You have leadership buy-in to invest in a proactive cybersecurity program to better protect your organization from security breaches that could put your organization at grave risk. And you’ve committed to building an ongoing and continuous vulnerability management program to guard against the potential threats to your assets. Now what?

Putting a successful vulnerability management program in place needs careful consideration up-front to ensure your organization is set up for success to remediate vulnerabilities for each application and system you have. The following checklist breaks the best practices process down and provides you with a planning roadmap to getting the most value out of a penetration testing and vulnerability management program.

Penetration Testing Program Plan of Attack


Elements of Success


Step One:
The Plan

Develop a plan that puts structure and strength around cybersecurity to include continuous vulnerability testing and patching, incident response plans, and training and security awareness programs. The ultimate goal? Decrease time to remediation and to close security gaps in your network.

Clearly define the scope, objectives, identification of testing, and the order in which they are to be performed.

Build a vulnerability management team. This could include both in-house talent as well as industry analysts or consultants. When choosing a pentesting service provider, ask about the credentials of their pentesting team, beyond technical competencies. Will your team be comprised of a dedicated work group or an outsourced group who haven’t previously worked together, for example. Team structure has implications on streamlined communications and in knowing who is inside your network.

Augment with careful preliminary risk planning with contingency plans should any services be unintentionally disrupted.

Types of penetration testing:

□  Develop a high-level vulnerability management plan – be sure to include non-negotiables such as scalability and continuous testing

□  Present your case to business leadership; gain agreement on budge

□  Refine plan and define ownership and scope of your program to include personnel and their roles and responsibilities

□  Develop policies, standards, and procedures

□  Determine merchandising strategy – to bring visibility to the program’s successes

Step Two: Scanning and Assessment

Layer in automated scanning functions that deliver results that can be easily sorted and acted upon with human capital to find and fix vulnerabilities.

Create an enumeration (list and count) of suspected vulnerabilities that are enumerated only after using multiple automated tools over time, not just one single tool.

Build in further analysis of suspected vulnerabilities using specialized tools and manual techniques as required.

□  Identify all assets you want to scan

□  Define vulnerability landscape:

  • Common vulnerabilities and exposures (CVEs)
  • Common configuration and enumeration (CCEs)
  • Architecture
  • Design

□  Define actionable reporting structure of vulnerabilities

□  Deploy automated vulnerability scanning, use authenticated mode to scan high-value resources

□  Prioritize pentesting cadence, beginning with an external network penetration test followed by internal network testing

□  Commence manual pentesting

Step Three: Preparing for Risk-Based Remediation

Develop a risk-based remediation plan commensurate with your program’s maturity level and appetite for business risk.

Employ a comprehensive verification of high-risk vulnerabilities including but not limited to safe exploitation of these vulnerabilities using both automated and manual processes, including the injection of malicious code when called for.

□  Rank vulnerabilities through an established remediation timeline. For example:

  • Critical = 7 days
  • High = 2 weeks
  • Medium = 1 month
  • Low = Patch driven updates

□  Assign application and system remediation owner

□  Build in business leadership approvals for long lead remediations

Step Four: Ongoing Reporting and Improvement

Automate your vulnerability management program as much as possible: spreadsheets, emails, and document sharing portals are insufficient for most organizations, large ones in particular. Automation enables 24/7 pentest report visibility with business leadership and continuous improvement.

Find a penetration testing reporting platform that is engaging and customizable to showcase what is most important to your business, one that can track and compare data over time.

Learn about the NetSPI Resolve™ platform.

□  Build a reporting framework – for the pentesting team and for business leadership

□  Identify continual improvement opportunities

□  Use comparison data to showcase progress over time and highlight successes

All organizations should aspire to have the people, processes, and tools necessary to effectively execute an ongoing vulnerability management program. Failure to do so may result in poor tool selections, testing mistakes, and faulty interpretation of vulnerability scanner and pentest results that often lead to a false sense of security and could put the enterprise at risk. By building out a vulnerability management plan, as depicted above, you can dramatically increase the security of your enterprise and can be better assured to reach your ultimate goal: to decrease time to remediation and close any security gaps in your network.