Penetration Testing

One of the most common questions that we are asked is “Do you do Penetration Testing?” We absolutely do — but we design each engagement so that it contains the best elements of both a penetration test and a comprehensive vulnerability assessment.

When do I need a pentest?

  • Your organization has a robust, mature information security governance program.

  • Your information security team performs regular internal tabletop and purple team exercises to validate your internal policies and controls.

  • You have a mature and regularly-tested information security incident response plan with a well-trained team that is integrated with disaster recovery and risk management teams outside of IT.

  • You’re about to launch a new service and want a security deep dive of a very specific platform or application.

  • You are not aware of any unmitigated vulnerabilities in your environment but want an independent evaluation of your security.

When you need a Vulnerability Assessment

  • You know or suspect that security vulnerabilities exist in your environment, but you don’t know the extent or scope.

  • You’ve had a recent security incident and you’re concerned that additional vulnerabilities may exist.

  • Your information security program is new or is still working to get to a level where roles and responsibilities are clearly defined, a security framework has been adopted, and security concerns have been shared with the organization’s broader risk management leadership.

  • Stakeholders, key clients, and other important individuals in your organization have begun asking about the organization’s security posture, often in response to a cybersecurity event reported in the news or experienced at another organization.

  • Your organization has made the decision to formalize your information security program, but you don’t know where to start.

The Cyber Stoics Difference

The first question we have for any potential client who is asking for a security assessment is “what are your goals?” It is important to clearly understand why an organization is undertaking a security assessment. We’ll then build a custom proposal that meets your technical, business, reporting, and compliance needs. Once we’ve come to an agreement about the type of assessment, scope, number of physical office locations to be assessed, types of cloud services to involve, and more, we can get started.

Many cybersecurity practitioners carry out vulnerability assessments simply by running an automated vulnerability scanning tool like Nessus or OpenVAS. These are automated scanners that do not require any skill or expertise on the part of the security engineer to run — the tool interrogates a networked environment, performs a series of automated tests, and generates a PDF. Many vendors simply add their logo and contact information to the PDF and deliver it to the customer.

At Cyber Stoics, we carry out comprehensive, engineer-driven vulnerability assessments. We’ll use vulnerability scanners in the process, but they’re just one tool in our overflowing toolbox that we use to thoroughly identify vulnerabilities across your environment.

How Does an Assessment Work?

While we customize our work plans for each client’s specific environment and requirements, the high-level steps are fairly similar. Once we have an agreement, we will:

  1. Schedule and conduct a kick-off meeting
    We’ll conduct this either in-person or remotely depending on our client’s preference.

  2. Carry out the technical assessment
    This is heads-down work carried out by the Cyber Stoics team. We won’t be using much of your IT staff’s time during the actual assessment, other than to answer any questions that may arise from your team.

  3. Prepare a comprehensive written report, which includes detailed findings and prioritized recommendations for remediation.

  4. Present the findings of the report to the IT and Infosec Teams

  5. Present the findings to senior leadership, the board, or other key internal/external stakeholders

Many of our clients will engage Cyber Stoics for a follow-up engagement to assist with remediation, to help launch a new information security program, or to simply keep the team “on track.” Unlike many other vendors in the cybersecurity space, we do not use our information security reports as a tool to drive future sales.

Our Services

  • Vulnerability Assessments

    We use the same tools, techniques, and procedures as real-world threat actors to identify vulnerabilities in your technical environment.

  • Security Architecture and Design

    The best way to build a secure system is to design it to be secure from day one. We can help you to incorporate secure design principles into any upcoming deployments.

  • Incident Response

    Does everyone know what to do in the event of a cybersecurity incident? We’ll help your team design, test, and deploy a robust incident response plan.

  • Risk Management

    We apply a risk management philosophy to our work with clients. A vulnerability rating score is meaningless if not considered in your organization’s unique context.

  • Virtual CISO Services

    Need a part time Chief Information Security Officer to help build, guide, or advise your security team? We can help.

  • Security Analytics and Threat Intelligence

    Want to know if the security of a product or service is up to your standards? We regularly perform independent evaluations of cloud and software providers to identify gaps between their offerings and your policy requirements.

  • Secure Cloud Computing

    Using services like Google, M365, AWS, Azure, or Salesforce? Security of your data in these platforms is still largely your responsibility. We can help.

  • Security Awareness and Training

    Do your users know what to do when they encounter a cybersecurity threat? Do they know how to identify one? We’ll help you to build an effective training program that isn’t seen as an annual chore by your staff.

  • Continuous Monitoring

    While prevention of threats is important, detection is critical. We’ll help you to find a continuous monitoring solution that fits your needs. We are not a solutions reseller and will work with you to find the best product or solution for your organization.

  • Compliance and Regulatory Knowledge

    Many of our clients are inundated with questionnaires asking about their PCI, HIPAA, or SOX compliance, or are being asked detailed cybersecurity questions by auditors or insurers. We don’t believe in checkbox compliance; rather, we’ll help you build an information security governance program that makes compliance obligations a breeze.

Meet the Team

  • Eric Smith

    Founder, Ethical Hacker & CISO

  • Owen Smith

    Ethical Hacker & CMO

  • Amelia Smith

    Ethical Hacker & COO

  • Biscuit

    Certified Therapy Dog