Thoughts from one of our founders on how we conduct pentests...
CISSP | PenTest+ | CySA+ Cybersecurity people leader helping others avoid the mistakes I've made in the past (both cybersecurity and otherwise)...
"Can you tell me the exact tools and techniques you'll use during the penetration test?" - if I had a nickel for every time I have been asked that, well, I'd probably only have two or three bucks, but I still feel it's a question that needs to be addressed. No, we can't predict the tools and techniques that we will use prior to a test. There are a few likely candidates - Responder for network tests and Burp Suite for web app tests - but in general we don't know what we are going to find until we get into the network and perform the initial reconnaissance of the network or application.

A lot of people think that knowing the tools and techniques the red team is going to use during a test will help the blue team perform better during the test, but in reality, is a real threat actor going to tell the blue team what they are going to do? The whole point of the test is to test the security controls of the network in a manner as close to reality as possible.