Would you prefer a pentest where you find very few vulnerabilities and get a short report, or a pentest where you find loads of vulnerabilities but get a long report? 🤔
Comments
It depends on what I’m trying to test. If it’s results that have been found and I thought were fixed, that feels bad; or if I’ve made significant changes or improvements but it doesn’t resolve things. However, if I’m just trying to get ideas for where to go next or how to improve, it feels better.
For the most part pentests are a compliance item, so short and sweet is most often fine.
But in general my issue with pentests in recent history is the quality of them, in that they tend to not be realistic scenarios that can happen under normal conditions.
The truth.
If a lot is found, then please explain what can and should be done even if it means having a huge report to go through.
If little has been found, then explain what you tried what was good, and how to improve further.
I have no preference. If you have a good reporting system/engine, it shouldn't be too much of a burden writing long reports. There is an art to writing short reports with few findings too... and it can open up discussions about other, more interesting tests when done right!
Real world answer from a former CISO? Number 1. Because pentests are for compliance and might be shared with clients. Investing in the Red Team and BB program for actionable findings provides better ROI.
I would prefer a correct report, no matter its length. I don't want fluff, and I want testers who can push the limits of my organization's security, no matter what level that is at the time.
The “have to find something” isn’t value