{"id":27358,"date":"2023-02-21T01:11:04","date_gmt":"2023-02-21T01:11:04","guid":{"rendered":"https:\/\/www.esecurityplanet.com\/?p=27358"},"modified":"2023-03-23T20:53:31","modified_gmt":"2023-03-23T20:53:31","slug":"penetration-testing-program","status":"publish","type":"post","link":"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/","title":{"rendered":"How to Implement a Penetration Testing Program in 10 Steps"},"content":{"rendered":"\n<p>Penetration tests find security vulnerabilities before hackers do and are critical for keeping organizations safe from cyber threats.<\/p>\n\n\n\n<p>You can either create your own pentesting program or hire an outside firm to do it for you. Penetration test services have become common, with many security companies offering them. But they can be expensive and should be done often, so if you have the expertise on staff, consider developing your own penetration testing program. The result will be greater control over this important vulnerability and risk management process, and a more knowledgeable and prepared security staff.<\/p>\n\n\n\n<p>Once you&#8217;ve decided to put together your own pentesting team, the first step is to create a plan that assesses your most critical assets so you can secure them.<\/p>\n\n\n\n<p><em>See the <\/em><a href=\"https:\/\/www.esecurityplanet.com\/products\/best-penetration-testing\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong><em>Best Penetration Testing Tools<\/em><\/strong><\/a><em> and the <\/em><a href=\"https:\/\/www.esecurityplanet.com\/applications\/open-source-penetration-testing-tools\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong><em>Top Open Source Penetration Testing Tools<\/em><\/strong><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How-Does-a-Penetration-Testing-Program-Work\"><\/span>How Does a Penetration Testing Program Work?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><a href=\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing\/\">Penetration testing<\/a> differs from <a href=\"https:\/\/www.esecurityplanet.com\/networks\/vulnerability-scanning-what-it-is-and-how-to-do-it-right\/\" target=\"_blank\" rel=\"noreferrer noopener\">vulnerability scanning<\/a> by using human pentesters to probe for vulnerabilities as hackers would.<\/p>\n\n\n\n<p>During penetration tests, security experts, also known as ethical or white hat hackers or &#8220;red teams,&#8221; simulate real attacks on a system. The simulations are designed for testers to identify vulnerabilities, errors, or <a href=\"https:\/\/www.esecurityplanet.com\/networks\/network-security\/\">weaknesses in network infrastructure<\/a> before an attacker can exploit them. Known as an offensive security approach, penetration testing keeps organizations one step ahead of cyber criminals.<\/p>\n\n\n\n<p>A penetration testing program goes beyond individual penetration tests and outlines a blueprint for an organization to follow. The program answers what, when, why, and where tests should run. Penetration testing programs should be ongoing, detailed, scheduled and revised as needed.<\/p>\n\n\n\n<p>The program should define a series of pentests to identify and remediate vulnerabilities in a system. 
