Security penetration testing is no longer a niche activity; it is now a cornerstone of every enterprise organisation's security programme. As the industry has grown, new trends have emerged, with more focus on automation and on harnessing technology to deliver project management and reporting.
Atlan Digital believes that a careful balance between technology and the human element is critical. We occupy our own space in the industry: we combine highly experienced consultants with robust and innovative in-house technology and research, and hold it all together with human project management and quality assurance processes.
Plan and Prepare
Once we engage with a client, our first step is a call to understand your requirements. For very small engagements these requirements can be gathered via a questionnaire if that suits you best. We can engage in varying project types and lengths:
Project Based - Fixed Man Day Project: Penetration Test & Red Team
Here we will sit with you to understand the scope of the work and your requirements: the targets of the testing, the urgency, and the reason for the testing.
We will then furnish you with a proposal based on our understanding of your requirements, outlining our methodologies, our approach and the consultants we want to bring onto the project.
Service Line Agreement (SLA) – 3, 6, 12 Contractor Placement
If you need a long-term, continuous presence in your organisation to augment your existing testing capability, deliver programme development, conduct custom research for an ongoing project, or undertake a long-term engagement such as an advanced intrusion test, we will establish your requirements, the skillsets sought, and your budget.
We will then present candidate resumes from Atlan's pool of consultants, all of whom have been vetted, have signed non-disclosure agreements, have undergone our technical interview process, and have had their references collected.
During service delivery we will manage the consultant's timesheets, augment the capability in the event of illness, a change of business requirements or a contractor issue, and provide technical management and support to our consultants even when they are embedded in your organisation.
PTaaS or RTaaS – Penetration Testing-as-a-Service and Red Team-as-a-Service
In this situation we will engage with you to better understand your requirements, the skillsets sought and the experience with particular technologies you need, and present a solution whereby you can block-buy man-days per month.
We have a minimum of 10 man-days per month with a minimum three-month commitment, and will provide the resumes of the consultants who will be performing the testing.
We can augment this capability with automation, or even develop custom tooling to perform daily, weekly or monthly scans of infrastructure, applications or source code. We can provide PDF reports on a weekly or monthly basis, or plug into any project management software such as JIRA that you use internally for vulnerability remediation.
Client and Contractor Onboarding
Atlan maintains a pool of consultants, all with a minimum of five years' testing experience and generally around ten. All contractors sign an NDA and are briefed on our security policies and procedures before we engage with them. We provide our consultants with:
Atlan corporate email account
Access to the Atlan Digital communication platform and shared drives on Atlan's internal systems
Access to VPN and tooling on our cloud-based infrastructure where necessary
Reporting platform, reporting formats and vulnerability databases
We do not rely on automated platforms to manage our consultants; we provide technical oversight and project management throughout every project we deliver. If we have provided a consultant for a fixed-term, PTaaS or RTaaS scoped project and that consultant is no longer available, we will present the resume of a replacement of equal experience and skillset, to be approved by the client before work continues.
Atlan will comply with all reasonable client requests: we will present our data handling policy, sign non-disclosure agreements, and provide our corporate and accounting information where necessary.
Again, here you deal with people rather than automated systems. Our internal team is on hand to manage any challenges, respond to queries, and provide documentation promptly for your legal and compliance teams.
Testing Window and Engagement Management
1. Kick Off
At the beginning of the project, Atlan's internal team and technical manager will bring the consultants onto a kick-off video call with you to introduce the testing team and the client. This ensures that the client and consultants are aligned on expectations, and it is an opportunity to raise any risks or concerns about the engagement.
2. During Testing
Throughout testing Atlan will technically manage the project, providing technical leadership and project management, and will remain on standby to assist with any client issues.
Where critical issues have been identified, or Atlan becomes aware of a risk to the client organisation, we will engage with the client immediately.
3. Red Team & PTaaS/RTaaS weekly update
While conducting any long-term phases of penetration testing or red teaming, Atlan will host weekly wash-up calls to take the client through the week's testing activities and the milestones achieved. This call is also an opportunity for the client to provide additional steer or make additional requests. Urgent requests can be made by the client on an ad hoc basis via email.
These updates will be provided over video conference, with a PowerPoint presentation covering the milestones achieved and any risks that need to be highlighted outside the normal reporting channels (whether the final PDF or JIRA or similar project management software).
4. Project Finish Debrief
Once the project is finished and we have delivered the report, Atlan's internal team and consultants will be on hand to deliver a project debrief call to address any testing limitations and questions.
Reporting and Quality Assurance
Project Based Reporting:
Where Atlan has been engaged for a single project, whether a systems penetration test or a red team engagement, the final deliverable will be a PDF report.
Once the consultants allocated to the project have written their findings and submitted their evidence in Atlan's report format, our comprehensive multi-stage technical QA process begins:
Initial technical QA
Where there is a requirement for us to use the report format of an end client or reseller partner, our team will adapt our reporting process to present findings in that format.
Our consultants are freelance testers with experience of working with multiple report formats from varied consultancies and international clients.
PTaaS and RTaaS:
Where we are delivering a continuous service based on 20 man-days per month, we can provide the issues and vulnerabilities identified in the following formats:
Monthly PDF reports
Internal Jira or similar ticketing systems populated with findings, or, if necessary, plugins developed from our reporting system to populate these findings in your own
Excel findings: we can provide the issues identified on a weekly or monthly basis in Excel format, outlining all risks identified either according to our own internal grading system or to match yours.
How can we help?
Whether you represent a corporate, a consultancy, a government or an MSSP, we would love to hear from you. To discover how our offensive security contractors could help, get in touch.