Penetration Testing

Frequently Asked Questions

Does a Penetration Test at Oneleet include DDoS?

No. At Oneleet, we recognize that denial-of-service attacks increase the probability of operational disruptions and the risk of collateral damage, and we firmly believe there is no genuine advantage to running one as part of a penetration test.

Which Penetration Test Should I Choose: Black, Gray, or White Box?

Opt for a White-box Penetration Test if you are prepared to give the penetration tester access to the source code and configuration files, or if the application is open-source; it most closely simulates a threat actor who has, or once had, access to the source code. Select a Gray-box Penetration Test for a best-of-both-worlds approach: the tester starts with partial knowledge (for example, credentials or documentation) and can uncover most of the vulnerabilities reachable by both external and internal attackers. Choose a Black-box Penetration Test if your main concern is external threat actors with no inside knowledge.

Do I need to set up a staging environment?

We usually test in a staging environment and advise against testing in production, to minimize the risk of operational disruptions or collateral damage. That said, testing in staging is discouraged if the environment does not accurately reflect production or lacks representative data, since the findings will then be of less value from a security perspective.

Can major system changes be made during the penetration test?

We advise against implementing significant system changes during the penetration test. While pushing small changes is acceptable, we recommend maintaining a stable environment throughout the engagement to ensure the accuracy and reliability of the testing process.

What should I expect on the penetration testing scoping call? Should I prepare something?

See this section.

What type of qualifications should I look for in a penetration tester to evaluate their skill level?

Look at technical background, certifications, and communication skills. Evaluate a penetration tester's technical background and certifications, starting with the industry standard, the OSCP, and continuing with any other Offensive Security certification you consider relevant to the engagement, such as the OSCE or OSWE. Effective communication is equally important: the tester should give clear guidance from the initial scoping call, throughout the assessment, and afterwards through support with Letters of Attestation and Engagement.

What are the lead times for a penetration test?

The time from when we sign the contract to the start of the penetration test is usually a few days if there’s a rush, but it can be up to a week during peak times.

What are the consequences of 0 discovered vulnerabilities?

Such engagements are rare, and the outcome depends on the scope and the size of the business. For a startup with more than 10 employees undergoing a Gray-box penetration test, vulnerabilities are typically found, especially on a first test. If the scope is limited or the application's security is strong, the tester may legitimately find none; in that case the report should still explain the methodology, what was attempted, what failed, and what challenges were encountered, so that the absence of findings is backed by evidence of the work done.

Do I share the penetration test report with customers?

You may share the full penetration test report if you wish, but we provide a document designed specifically for this purpose. At Oneleet, we offer a Letter of Attestation, a high-level overview of the penetration test that includes the tester's profile and the overall risk score or number of findings. We recommend sharing the Letter of Attestation with customers and other stakeholders.