Here’s a breakdown of the steps security teams have to take to schedule a pentest via traditional vendors. Notice that more than half of them are just to set the pentest up.
This process can take weeks, if not months, and no part of it is efficient or cost-effective. Our platform aims to change that by automating and streamlining these steps.
SANS analyst Matt Bromiley recently produced a white paper that reviews our platform, stating that...
“within a matter of minutes, we could add an asset and schedule a test against it, allowing us to address business risks in a matter of moments.”
In this article we’ll summarize the features that enable this result and, more importantly, what the impact can be on efficiency and productivity.
Share asset info straight in the platform
One of the first features Matt appreciated was the ability to store asset information directly in the platform as plaintext, or via related documents he could drag and drop. For his review he wanted to pentest a Linux virtual machine in Microsoft Azure, and the platform allowed him to share details on the system, what it’s used for, and testing credentials.
Why would he want to share this information? As Matt put it, “Successful penetration tests begin and end with proper asset classification. If you are asking someone to test your environment, you should have knowledge about what you are testing and expect to receive from the test.”
The platform guides users on how to provide the necessary information, either with clear questions or templates. One example is the “Description template” icon in Matt’s screenshot. When users click it, it expands and shares suggestions on what to include in the associated field, so that Cobalt has enough information to source the right talent for the pentest.
As a result, teams can set up pentests at a time and place suited to them.
Define your assets once, and schedule recurring tests in minutes
Another valuable point Matt highlighted is the potential to repeat pentests with consistency. Once the first pentest is done, our platform retains the asset information and lets teams schedule multiple tests against that asset over time.
Scheduling becomes a matter of a couple of clicks. This also enables teams to compare findings over time, link performance data and make more strategic decisions around remediation.
“One of the biggest inconsistencies we see in the industry is that tests may not be cognizant of previous tests, essentially reinventing the wheel each time. Cobalt eliminates this problem, and we loved it.”
That being said, changes happen and teams can update their asset descriptions with ease. If the “why” behind the pentest has also changed, teams can specify new objectives and instructions.
Launch tests as you see fit with on-demand scheduling
Once Matt had provided all the relevant information on his Linux virtual machine, he clicked on “Start a Pentest” and observed the status changes on his dashboard. His test was up and running in less than 2 business days, which is our commitment to every Cobalt customer.
When teams have access to pentests on such short notice, they can respond much more quickly to changes in their environment, discoveries of new threats, or customer and compliance requirements.
To read the full SANS review of our Pentest as a Service platform, make sure to download the white paper.