Penetration Testing mailing list archives
Re: [PEN-TEST] Pen-testing reports
From: bacano <bacano () ESOTERICA PT>
Date: Mon, 26 Mar 2001 22:04:31 +0100
hi2all

From: "Mehmet Murat Gunsay" <mgunsay () BTKOM COM>
> I'd like to have a general idea about the penetration testing reports that
> people from this mailing list offer to their customers. I'm not sure if the
> reports we provide as a company are adequate or even good enough.

Well ... I don't think it is usual to 'give away' just like that to competitors a template or something like it, so don't expect much ... (just a guess)
> By finding the listening ports on a given subnet, we try to find what
> services or programs are running and so forth.

That is a way to find data for a report, but that output can't be the report itself.
> However, as this approach sometimes may get too deep, pricing such a test
> also becomes an issue.

The approach MUST be deeper, but the report must compile the results of that approach in a more friendly language. Remember this: who will read your report? Regarding pricing, how much is your work hour? How many hours will you spend in a day? How many days will you need? ... mathematics can do the rest ... I must ask this, don't you have any kind of objective like "you must do a zero knowledge pen-test in two days, else you are out of work" ? :>
> Is there a specific measure that some of you use for pricing?

I know how much is my work hour, you must find the right price for yours ... if it is too cheap your potential customer will question the quality, if it is too high they will look elsewhere.
> I believe replies for these questions will help us greatly in redefining
> our standards and measures. Thanks in advance for all the replies.

Being a good pen-tester from the technical point of view is not enough to get a business running in that area. Usually the 'social' skillz of a pen-tester can be very useful in the 'commercial' area ... use those in a positive way, but don't expect too much regarding competitors teaching you how to run your business. If some of them do that to you, can you trust that info? Remember, they are competitors ... You must read Sun Tzu Ping Fa: "Without subtle ingenuity of mind, one cannot make certain of the truth of their reports" =;o)

[ ]'s bacano