Security leaders will know how many penetration tests to run, as well as where and when to run them, because the penetration testing program has been outlined. Even if an organization outsources all of its penetration tests, the program will provide a clear route when engaging with a vendor, a bug bounty program, or white hat hackers offering penetration testing as a service.<\/p>\n\n\n\n<p><strong>Also read:<\/strong> <a href=\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-vs-vulnerability-testing\/\" target=\"_blank\" rel=\"noreferrer noopener\">Penetration Testing vs. Vulnerability Testing: An Important Difference<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"10-Steps-for-Building-a-Penetration-Testing-Program\"><\/span>10 Steps for Building a Penetration Testing Program<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>In penetration testing, preparation is key. Asking vendors to run random tests against a system will not provide the information needed to evaluate and remediate flaws and improve performance and security.<\/p>\n\n\n\n<p>It is essential to know penetration tests inside and out, and to know what you expect to achieve. Designing a penetration test program can be overwhelming. Here are 10 simple steps that can guide you through the process.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Secure budget and human resources<\/h3>\n\n\n\n<p>While penetration tests are cost-effective and have important benefits, organizations must first secure the budget and ensure they have the human resources to run them. Because tests should be ongoing for a long time, this should be the first step an organization takes. Organizations must make sure they have all the resources they need to get them through the program.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
Assemble a penetration test program team<\/h3>\n\n\n\n<p>The first thing an organization should do, even before starting to build the program, is to find the right team and talent. Define roles and responsibilities and ensure the team members have all the necessary skills and <a href=\"https:\/\/www.esecurityplanet.com\/networks\/cybersecurity-certifications\/\" target=\"_blank\" rel=\"noreferrer noopener\">certifications<\/a>. The team will also need to work with other departments and management to build the program.<\/p>\n\n\n\n<p>As you assemble your team and think about your objectives, consider the tools you&#8217;ll need for your pentest targets, and find or train staff to run those tests. Think about the possible attack paths and important assets to protect, like Active Directory or a critical application database or code repository, and then decide on the tests you need to run to test their security.<\/p>\n\n\n\n<p><strong>Also read:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.esecurityplanet.com\/networks\/red-team-vs-blue-team-vs-purple-team\/\">Red Team vs Blue Team vs Purple Team: Differences Explained<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.esecurityplanet.com\/products\/rapid7-insightidr-review\/\" target=\"_blank\" rel=\"noreferrer noopener\">Testing &amp; Evaluating SIEM Systems: A Review of Rapid7 InsightIDR<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3. Map the digital surface, and build an asset inventory<\/h3>\n\n\n\n<p>The penetration testing team should comprehensively map the entire digital infrastructure, networks, Internet of Things (IoT) devices, edge, and cloud resources. 
Additionally, the map should include a data and asset inventory with all relevant information about the data cycle, from input, generation, and gathering to distribution, sales, and disposal of data.<\/p>\n\n\n\n<p>A clear vision of the entire system helps to quickly identify where each component is located and provides a bird&#8217;s-eye view of what needs protecting. Make a note of future projects and include them in the map and inventory.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Define business objectives<\/h3>\n\n\n\n<p>Like any other program in operations, pentesting should be aligned with the business\u2019s mission, goals, and targets. Focus on assets critical for operations, such as a customer database or critical application. Business objectives may change over time and require revision. Therefore, the team must come back to this point as penetration tests are executed over time.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. Set asset priorities<\/h3>\n\n\n\n<p>Business objectives may be to increase sales, adjust to the economic slowdown, pivot in response to disruptions, or prevent customer churn. Whatever the company\u2019s objectives are, the security of the assets that drive their outcomes must be guaranteed and tested.<\/p>\n\n\n\n<p>Identify asset priority using the data inventory and digital surface map. If there are future projects in development that are critical, make sure to include them.<\/p>\n\n\n\n<p>Pentests can be done by brute force, or a black box approach, simulating an attack where hackers know nothing of your systems, or a white box approach, where they have knowledge of your system architecture. A blend of the two is called a gray box approach.<\/p>\n\n\n\n<p>A brute force attack simulation would involve probing your network, web applications and users for weaknesses, while a white box approach might use sophisticated code analysis to probe an application for weaknesses.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6. 
Set level priorities<\/h3>\n\n\n\n<p>Your company will be running several periodic tests lasting several days or longer. Now that there is a clear idea of what needs to be secured, set priorities for tests that need to happen first and those that follow down the line.<\/p>\n\n\n\n<p>Additionally, running tests can be expensive, so consider spreading out tests for different systems depending on the priorities. Priorities usually include tests that check:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Vulnerability exploitation<\/li>\n\n\n\n<li>Code execution<\/li>\n\n\n\n<li>Lateral movement<\/li>\n\n\n\n<li>Data exfiltration<\/li>\n\n\n\n<li>Application vulnerabilities<\/li>\n\n\n\n<li>Input validation<\/li>\n\n\n\n<li>Authentication<\/li>\n\n\n\n<li>Authorization enforcement<\/li>\n\n\n\n<li>Vendor trust and supply chain security<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7. Define the type and number of tests, and schedule them<\/h3>\n\n\n\n<p>As a company expands into the digital world, its data, systems, networks, and digital assets will evolve. Penetration tests can only provide a view of a company\u2019s IT infrastructure at a specific moment.<\/p>\n\n\n\n<p>However, when designing a penetration testing program, companies can schedule yearly, quarterly, or monthly penetration tests to protect their systems over time as they change. Additionally, it\u2019s important to know how penetration tests work, including their phases and types, to understand which ones to run, while always focusing on identified asset priorities.<\/p>\n\n\n\n<p><strong>Also read:<\/strong> <a href=\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-phases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Penetration Testing Phases &amp; Steps Explained<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">8. Establish communication channels and awareness<\/h3>\n\n\n\n<p>It&#8217;s critical to establish clear communication channels. 
