For many organizations, stakeholders are nothing more than the people who have to buy into a pentest to make it happen. While it's true that, to a certain extent, getting started is the most important step, making the most of a pentest means involving the people who matter, both during the pentest and after it. That isn't always possible in a traditional pentest, where all interaction with the pentester is handled through a PDF report and a call to discuss the findings. But with pentest-as-a-service and platforms like those offered by Cyver, that changes.

Rather than a limited, old-fashioned PDF report and a call, Cyver delivers pentest deliverables as tickets, with interactive reports, direct communication between developers and pentesters, and free retesting for the first 30 days after the pentest. This delivery model is designed to make it easier to actually remediate findings and to improve security in practice. At the same time, it requires a shift in mindset on the part of the organization requesting the pentest, because you have to involve teams and stakeholders. Making the most of your pentest means deciding who is accountable for what, who needs to be involved, and what the process is.

Pentest Reports as an Interactive Dashboard 

In traditional pentest reporting, you receive a static PDF document. With Cyver, you receive vulnerabilities in our secure pentest management portal as they're found. At the end of the test, your pentest lead delivers a summary report, with findings mapped to any compliance requirements relevant to your organization. Instead of having to break the report down to share findings with the people responsible for delivering fixes, you can simply onboard them to the platform. If you onboard teams and set responsibilities, such as ownership of an asset, the owner receives notifications as vulnerabilities are released. That means they can bring those vulnerabilities into the next sprint, start remediation immediately, and take steps to secure the asset.

Selecting Key Stakeholders for Vulnerability Remediation

Receiving findings as tickets means you can skip the middleman and push those findings directly to the people responsible for fixing them. That means changing the process from a top-down push of vulnerabilities to teams to a more Agile environment in which developers and IT receive findings directly from the pentester.

  • Who’s responsible for which asset/module? 
  • Can you hand one person final ownership of each asset, so they are responsible for ensuring a fix? 
  • If you have a small company, does it make sense to onboard the full dev team? Can you still set a lead?
  • Does it make sense to export vulnerability fixes to Jira for easier accountability and work management? 

Ultimately, the idea is to set ownership to drive accountability and transparency across fixes. If you know who's responsible for a vulnerability finding, or for all vulnerabilities related to an asset, you know where to go to make sure they've been fixed. And by assigning specific responsibility, you ensure that vulnerability fixes don't become backlog items that are lost forever.

Integrate High-Level Oversight 

It doesn't make sense to share specific details about vulnerabilities with non-technical people. However, it's still important that those people can see what's happening, what's being done about it, and when. Cyver delivers report dashboards with high-level views, such as findings mapped by asset, by criticality, and to compliance frameworks. This means you can generate reports and share information on a need-to-know basis, so the people who need visibility into security get it. You can onboard those stakeholders to the platform directly, where they can interact with a security dashboard and metrics in real time, or you can generate a PDF report to give them a more traditional pentesting experience.

This kind of data is important for board members, compliance officers, and finance because it allows them to make key decisions, both about cybersecurity and about budgeting for future pentests.

Plus, with Cyver's integrated vulnerability management features, you can always share the real-time status of reports. That means you can see time-to-fix and remediation rates, see how many open vulnerabilities are tracked to each asset, and share the severity of each one.
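To make the metrics above concrete, here is a small added example (not Cyver's code, and not its data model) that treats each finding as a ticket and computes the numbers a vulnerability-management dashboard would show: open findings per asset and severity, mean time to fix, remediation rate, and overdue tickets. The ticket field names, the sample findings and dates, and the per-severity SLA days are all assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SEVERITIES = ["critical", "high", "medium", "low"]

# Hypothetical remediation SLA in days per severity (placeholder values, not Cyver's).
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass
class Finding:
    """One pentest finding delivered as a ticket (field names are assumed)."""
    ticket_id: str
    asset: str
    severity: str
    opened: datetime
    fixed: Optional[datetime] = None  # None while the ticket is still open


# Constructed sample tickets; ids, assets and dates are made up for this example.
FINDINGS = [
    Finding("VULN-1", "api-gateway", "critical", datetime(2024, 3, 1), datetime(2024, 3, 3)),
    Finding("VULN-2", "api-gateway", "high", datetime(2024, 3, 1), datetime(2024, 3, 6)),
    Finding("VULN-3", "customer-portal", "high", datetime(2024, 3, 2)),
    Finding("VULN-4", "customer-portal", "medium", datetime(2024, 3, 2), datetime(2024, 3, 10)),
    Finding("VULN-5", "customer-portal", "low", datetime(2024, 3, 5)),
    Finding("VULN-6", "api-gateway", "critical", datetime(2024, 3, 8)),
]
NOW = datetime(2024, 3, 20)  # assumed "current" date for the report


def open_findings_by_asset(findings):
    """Count open tickets per asset and severity -> {asset: {severity: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        if f.fixed is None:
            counts[f.asset][f.severity] += 1
    return {asset: dict(by_sev) for asset, by_sev in counts.items()}


def mean_time_to_fix_hours(findings, severity=None):
    """Average open-to-fixed time in hours over fixed tickets, optionally for one severity.

    Returns None when no ticket of that severity has been fixed yet, so a
    dashboard can show "n/a" instead of a misleading zero.
    """
    durations = [
        (f.fixed - f.opened).total_seconds() / 3600
        for f in findings
        if f.fixed is not None and (severity is None or f.severity == severity)
    ]
    return sum(durations) / len(durations) if durations else None


def remediation_rate(findings):
    """Fraction of all tickets that have been fixed (0.0 when there are no tickets)."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.fixed is not None) / len(findings)


def overdue_tickets(findings, now, sla_days=SLA_DAYS):
    """Ids of open tickets older than their severity's SLA, most severe first."""
    late = [
        f for f in findings
        if f.fixed is None and now - f.opened > timedelta(days=sla_days[f.severity])
    ]
    late.sort(key=lambda f: (SEVERITIES.index(f.severity), f.ticket_id))
    return [f.ticket_id for f in late]


def stakeholder_summary(findings, now):
    """High-level view without vulnerability details, for a board or compliance dashboard."""
    return {
        "total": len(findings),
        "open": sum(1 for f in findings if f.fixed is None),
        "remediation_rate": remediation_rate(findings),
        "mean_time_to_fix_hours": mean_time_to_fix_hours(findings),
        "open_by_asset": open_findings_by_asset(findings),
        "overdue": overdue_tickets(findings, now),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(stakeholder_summary(FINDINGS, NOW), indent=2))
```

The summary deliberately carries counts, rates and ticket ids only, so it can be shared with non-technical stakeholders without exposing vulnerability details; the asset owners see the full tickets separately.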

Onboarding stakeholders like developers, IT, and compliance officers can make a huge difference in how pentests are seen and managed. Today, most developers view pentests as disruptive interruptions. Making them stakeholders, with ownership of results and a direct line of communication to the pentester, can change that by building a collaborative process in which everyone works towards the same goal: a secure end result.

Of course, you shouldn't forget traditional stakeholders, and you still need buy-in from finance and other key decision-makers. Cyver offers plenty of tools to give those stakeholders the specific information they need, in the form of interactive dashboards and living documents that are updated as vulnerabilities are remediated. If you want to learn more about our pentest platform, visit How it Works here.