Penetration Testing Methodology

NetSPI’s team of experts uses a wide variety of tools and manual testing techniques to drive results based on insight—not just scanner output. Our disciplined, consistent methodology is the key to delivering outstanding results.

Penetration testing focuses on two key areas:

  1. The testing process, which is vital to effectively gathering the information required to identify areas of weakness in your current environment; and then
  2. Turning that raw testing data into usable, actionable information that provides the structure needed to achieve repeatable, reliable results over the long term.

In addition to thoroughly testing your environment using a combination of automated testing tools and manual processes, we accelerate remediation by:

  1. Walking your team through our detailed vulnerability data to ensure you fully understand the implications of each finding.
  2. Delivering an exact roadmap of what must be done to address the weaknesses that have been identified.
  3. Offering alternative approaches based on our experience in similar environments in your industry.

NetSPI Six-Phase Testing Methodology

Phase 1: Information Gathering

Each engagement begins with a kick-off meeting that includes representatives from NetSPI and Client to ensure our collective team is in agreement regarding the scope, expectations, timeframe, resource requirements, and logistics of the assessment. During the meeting, a Client executive/project sponsor is identified who will be responsible for ensuring all parameters are addressed throughout the assessment and that work performed meets or exceeds your expectations.

NetSPI may also ask to schedule interviews with key Client representatives, as well as research and review Client’s current security protocols to identify and scope known areas of risk. This may include detailed reviews of your existing security program, policies, guidelines, and procedures.

Phase 2: Testing and Evaluation

Once our team understands the background and specifics of your environment, we begin testing for vulnerabilities and potential entry points—first using automated scanning tools, and then moving on to more sophisticated manual testing.

Phase 3: Data Analysis

Next, the NetSPI team analyzes and validates all related findings to identify vulnerabilities and areas for improvement. The analysis is based on information gathered in Phase 1 interviews and research, knowledge of the applications and systems being tested, and detailed test results at the application, system, and network layers. Based on the results of our analysis, we create specific recommendations for remediation and improvement. These findings, vulnerabilities, and recommendations are outlined in a Preliminary Report.

Phase 4: Collaboration/Prioritization

No matter how much information we gather about your unique environment and security protocols, we can’t possibly know everything about how our findings and recommendations will impact your business. That’s why Phase 4 is designed to be a highly collaborative exchange between NetSPI’s security experts and the internal team at Client. We begin by presenting an overview of our findings, and then reviewing the preliminary report with the entire assessment team. Together we will work through any additional feedback, comments, or challenges to the findings to ensure the final recommendations are as accurate and complete as possible. Once NetSPI and Client have agreed to any necessary changes to the report, NetSPI will amend the preliminary report to create a final findings report.

Phase 5: Findings Presentation

As each assessment during the subscription term is completed, NetSPI presents our final report to Client. The final report includes detailed findings, recommendations for immediate improvements, and recommendations for longer-term improvements to Client’s security practices. To make the report as actionable as possible, it is delivered through The NetSPI Platform to streamline collaboration between Client security and development teams. Findings can be exported to a variety of formats, including a detailed PDF report, CSV file, and XML. If requested, we are also happy to deliver a client-facing letter of attestation to help provide your end-customers with greater peace of mind, knowing that your systems have been properly tested and are as safe as possible from potential security breaches.

Phase 6: Continuous Testing

As a PTaaS client, you can select to enhance your standard penetration tests with recurring touchpoints throughout the year. Between your deep-dive manual penetration tests, you can connect directly with your assigned NetSPI team in The NetSPI Platform to request additional testing for the supported service lines.