Penetration testing should not be siloed and limited to IT and security teams. Executives, data engineers, developers, content creators, marketing and sales, production, and distribution teams should all be aware of the program.<\/p>\n\n\n\n<p>Penetration tests are all about learning about errors, misconfigurations, and weaknesses. Therefore, every worker may have a role to play in improving security. Feedback is always encouraged to create a strong security culture.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9. Choose penetration testers, and run the tests<\/h3>\n\n\n\n<p>Penetration tests can be run in-house, through a vendor, through bug bounty programs, or through organizations that offer penetration tests as a service.<\/p>\n\n\n\n<p>Each method has its pros and cons. While in-house tests allow for complete control, a team of experts is needed to execute them. On the other hand, outsourcing penetration tests can be expensive, depending on the vendor or program, but organizations can also increase the diversity of talent and resources with this option. In the end, it comes down to an organization&#8217;s resources, the importance of its data, and the level of confidence in security controls.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">10. Reporting, remediation, monitoring, and restarting<\/h3>\n\n\n\n<p>A penetration testing program does not end when tests conclude. Each test should reveal vulnerabilities and recommend patches and remediations. Fixing vulnerabilities is the most direct goal of penetration testing.<\/p>\n\n\n\n<p>Reporting, remediation, monitoring, and retesting take time and are essential; otherwise, you are just identifying weaknesses but not fixing them or checking to see if patches and mitigations were applied. 
This stage is critical to improving an organization&#8217;s learning and performance curves at all levels.<\/p>\n\n\n\n<p>It&#8217;s also essential to revise and adjust the program after every test and after the entire scheduled series of tests is completed. Simply put, step 10 is not the end; it is followed by a restart and step one.<\/p>\n\n\n\n<p><em>See the <\/em><a href=\"https:\/\/www.esecurityplanet.com\/products\/patch-management-software\/\" target=\"_blank\" rel=\"noreferrer noopener\"><em>Best Patch Management Software &amp; Tools<\/em><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Teams-to-Involve-in-the-Pentesting-Program\"><\/span>Teams to Involve in the Pentesting Program<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>No penetration testing program will be successful if it only includes security teams and IT departments. An organization\u2019s digital attack surface extends to every aspect of its operations.<\/p>\n\n\n\n<p>Boards and leaders need to know about security to make informed business decisions, developers need to learn from errors, and even the human element of security will be involved in simulated <a href=\"https:\/\/www.esecurityplanet.com\/threats\/phishing-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\">phishing attacks<\/a> during penetration tests. Therefore, everyone should have some role in the program, depending on their contribution.<\/p>\n\n\n\n<p>It&#8217;s also important to understand that some penetration tests may simulate attacks but never disclose to the company what they will be attacking or when. These blind attacks try to get as close as they can to real-world scenarios to test security teams&#8217; response performance and time \u2014 something closer to red-and-blue teaming.<\/p>\n\n\n\n<p>Hackers will also run attacks attempting to steal credentials from workers as cyber criminals do. 
