Tuesday, May 17, 2016

Red Teaming vs Pen Testing vs Scanning

Many orgs ask for a pen test these days and get only a vulnerability scan from the vendor (and some orgs may only want that). A scan enumerates hosts, services, and known weaknesses, typically by version or signature matching, but it does not attempt to exploit anything, so it cannot tell you which of its findings are actually reachable.

A proper pen test, by contrast, walks through in detail the safeguards, configurations, and vulnerabilities in scope to determine which exploits can actually be realized, and with what impact, rather than which ones merely appear in a report.

A red team exercise (as the term is used these days) builds on a pen test by carrying an attack all the way through to a concrete objective, in order to determine whether the org can actually detect that such an attack is underway or has already happened. Additionally, some orgs go a step further with a war-gaming (red-blue or purple team) exercise to determine whether their SOC or MSSP can shut down the attempt while it is in progress.

If an org only wants to satisfy a compliance requirement, a scan, or something akin to it, is often all that is needed. However, most orgs should engage a third party at least annually for a pen test in order to prioritize remediation investments by what is actually exploitable. Finally, an org that relies on an MSSP (an external SOC) should certainly conduct a red or purple team exercise to determine the maturity of the provider's detection and response.
