations that rely on us as their advocates. We will do more than survive. We will thrive.” Indeed. We stand fully behind RSA’s quote. The reality is that cybersecurity attacks today are inevitable and put organizations at grave risk making it imperative to stay one step ahead of adversaries by focusing on prevention-based security techniques. With a pat on the back to all professionals in this business, the cybersecurity profession not only survived the past 16 months, but all indicators also show that it is thriving.

Forbes: How Private Equity Factors In To The Colonial Pipeline Hack

On May 17, 2021, NetSPI President and CEO Aaron Shilts was featured in a Forbes article.

So it is perhaps not a coincidence that, just five days after the Colonial attack, KKR led a $90 million growth investment in a cybersecurity company called NetSPI. “The reality is that cyber security attacks today are inevitable and put organizations at grave risk,” the company’s CEO, Aaron Shilts, said in a statement. “At NetSPI, we strive to stay one step ahead of hackers, breaches and bad actors.”

In the years to come, NetSPI will have plenty of changes to prove its worth—and hopefully help prevent other instances of infrastructure-crippling bitcoin blackmail.

Now, onto the rest of the things you need to know from the past week in private equity, M&A and beyond…

Read the full article here: https://www.forbes.com/sites/kevindowd/2021/05/17/how-private-equity-factors-in-to-the-colonial-pipeline-hack/?sh=2725b64f5262

Minneapolis/St. Paul Business Journal: Cybersecurity company NetSPI raises $90 million from KKR, Ten Eleven

On May 13, 2021, NetSPI President and CEO Aaron Shilts was featured in the Minneapolis/St. Paul Business Journal.

Cybersecurity company NetSPI has raised $90 million in growth funding, it announced Wednesday.

The round was led by New York City-based investment firm KKR. Cybersecurity-focused venture capital firm Ten Eleven Ventures also participated.

Read the full article here: https://www.bizjournals.com/twincities/news/2021/05/13/netspi-raises-90-million-cbersecurity.html

Cyber Security Penetration Testing Leader NetSPI Secures $90 Million in Growth Funding Led by KKR

Investment to Fuel Innovation and Growth, Including Global Expansion and Product Innovation

Minneapolis, Minnesota – NetSPI, the leader in enterprise penetration testing and attack surface management, today announced it has raised $90 million in growth funding led by KKR, with participation from Ten Eleven Ventures. The investment will be used to further accelerate NetSPI’s rapid growth by expanding the company’s cyber security and client experience teams, investing in product innovation, and deepening operations across U.S. and international markets.

“The reality is that cyber security attacks today are inevitable and put organizations at grave risk,” said NetSPI President and Chief Executive Officer Aaron Shilts. “At NetSPI, we strive to stay one step ahead of hackers, breaches, and bad actors by focusing on prevention-based security techniques. Rooted in the founding tenets of the company, our goals are purposely aggressive to help our clients adapt to the constantly evolving threat landscape.”

Since its founding, NetSPI has focused its services on helping companies proactively defend themselves from cyberattacks through a robust and innovative technology platform, allowing NetSPI’s team of experts to thoroughly identify security vulnerabilities. At a time when cyber security spending is expected to exceed $200 billion per year by 2024, according to a recent Bloomberg Intelligence (BI) report, more companies are preparing to fend off sophisticated cyber-attacks and avoid reputational and business risks.

“Our clients rely on us to help secure their ever-evolving attack surface by leveraging our expertise in cloud, red team, application, and network security,” continued Shilts. “This investment from KKR and Ten Eleven Ventures allows NetSPI to better meet this demand while simultaneously fueling growth and innovation as a leader in the booming cyber security market. With our investors’ support, NetSPI will continue to transform the industry with a focus on attack surface management, enterprise security testing, and vulnerability management.”

“NetSPI has built a differentiated suite of tech-enabled services and test orchestration and reporting software that is not only enhancing cyber security for complex global enterprises across a wide range of industries, but is simultaneously disrupting the traditional penetration testing market in order for these enterprises to continuously test their applications, networks, and cloud infrastructures at scale,” said Ben Pederson, Principal at KKR. “We are excited to invest in NetSPI’s growth as they build and deliver these critically important offensive security solutions.”

Jake Heller, Head of KKR’s Technology Growth team in the Americas, added: “Aaron and his team have a deep appreciation for the needs of their customers and the increasing demand for best-in-class, tech-enabled cyber security systems.”

KKR is investing in NetSPI through its Next Generation Technology Growth Fund II. KKR and Ten Eleven Ventures have invested in market-leading cyber security companies including Darktrace, KnowBe4, Ping Identity, Cylance, ForgeRock, and ReliaQuest.

“Penetration testing is a critical component of any enterprise’s security program and will continue to be an important part of compliance and regulatory requirements in the future,” said Mark Hatfield, General Partner, Ten Eleven Ventures. “With its deep expertise and automated platform, NetSPI has developed an incredibly effective and efficient approach to penetration testing and attack surface management. We’re thrilled to partner with this exceptional team and look forward to drawing on our cyber security expertise to help NetSPI bring its technology to more companies across the globe.”

After spending its first several years as a bootstrapped, profitable business, in 2017 NetSPI partnered with Sunstone Partners, who has been instrumental to the company’s growth post-investment. Gus Alberelli, Managing Director of Sunstone Partners, said: “We’re incredibly fortunate to partner with NetSPI’s team and proud of the company’s extraordinary growth stemming from its technology-enabled penetration testing team. We are excited for KKR and Ten Eleven Ventures to join Sunstone Partners in supporting NetSPI’s growth journey.”

The investment is the latest transaction in a period of accelerated growth for NetSPI. Most recently, NetSPI acquired Silent Break Security and incorporated its proprietary Adversary Simulation and Red Team Toolkit software into the company’s offensive cyber security and attack surface management offerings. In 2020, NetSPI launched Penetration Testing as a Service (PTaaS) powered by its Resolve™ platform. Upcoming additions of risk scoring, vulnerability intelligence, breach and attack simulation, and more will continue to differentiate NetSPI’s technology offerings.

Goodwin Procter LLP advised NetSPI on the transaction and Latham & Watkins LLP advised KKR and Ten Eleven Ventures.

About NetSPI

NetSPI is the leader in enterprise security testing and attack surface management, partnering with nine of the top 10 U.S. banks, three of the world’s five largest health care companies, the largest global cloud providers, and many of the Fortune® 500. NetSPI experts perform deep dive manual penetration testing of application, network, and cloud attack surfaces, historically testing over 1 million assets to find 4 million unique vulnerabilities. NetSPI offers Penetration Testing as a Service (PTaaS) through its Resolve™ platform and adversary simulation. NetSPI is headquartered in Minneapolis, MN and is a portfolio company of private equity firms Sunstone Partners, KKR, and Ten Eleven Ventures. Follow us on Facebook, Twitter, and LinkedIn.

About KKR

KKR is a leading global investment firm that offers alternative asset management and capital markets and insurance solutions. KKR aims to generate attractive investment returns by following a patient and disciplined investment approach, employing world-class people, and supporting growth in its portfolio companies and communities. KKR sponsors investment funds that invest in private equity, credit and real assets and has strategic partners that manage hedge funds. KKR’s insurance subsidiaries offer retirement, life, and reinsurance products under the management of The Global Atlantic Financial Group. References to KKR’s investments may include the activities of its sponsored funds and insurance subsidiaries. For additional information about KKR & Co. Inc. (NYSE: KKR), please visit KKR’s website at www.kkr.com and on Twitter @KKR_Co.

About Ten Eleven Ventures

Ten Eleven Ventures is the original venture capital firm focused solely on investing in digital security. The firm invests globally and at all stages, from seed to growth (the latter via its Joint Investment Alliance with KKR). Since its founding in Silicon Valley in 2015, Ten Eleven Ventures has raised nearly US$500 million and invested in 30 leading cybersecurity companies including KnowBe4, Darktrace, Twistlock, Verodin, Cylance, and Ping Identity. For more information, please visit www.1011vc.com or follow us on Twitter @1011vc.

About Sunstone Partners

Sunstone Partners is a growth-oriented private equity firm that makes majority and minority investments in technology-enabled services and software businesses. Recently recognized as one of Inc.’s 2020 PE 50 founder-friendly private equity firms for entrepreneurs, the firm seeks to partner with exceptional management teams, often as their first institutional capital partner, to help accelerate organic growth and fund acquisitions. Founded in 2015, the firm has $800 million of committed capital to its first two funds. For more information, visit www.sunstonepartners.com.

Media Contacts:
Jean Hill, Maccabee PR for NetSPI
jean@maccabee.com
(612) 294-3154

KKR
Cara Major or Miles Radcliffe-Trenner
Media@KKR.com
(212) 750-8300

Ten Eleven Ventures
Megan Dubofsky
mdubofsky@1011vc.com
(917) 576-5590

Ten Eleven: Why We Invested in NetSPI

On May 12, 2021, NetSPI announced new funding from KKR and Ten Eleven. Learn why Ten Eleven chose to invest in NetSPI:

Today we’re pleased to announce our investment in NetSPI. In cybersecurity, understanding where weaknesses lie is a critical first step in defense. One crucial way to assess this is through penetration testing, where “ethical hackers” attempt to break into your systems before attackers can. Penetration testing is often required of technology vendors by their customers and a mandated part of certain required compliance programs and certifications, including SOC 2. Because of its importance, pen testing represents a $1.7Bn market growing at 22% a year – but companies are always looking for a way to do it in a faster and easier manner.

Read more here: https://www.1011vc.com/news/why-we-invested-in-netspi/

Star Tribune: NetSPI, a Minneapolis cyber security firm, raises $90 million from new investors

On May 12, 2021, NetSPI President and CEO Aaron Shilts was featured in the Star Tribune.

NetSPI, which works with companies to thwart cyberattacks, has raised $90 million in minority investments from KKR and Ten Eleven Ventures.

The new infusion of capital will help the 225-employee software firm develop and improve products, add clients and hire more people, NetSPI CEO Aaron Shilts said in an interview Wednesday.

Read the full article here: https://www.startribune.com/netspi-a-minneapolis-cyber-security-firm-raises-90-million-new-investors/600056465/

Q&A: How to Securely Manage Healthcare Data

The scope of healthcare data is remarkable. It’s no wonder healthcare cybersecurity is a growing concern as security professionals are challenged by managing and protecting the immense amount of personally identifiable information (PII) and protected health information (PHI) housed in their systems. 

Introduce a public health pandemic to the threat landscape, and the healthcare data management and security challenge grows exponentially. In 2020, more than 29 million healthcare records were breached, with healthcare data breaches up 25 percent year over year, according to HIPAA Journal’s analysis of the U.S. Department of Health and Human Services healthcare breach data figures.

During the 2021 Cyber Security Hub Healthcare Summit, NetSPI managing director Nabil Hannan and RxMx senior director of engineering Jesse Parente sat down to discuss the world of healthcare data management – notably, how to manage sensitive data securely. They explore the healthcare industry’s regulatory pressures, share insights on how to collect, store, and manage healthcare data securely, and explain how to look at a data security program holistically using threat modeling and design review initiatives. Additionally, with the pandemic as a catalyst for digital transformation in the healthcare industry, cloud adoption has soared. Nabil and Jesse discuss the benefits of the cloud for data management, along with its security considerations.

Continue reading for highlights from the discussion, or watch the full session online here.

In a compliance driven industry, such as healthcare, why is risk-based security so critical?

Jesse Parente: Risk-based security in general, regardless of the industry, is critical. At the end of the day, security is about managing risk. The easiest, and the most obvious answer in healthcare is, it can cost you if you’re not focusing on risk. I was looking into the 2020 breach analysis report by IBM and Ponemon Institute and healthcare breaches were the costliest. That’s mostly due to the fact that it’s a very regulated market. You’ve got laws like HIPAA, which was formed and assigned in 1996, so it’s rather old now. And it’s actually a fairly low bar if you think about it. For example, encryption was considered an optional item back then. But in 2009, the HITECH Act was signed into law, and that gave HIPAA some teeth: Breach notification requirements and additional fines for non-compliance. There were almost 730 reported breaches in the last two years. If you do some simple math, that’s about a breach a day… reported breaches. Now, the average cost per record is about $150-$200 and the average number of records exposed or lost was over 3,000. It’s costly to not focus on risk. 

Nabil Hannan: Speaking of breaches and the data involved, ultimately securing personal data is important. People understand why their personal, non-public data should be kept private. If someone else has that information, they could easily impersonate you and ruin things like your credit, or your records, or even steal your identity. And that’s a problem. But we also want to think about healthcare data and the complexities that surround it. For example, there are a lot of children whose data go into medical systems because they go see the doctor. But for a lot of non-adults, when that happens, their parents’ information is also associated with that record. Now you have multiple people whose information is available, their insurance information, home address, financial information in many cases. The importance of securing personal data, especially in the medical field, becomes exponentially more important because of the complexities of your family and relatives whose data may also be associated with your personal records. And the challenge there too, is personal information is something that you can’t easily change. If you, for example, were part of a breach where an attacker accessed your credit card number, you can call up the company and immediately change that number and have a new card sent to you. If your social security number gets breached, you can’t change that. Or if your home address is breached, you’re not going to move in order to change that. There are certain data types that are permanent and cannot be changed, data that presents a higher risk if breached – data that is often found in healthcare systems.

How can healthcare IT and security leaders securely collect, store, and manage data?

Jesse: Before you even collect data or store it or manage it, it’s really important to understand what the data is. Also, there’s a concept of minimum necessary. Do you need this data? You have to do an analysis to understand what the data is and if it is sensitive. Classifying data is a really important piece when you’re going to collect and store it. Additionally, pay attention to where that data goes downstream. This is the management aspect of it. Do the vendors that you work with need or have access to some of this data? In 2013, there was a final Omnibus ruling, which was an addition to HIPAA, and this essentially held business associates or vendors that you work with, accountable for non-compliance as well. So, you also have an obligation to make sure that your vendors are doing the right thing, when it comes to collecting, storing, and securing healthcare data.

Nabil Hannan: There is the actual safe way to store and manage data and then there’s the part of making sure you have the data that’s relevant, and you’re only storing and managing the data that you truly need to maintain your business functionality. A significant number of breaches lately, over the last five years or so, happened because of simple misconfigurations of data storage. So often we see that you may have data stores, such as Amazon S3 buckets, that are meant to be private and internal, but because of the misconfiguration, they’re publicly available to the internet. Understanding what you’re collecting and how it needs to be stored and, then, having automation and processes regularly checking to ensure that the attack surface that your data is exposed to is managed correctly is really important. That’s ultimately the first step: Making sure you have processes in place to ensure that you’re not inadvertently making a configuration change that leaves you exposed.
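The automated check Nabil describes, applied to the S3 misconfiguration he names, as an added example that is not part of the original discussion or NetSPI's tooling. The functions take data shaped like the responses of the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock APIs; the two bucket fixtures and the `assess_bucket`/`scan` function names are constructed for this illustration, and a real job would feed the same functions with boto3 results.

```python
"""Offline check for S3 buckets meant to be private but exposed to the internet
through a public ACL grant or a bucket policy open to any principal.

Added example; the bucket fixtures below are constructed, not real accounts.
"""
import json

# Grantee URIs that mean "anyone on the internet" / "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """A statement is open to everyone when Principal is '*' or {'AWS': '*'}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_acl_grants(acl):
    """Return the permissions the ACL grants to AllUsers or AuthenticatedUsers."""
    return [
        grant["Permission"]
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("Type") == "Group"
        and grant["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS
    ]


def public_policy_statements(policy_json):
    """Split public Allow statements into unconditional ones and conditional ones.

    A Condition block (for example aws:SourceVpce) narrows the grant, so those
    statements are returned separately for a human to review.
    """
    public, conditional = [], []
    if not policy_json:
        return public, conditional
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        (conditional if stmt.get("Condition") else public).append(stmt.get("Sid", "<no Sid>"))
    return public, conditional


def assess_bucket(bucket):
    """Combine ACL, policy and Public Access Block settings into findings."""
    findings = []
    pab = bucket.get("PublicAccessBlockConfiguration") or {}
    if not all(pab.get(k) for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                    "BlockPublicPolicy", "RestrictPublicBuckets")):
        findings.append("PublicAccessBlock not fully enabled")
    # IgnorePublicAcls makes S3 disregard public ACL grants, so they only matter when it is off.
    if not pab.get("IgnorePublicAcls"):
        findings.extend(f"ACL grants {p} to a public group" for p in public_acl_grants(bucket.get("Acl", {})))
    # RestrictPublicBuckets confines a public policy to the owning account and AWS services.
    if not pab.get("RestrictPublicBuckets"):
        public, conditional = public_policy_statements(bucket.get("Policy"))
        findings.extend(f"Policy statement {sid} allows any principal" for sid in public)
        findings.extend(f"Policy statement {sid} is public but conditional; review" for sid in conditional)
    return findings


def scan(buckets):
    """Map each bucket name to its findings; an empty list means nothing public."""
    return {b["Name"]: assess_bucket(b) for b in buckets}


# Constructed fixtures: one bucket left open, one locked down.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-EXAMPLE"}, "Permission": "FULL_CONTROL"}
EXPOSED_BUCKET = {
    "Name": "example-patient-exports",
    "PublicAccessBlockConfiguration": None,  # never configured on this bucket
    "Acl": {"Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-patient-exports/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-patient-exports",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    ]}),
}
LOCKED_BUCKET = {
    "Name": "example-patient-exports-private",
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "Acl": {"Grants": [OWNER_GRANT]},
    "Policy": None,
}

if __name__ == "__main__":
    for name, findings in scan([EXPOSED_BUCKET, LOCKED_BUCKET]).items():
        print(name, "->", findings or "no public exposure")
```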

What can healthcare organizations do now to evaluate their current security posture?

Nabil: There are a lot of common security tactics that healthcare organizations are using today. They are performing regular security scans using automated tools, making sure that their external attack surface is not easily reachable by script kiddies that are also running similar tools on the internet, and performing penetration tests with humans manually testing and breaching systems to identify exploitable areas. To take these initiatives to the next level, start looking at things that tools and automation cannot identify, which is design flaws. To describe this, I typically use home inspection as a parallel. If you’ve bought a house, you’ve probably completed a home inspection. A person shows up and they inspect the house at a basic level, checking the locks, windows, insulation, furnace, roof, etc. to see if they work. But looking at a home from the outside in, you cannot truly determine if the house was designed properly. To understand if the load bearing wall has enough support or not, or to understand if the studs are spaced correctly or not, they have to look at the blueprint and look at the internals of how the house was designed. Similarly, for any system, you have to look at the threat model and how the different components of a system interact with each other. Threat modeling is so important because it is a manual process. Tools are not able to tell you what the greatest risks are. It requires a human to think critically and be clever. With threat modeling, you’re identifying what the assets are in your systems and the threat actors that you should care about. Based on that, you define the threat vectors that the attackers would use to try and get to your assets. With this information, you can start assigning trust zones within your systems and determine how those interactions occur and review whether you have the right controls in place, like authentication, authorization, encryption, error handling and logging and things of that nature.
I think threat modeling is the next step we need to take as an industry because there is a whole different classification of vulnerabilities and issues that come from the design side. Empirically, we see 50 percent of security issues are at the design level and 50 percent are what we call bugs. We have to start doing threat modeling to uncover the inner workings of how our systems are working and interacting together and whether they pose a threat.

Jesse: I think what organizations can do to evaluate their posture is get a baseline. There are tons of ways to do this with frameworks and certifications. One of my favorites is the Cloud Security Alliance, an organization that’s purpose built to support the transition to the cloud. They have something called the Cloud Controls Matrix that helps organizations align to various frameworks, whether that’s NIST, ISO27001, or HIPAA. When it comes to data, oftentimes the software world is pushing these activities to the left, or the idea of shifting left, and that means doing these security-based activities earlier on in a software development lifecycle. A great example is threat modeling. In the design phase, understand what your threats are and figure out ways to mitigate them. In the cloud, we’re shifting, too. The four walls and the castle approach of securing a perimeter, those days are gone. The landscape is shifting as well, as we now see a lot of organizations operating partially in the cloud. Because the data is potentially publicly available, we have to find ways to identify where the data is, where the data is going to go, and how to secure it. There are many cloud providers out there, and with that there are many services to help you manage the data and have visibility into the cloud. And for me, that visibility is one of the key things that has helped my organization manage healthcare data securely. Organizations not leveraging the cloud do not necessarily have that visibility. The last thing to remember is that we need to hold our vendors accountable, understand their security posture and what activities they are doing to help secure the data we share.

How has the pandemic triggered the increased adoption in the cloud?

Jesse: Almost overnight, many organizations were forced to have data and resources available remotely and externally accessible. VPNs were overloaded and people scrambled to find a physical space to work outside of the office. The cloud was – and is – an opportunity to make things available. As we saw in our viewer poll, 42 percent of participants are operating partially in the cloud. It’s clear people are experimenting with the cloud and this comes with its own challenges, as organizations haven’t had the opportunity to fully vet and evaluate the cloud. Remember, we should consider cloud providers as vendors and need to evaluate them as such – and that requires time. That’s the challenge that’s missing from this rush to make things available and it can create serious problems.

Nabil: There is another gap in our knowledge as employees don’t necessarily know how their organization manages its data. It may be completely invisible to us whether an organization increased adoption of the cloud. And that’s how it should be. The whole purpose of cloud-based systems is the ability to scale as needed and have elasticity. Teleconferencing systems are a good example of this. The reason Zoom could support the huge demand of users as the pandemic started was because of the cloud. If they were not using cloud infrastructure for their systems, they would not have been able to support the large number of users because it was not expected or planned. And then there are security considerations to think about too. Just because you’re in the cloud and the cloud providers are providing you with a certain baseline of security controls and protection, that doesn’t mean that you don’t have to think about security anymore. Ensure you understand the implications of your transition from a traditional data center deployment to the cloud, and ensure you’re maintaining regular best practice initiatives around things like configuration reviews, design reviews, and threat modeling. Be sure to understand the risk implications of the decisions you’re making.

10 Questions to Ask Penetration Testing Companies Before You Buy

Choosing the best pentesting company for your organization is not a simple decision given the hundreds of providers vying for your business, each offering varying levels of expertise, testing methodologies, and technologies to perform penetration tests.

To help you identify the best penetration testing companies for your needs, it is important to ask the right questions. To get started, here are 10 essential questions to ask potential pentesting companies during the RFP process – and what to look for in their responses.

  1. Are your resources contracted resources? If not, what are your hiring practices?
    Ask this question to understand how a company sources its pentesters, project managers, and other day-to-day practitioners working on your assessment. Would you prefer working with a team that works together often or a team of outsourced experts? The answer should also provide insight into the effort an employer puts into finding the best talent. It is especially important to understand how the company trains its staff and ensures they have the expertise needed for your testing.
  2. Which regulatory bodies and compliance frameworks does my organization need to be aware of?
    Test the industry knowledge of the pentest companies you are evaluating. Learn how well they understand the external pressures your organization is facing and the additional expertise they can bring to the table.
  3. Can you share a breakdown of the tool-based vs. manual effort that goes into a typical penetration testing engagement?
    Find the right balance between automated scanning and manual testing based on the requirements of your organization. The answer should also reveal the company’s testing methodology and give you an understanding of the vulnerability management tools they use. Remember, automated scanners do not find critical business logic vulnerabilities; those require manual testing.
  4. How do you ensure your team is up to date on the latest certifications and training?
    The answer to this question will be an indicator of how much the company values its employees’ continued education and advancement. A company that strives for innovation will have a long list of processes, checklists, peer reviews, and more. Beyond external trainings and certifications, be sure to ask about the technology the organization is leveraging to ensure that the quality of an assessment doesn’t depend solely on the tenure of the individual assessor.
  5. How do you ensure return on investment (ROI) from each engagement?
    Ensure your testing partner is maximizing your investment to find business-impactful vulnerabilities, not spending it on administrative tasks. ROI for security initiatives can be difficult to measure, and pentesting is no exception. Pentest efficiency is a great place to start. Ask the prospective companies how they reduce or eliminate the administrative burden of de-duplication and vulnerability tracking, how they enable multiple testers to work simultaneously, and what automated processes they have in place to enable their pentesters to perform a test efficiently and thoroughly.
  6. How do you contribute to the greater security community?
    Instead of asking an organization to “describe your culture,” ask this question. Explore the various ways a pentest company participates in the security community to gauge its drive to innovate. Review its open source tools, GitHub repositories, public trainings, conference participation, community involvement, and more. This will show whether its mission/vision statement is actually being delivered in its day-to-day efforts.
  7. What do you consider your specific focus areas?
    A straightforward question that can reveal a lot about a pentest company. Which types of pentesting (application, infrastructure, cloud, mobile, red teaming, etc.) are they hired for most? Do they have specific industry niches? What types of companies, in which industries, do they work with? Which technologies enable their services?
  8. How do you ensure consistency and repeatability across all engagements?
    Consistency is key in penetration testing. How can you ensure that your results don’t vary by tester? In this response, look for how they centralize communication, maintain repeatable processes, validate vulnerabilities, and track the progress of each test.
  9. How do you plan to grow with my organization over time?
    Maintaining a relationship with one pentest company over time has its benefits, but only if that company can scale with your business. Talk about the plans for your organization and learn how each company can support you at every part of your growth journey.
  10. What areas are not addressed within this RFP?
    A key benefit of working with a third-party penetration testing company is that it should be able to look at your security program holistically. Ask this question to explore other possible areas of risk and, as a bonus, learn how the company delivers its recommendations.
Download our 4-part guide: How to Choose the Best Penetration Testing Company