If workers are informed about these simulations, the results of the tests will not be realistic.<\/p>\n\n\n\n<p>Engineers and product teams need to be involved mainly in the program&#8217;s reporting, remediation, and monitoring phases. Just like security teams, they will learn from simulations and improve their work.<\/p>\n\n\n\n<p>Executives can better understand the risks, consequences, and state of their security with penetration tests. This helps create a top-to-bottom security culture and common understanding that facilitates daily cybersecurity operations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Bottom-Line-Starting-a-Pentesting-Program\"><\/span>Bottom Line: Starting a Pentesting Program<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Even if you choose to outsource your pentesting, you should still take the time to develop a pentesting program. It will make your security team and business managers better informed, and will also guide discussions with vendors and service providers.<\/p>\n\n\n\n<p>A penetration testing program goes beyond identifying weaknesses before criminals can detect them and use them against you. It provides a vision of the organization&#8217;s performance, security, awareness, and culture and can help you achieve business targets and goals. You need to know what&#8217;s critical before you can figure out how to protect it.<\/p>\n\n\n\n<p><strong>Read next:<\/strong> <a href=\"https:\/\/www.esecurityplanet.com\/threats\/threat-hunting\/\">What is Cyber Threat Hunting? 
Definition, Techniques &amp; Steps<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Penetration tests find security vulnerabilities before hackers do and are critical for keeping organizations safe from cyber threats. You can either create your own pentesting program or hire an outside firm to do it for you. Penetration test services have become common, with many security companies offering them. But they can be expensive and should [&hellip;]<\/p>\n","protected":false},"author":293,"featured_media":25617,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_gazelle_contributing_experts":"","footnotes":""},"categories":[14],"tags":[2369,3790,3414,31708,730,22929,5277],"b2b_audience":[33,35],"b2b_industry":[],"b2b_product":[382,394,395,377,381,31780,31775],"class_list":["post-27358","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-networks","tag-cloud-security","tag-cybersecurity","tag-network-security","tag-pentesting","tag-security","tag-vulnerability-management","tag-web-security","b2b_audience-awareness-and-consideration","b2b_audience-implementation-and-support","b2b_product-application-security-vulnerability-management","b2b_product-email-security","b2b_product-firewalls-and-intrusion-prevention-and-detection","b2b_product-gateway-and-network-security","b2b_product-network-access-control-nac","b2b_product-patch-management","b2b_product-web-applications-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Implement a Penetration Testing Program in 10 
Steps<\/title>\n<meta name=\"description\" content=\"Developing a penetration testing plan can prove to be a daunting task. Learn how to build a pentesting program today.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Implement a Penetration Testing Program in 10 Steps\" \/>\n<meta property=\"og:description\" content=\"Developing a penetration testing plan can prove to be a daunting task. Learn how to build a pentesting program today.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/\" \/>\n<meta property=\"og:site_name\" content=\"eSecurity Planet\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-21T01:11:04+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-03-23T20:53:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/10\/cyber-attacks-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1707\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Ray Fernandez\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:site\" content=\"@eSecurityPlanet\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ray Fernandez\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/\"},\"author\":{\"name\":\"Ray Fernandez\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/811d855b75a75a5e65a0367075eec422\"},\"headline\":\"How to Implement a Penetration Testing Program in 10 Steps\",\"datePublished\":\"2023-02-21T01:11:04+00:00\",\"dateModified\":\"2023-03-23T20:53:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/\"},\"wordCount\":1804,\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/10\/cyber-attacks-scaled.jpg\",\"keywords\":[\"cloud security\",\"cybersecurity\",\"network security\",\"pentesting\",\"security\",\"Vulnerability Management\",\"Web security\"],\"articleSection\":[\"Networks\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/\",\"url\":\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/\",\"name\":\"How to Implement a Penetration Testing Program in 10 
