Penetration testing or red team exercises are conducted at least annually
Vulnerability scanners find known CVEs but miss business-logic flaws, misconfigured access controls, weak authentication implementations, and the ways that individually minor issues chain together into a serious compromise. A penetration test puts a skilled, authorized attacker against your real environment to find what scanners miss. Annual testing gives a point-in-time assurance check; it does not replace continuous scanning, but it often surfaces findings that have been present for years without detection.
Implementation steps
1. Define scope and objectives for annual penetration testing
Define what is in scope: external network, internal network, web applications, APIs, social engineering, or a combination. Define objectives: are you testing a specific threat scenario, assessing a new product before launch, or meeting a compliance requirement? Scope determines cost and depth, so be specific rather than asking for a generic assessment. Get legal sign-off on the rules of engagement before testing begins; they should name the authorized targets, the testing window, out-of-scope systems, emergency contacts, and how tester access and any captured data are handled.
Tools: Confluence, Google Docs, Notion
2. Engage a qualified third-party penetration testing firm
Use a qualified third-party firm whose testers hold relevant certifications such as OSCP, GPEN, or CREST (CRT or CCT). For web application testing, look for GWAPT or BSCP credentials. Review redacted sample reports before engaging to confirm they contain reproduction steps, evidence, and risk ratings rather than repackaged automated scan output. For sensitive environments, verify that testers have passed background checks and sign NDAs, and agree in advance on how findings and captured data will be stored and destroyed.
Tools: Cobalt, Synack, HackerOne, Bugcrowd
3. Track findings to closure and validate remediation
Record every finding from the penetration test in your issue tracker with a severity, an owner, and a due date. Critical and high findings should be remediated within 30 days of report delivery. Request a retest of critical and high findings to confirm the fix is effective; a closed ticket is not by itself evidence that the vulnerability is gone. Store the final report and the retest attestation for audit purposes.
Tools: Jira, Linear, ServiceNow, Drata, Vanta
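The three steps above are a procedure with checkable outcomes: every finding has an owner and a due date, critical and high findings are fixed within 30 days, those fixes are retested, and the report itself is less than 12 months old. The following script is an added example, not code from this page or from any of the tools named above. It applies those rules to a constructed findings export; the `Finding` fields, the ticket identifiers, and the dates are assumptions made for illustration, and a real deployment would read the same fields from the tracker's API.

```python
"""Status check for penetration-test findings against the control above.

Added example, not part of the original page or any vendor's tooling.
Field names and sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation window per severity, counted from report delivery (step 3).
SLA_DAYS = {"critical": 30, "high": 30}
# Severities for which a retest attestation is required as evidence.
RETEST_REQUIRED = {"critical", "high"}
# The report must be dated within the last 12 months to count as evidence.
REPORT_MAX_AGE_DAYS = 365


@dataclass
class Finding:
    id: str
    severity: str                   # "critical" | "high" | "medium" | "low"
    reported: date                  # report delivery date
    owner: Optional[str] = None
    due: Optional[date] = None      # tracker due date for non-SLA severities
    closed: Optional[date] = None   # date the fix was deployed
    retested: bool = False          # tester confirmed the fix


def due_date(f: Finding) -> Optional[date]:
    """SLA-derived due date for critical/high, else the tracker's own date."""
    days = SLA_DAYS.get(f.severity.lower())
    if days is None:
        return f.due
    return f.reported + timedelta(days=days)


def classify(f: Finding, today: date) -> str:
    """One status label per finding, checked in the order an auditor cares about."""
    sev = f.severity.lower()
    if f.closed is not None:
        if sev in RETEST_REQUIRED and not f.retested:
            return "closed_no_retest"   # ticket closed, attestation still missing
        return "closed"
    if f.owner is None:
        return "unassigned"             # every open item needs an owner
    due = due_date(f)
    if due is not None and today > due:
        return "overdue"
    return "open"


def report_current(report_date: date, today: date) -> bool:
    """True if the report is recent enough to satisfy the annual requirement."""
    return 0 <= (today - report_date).days <= REPORT_MAX_AGE_DAYS


def summarize(findings, today: date) -> dict:
    """Group finding ids by status so the result can go straight into evidence."""
    buckets: dict = {}
    for f in findings:
        buckets.setdefault(classify(f, today), []).append(f.id)
    return buckets


# Constructed sample export: report delivered 2024-03-01, reviewed 45 days later.
REPORT_DATE = date(2024, 3, 1)
OLD_REPORT_DATE = date(2023, 1, 1)   # a report too old to count as evidence
TODAY = date(2024, 4, 15)
SAMPLE = [
    Finding("PT-24-001", "critical", REPORT_DATE, owner="app-team",
            closed=date(2024, 3, 20), retested=True),
    Finding("PT-24-002", "high", REPORT_DATE, owner="platform",
            closed=date(2024, 3, 28)),                        # fixed, not retested
    Finding("PT-24-003", "high", REPORT_DATE, owner="platform"),  # past 30-day SLA
    Finding("PT-24-004", "medium", REPORT_DATE, owner="app-team",
            due=date(2024, 6, 1)),
    Finding("PT-24-005", "low", REPORT_DATE),                  # nobody owns it
]

if __name__ == "__main__":
    print("report current:", report_current(REPORT_DATE, TODAY))
    for status, ids in sorted(summarize(SAMPLE, TODAY).items()):
        print(f"{status:17s} {', '.join(ids)}")
```

Run as-is it prints the sample report as current and buckets the five findings into `closed`, `closed_no_retest`, `overdue`, `open`, and `unassigned`; anything in the last four buckets is exactly what the evidence section below asks you to show with an owner, a due date, or a retest attestation.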
Evidence required
Penetration test report and remediation tracking
Evidence that a penetration test was conducted in the past 12 months and that findings are being tracked to closure.
- Penetration test report dated within the last 12 months, including tester credentials
- Remediation tracking showing open findings with owners and due dates
- Retest attestation for critical and high findings
Related controls
- Vulnerability scanning is performed regularly on all systems (Vulnerability Management)
- CISA Known Exploited Vulnerabilities are remediated on priority timelines (Vulnerability Management)
- Critical and high vulnerabilities are remediated within defined SLAs (Vulnerability Management)
- Internet-exposed attack surface is identified and minimized (Vulnerability Management)