What Can You Expect From Schellman’s Penetration Test Team?

When it comes to cybersecurity, you can never be too careful—especially when it comes to placing your trust in those who help you understand and secure your environment.

With all its variances, pen testing itself can be tailored to your needs. Those needs, plus a myriad of other factors, will play into who you finally turn to for testing. Given the stakes, this decision is an important one and we want to make it a little bit easier.

Maybe you’re already in discussions with Schellman’s team, or maybe you’re only just starting to consider us. Either way, we want to help inform your decision on whether to move forward in talks with Schellman as a potential penetration test provider.

That’s why, in this article, we’ll delve into Schellman’s approach and our team’s unique qualities that will affect your pen test experience. We have ten differentiators that we believe set us apart from other firms, and you’ll read about them all.

In the end, it’ll be for you to decide if we’re the right pen test team for you, but the information we’ll present here will make that decision easier.

10 Things You Can Expect from Your Schellman Penetration Test Experience

1. Wide Range of Experience

At Schellman, we like to say we’re “renowned for expertise tempered by practical experience,” which is certainly true of our pen testers.

Regarding expertise, the Schellman Pen Test Team is composed of subject matter experts with varying backgrounds. As such, each person lends a different and valuable perspective that can be beneficial in different use cases. But no matter their previous knowledge, all members of our team have passed a Schellman capture-the-flag (CTF) skill assessment—that’s a requirement prior to their coming aboard here.

Moreover, to ensure that we conduct adequate testing, all our engagements will feature an experienced Penetration Tester. And you can rest assured that every Schellman Pen Tester—no matter their background—shares the same ambition and goal: to secure your environment.

2. A Thorough Preparatory Approach

We’ll take special care to learn and understand your environment and applications.

For any complex, specialized applications, our testers will review your online documentation to establish a knowledge baseline of your platform. This helps us identify the primary risks facing your organization, as well as less pertinent risks.

Such preparation also helps our team develop niche attacks, such as those that uncover business logic vulnerabilities, which cannot be identified by automated tools alone or without real insight into how your application works.

3. Certified Professionals Doing the Work

Experience and preparation go a long way, but industry-standard certifications help as well, and here’s what you can expect from your Schellman team:

  • Senior Pen Testers on our team have our profession’s coveted Offensive Security Certified Professional (OSCP) certification.
  • Every member of our team has at least 150 hours per year to dedicate to personal development.
    • In using that time, many have obtained more prestigious or targeted certifications—for example, the Offensive Security Experienced Penetration Tester (OSEP) certification or the Burp Suite Certified Practitioner certification.

4. No Third-Party Contractors

With all that said, we also do not outsource any of our pen test work. All of our testers:

  • Are directly employed by Schellman
  • Have passed a background check

5. Secure Transfer of All Information (Through Our Platform, AuditSource)

During your pen test, none of your pen testers will be subcontracted, and we’ll use Schellman’s proprietary secure file transfer and communication portal—AuditSource—to facilitate the transfer of information between you and the testing team.

That means we will not send any confidential information via e-mail – all data will reside within our secure platform. Additionally, AuditSource will only permit specific, designated users from your company to access your assessment data.

6. Constant Communication / “No Surprises” Policy

Speaking of communication, it will be constant as we work together. Every week, we’ll provide you with a status update, which will contain new findings as well as testing impediments or concerns. We’ll also make ourselves available for a weekly readout of the status update.

What’s more, our pen test team has a “no surprises” policy, meaning that if we identify any high-risk findings, we will notify you within 24 hours of verification so that you’re not caught off guard at any point.

7. No False Positives

In the same vein, you should understand that our pen tests are not merely vulnerability scans. We will confirm and validate all findings and potential findings to ensure they aren’t just hypothetical possibilities.

Therefore, the final report will only include findings that have been exploited, are exploitable, and/or present true business risk.

8. High-Quality Deliverables

Once we complete testing, we’ll provide a thorough report that will have been reviewed by three members of the management team, each focusing on technical accuracy, overall completeness, and readability.

We’ve designed our deliverables to be read by everyone from C-Suite executives to the administrators who will be performing the remediation. We’ll provide you with all our findings, of course, but you’ll also get:

  • Quantitative data provided within the Executive Summary
  • Visual evidence to justify each finding
  • An explanation behind the vulnerability and business impact within each finding outline
  • Remediation details for your technical team, including a step-by-step procedure to help your team validate findings

9. Retest Included

Should you contract for a penetration test with Schellman, you will also be entitled to request a retest of all originally identified findings.

Upon completion of the retest, we’ll issue a separate deliverable stating which findings were remediated.

10. Proven Track Record of Results

In just the last year, Schellman conducted over 200 penetration tests. All findings are confidential, so we can’t detail them here, but we will float the idea that there’s a reason our clients come back year after year.

Next Steps for Your Penetration Test with Schellman

At Schellman, we take our work in helping you provide assurances to your customers very seriously. When it comes to our pen test team, we’ve cultivated a passionate group with ample and diverse experience bolstered by coveted industry certifications. Our methodology has been tailored to ensure that you're put into an informed position for remediation.

We admit that we might be a bit biased when we say all this, of course. But having read this, you now have an understanding of why we would be a good fit as your penetration test provider.

If you find yourself interested, we’d love to speak with you further on how we can help your organization specifically. Please feel free to complete our scoping questionnaire so that we can reach out and have a tailored conversation surrounding your needs and concerns.

About the Author

Austin Bentley

Austin Bentley is a Penetration Tester with Schellman, based in Kansas City, Missouri. Prior to joining Schellman, Austin worked as a Penetration Tester for a large financial institution, specializing in Application Security and Internal Pentesting. Austin also led and supported various other projects, including security automation and code review.
