Marcus Siess

Marcus Siess leads NetSPI's Solution Architecture team and works hand in hand with clients to understand and advise on security program goals. Marcus aligns NetSPI's manual testing services to improve clients’ security posture and elevate their security testing and vulnerability management programs. Prior to NetSPI, Marcus held positions at Firemon, Optiv and FishNet Security as a Product Manager and Director of Strategic Solutions.
Components of an Effective Penetration Testing RFP

Published 2022-09-20
You are unhappy with your current pentesting provider; automated testing isn’t providing the results you need; you are required to rotate your pentesting vendor annually; a budget request was approved for your organization’s first penetration testing program.  

Whatever the reason, most security leaders will find themselves taking part in the pentesting vendor selection process at some point in their career. 

Embarking on the search for a new vendor is no easy task, especially in today’s marketplace with hundreds of partners of varying methodologies and expertise. To choose the penetration testing company that will be the best fit for your organization, you must choose the questions you ask carefully.

A penetration testing Request for Proposal (RFP) communicates essential information about the project and services you need – including the logistics of the project, such as objectives and timeline. A detailed and focused RFP questionnaire can set the trajectory for the success of your program.  

So, what exactly makes an effective penetration testing RFP? Let’s take a look at a few core components.  

Security Testing Objectives 

When writing an effective RFP, be sure to answer these questions:  

  1. How will you use the test results?
  2. What do you hope to achieve with these services?

Clearly defining your test objectives at the start will help vendors better understand how your organization views pentesting, what services to recommend, and what methodology to use to achieve those objectives.  

Business Overview 

You can’t expect a vendor to recommend services without a baseline understanding of your business. What does your organization do? What types of data do you store or process? What’s at risk if you were to experience a security incident? 

Selection Criteria 

Establish clear criteria to weed out the outliers and create a pool of qualified partners. Define what you are looking for in your vendor partner and, if applicable, explain what was lacking in your past partner(s). 

Recommended Services  

Additional emphasis on “recommended.” Leave the services recommendations section open-ended to allow vendors to provide strategic suggestions that extend beyond your initial proposal if they see the need for it. 

Pricing Summary 

Pricing is one of the more foundational components of an RFP, or as some call it, a Request for Quote (RFQ). Beyond asking for a general quote estimate, ask vendors to break down how they price their services, how change orders are processed, how they handle out-of-scope adjustments, vulnerability retesting costs, and any other logistical information. This extra information will help you avoid hidden costs in the future. 

Penetration Testing Methodology 

This section digs into how the pentest will be performed. It is arguably one of the most important pieces of an RFP for penetration testing.

Some questions to consider: How do they ensure consistency? What is their vulnerability validation process? How do they escalate the discovery of high and critical vulnerabilities? 

At a very high level, there are three core pentesting methodologies to keep an eye out for: 

  • Automated, technology-driven testing. Similar to a SaaS delivery model. 
  • Manual testing using available resources. 
  • Hybrid testing approach that leverages a combination of automated and manual testing. See: NetSPI’s Penetration Testing as a Service (PTaaS) approach. 

The methodology you ultimately choose should depend on your organizational objectives and needs.  

Vendor Risk Management Questionnaire 

Vendor risk management, third party risk management, supply chain security... regardless of what you call it, it’s crucial that you ask vendors what security practices they have in place to protect the integrity of your data. Here are five core initiatives to inquire about: 

  • Company policy for performing screening and background checks on employees to ensure that none of the people hired pose an information security threat. 
  • Training processes to inform employees on the privacy, security policies, and procedures necessary to meet the obligations of this project. 
  • How the vendor will protect and store your data at rest and in transit and how/when the data is purged from their systems. 
  • Third party risk management policies and details. 
  • Business Continuity Plan. 

References  

Now it’s time to evaluate the vendor’s ability to complete the project. Ask the pentesting vendor to provide 3-4 references for you to review. This is validation that they are familiar with your industry, your objectives, and the type of services requested. 

Download our Penetration Testing RFP Template 

The RFP process may feel administrative and tactical on the surface. But a strong pentesting RFP is foundational to your overall security program success.  

Choosing the wrong pentesting partner can leave organizations in a challenging and expensive situation.  

To help, NetSPI examined the thousands of RFPs we’ve participated in to create a comprehensive template RFP for penetration testing services. In the template, you’ll find prompts and example questionnaires for the above components – and much more. Best of luck with your search!