Steps\",\"isPartOf\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/10\/cyber-attacks-scaled.jpg\",\"datePublished\":\"2023-02-21T01:11:04+00:00\",\"dateModified\":\"2023-03-23T20:53:31+00:00\",\"description\":\"Developing a penetration testing plan can prove to be a daunting task. Learn how to build a pentesting program today.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/#primaryimage\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/10\/cyber-attacks-scaled.jpg\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/10\/cyber-attacks-scaled.jpg\",\"width\":2560,\"height\":1707,\"caption\":\"penetration testing pentesting\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esecurityplanet.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to Implement a Penetration Testing Program in 10 Steps\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#website\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"name\":\"eSecurity Planet\",\"description\":\"Industry-leading guidance and analysis for how to keep your business 
secure.\",\"publisher\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esecurityplanet.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#organization\",\"name\":\"eSecurityPlanet\",\"url\":\"https:\/\/www.esecurityplanet.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png\",\"width\":1134,\"height\":375,\"caption\":\"eSecurityPlanet\"},\"image\":{\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/eSecurityPlanet\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/811d855b75a75a5e65a0367075eec422\",\"name\":\"Ray Fernandez\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/Ray.Fernandez-headshot-Ramiro-Fernandez-1-150x150.jpg\",\"contentUrl\":\"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/Ray.Fernandez-headshot-Ramiro-Fernandez-1-150x150.jpg\",\"caption\":\"Ray Fernandez\"},\"description\":\"Ray is a Content and Communication Specialist with more than 10 years of experience. He currently works as a Senior Copywriter for Wunderman Thompson and writes as a freelance technology journalist for several tech media. 
His work has been published in Microsoft, Slash Gear, Screen Rant, OOSKA News, Bloomberg, and Nature Conservancy, among other places.\",\"url\":\"https:\/\/www.esecurityplanet.com\/author\/rfernandez\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to Implement a Penetration Testing Program in 10 Steps","description":"Developing a penetration testing plan can prove to be a daunting task. Learn how to build a pentesting program today.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/","og_locale":"en_US","og_type":"article","og_title":"How to Implement a Penetration Testing Program in 10 Steps","og_description":"Developing a penetration testing plan can prove to be a daunting task. Learn how to build a pentesting program today.","og_url":"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/","og_site_name":"eSecurity Planet","article_published_time":"2023-02-21T01:11:04+00:00","article_modified_time":"2023-03-23T20:53:31+00:00","og_image":[{"width":2560,"height":1707,"url":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/10\/cyber-attacks-scaled.jpg","type":"image\/jpeg"}],"author":"Ray Fernandez","twitter_card":"summary_large_image","twitter_creator":"@eSecurityPlanet","twitter_site":"@eSecurityPlanet","twitter_misc":{"Written by":"Ray Fernandez","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/#article","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/"},"author":{"name":"Ray Fernandez","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/811d855b75a75a5e65a0367075eec422"},"headline":"How to Implement a Penetration Testing Program in 10 Steps","datePublished":"2023-02-21T01:11:04+00:00","dateModified":"2023-03-23T20:53:31+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/"},"wordCount":1804,"publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/10\/cyber-attacks-scaled.jpg","keywords":["cloud security","cybersecurity","network security","pentesting","security","Vulnerability Management","Web security"],"articleSection":["Networks"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/","url":"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/","name":"How to Implement a Penetration Testing Program in 10 Steps","isPartOf":{"@id":"https:\/\/www.esecurityplanet.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/#primaryimage"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/#primaryimage"},"thumbnailUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/10\/cyber-attacks-scaled.jpg","datePublished":"2023-02-21T01:11:04+00:00","dateModified":"2023-03-23T20:53:31+00:00","description":"Developing a penetration testing plan can prove to be a daunting task. 
Learn how to build a pentesting program today.","breadcrumb":{"@id":"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/#primaryimage","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/10\/cyber-attacks-scaled.jpg","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/10\/cyber-attacks-scaled.jpg","width":2560,"height":1707,"caption":"penetration testing pentesting"},{"@type":"BreadcrumbList","@id":"https:\/\/www.esecurityplanet.com\/networks\/penetration-testing-program\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esecurityplanet.com\/"},{"@type":"ListItem","position":2,"name":"How to Implement a Penetration Testing Program in 10 Steps"}]},{"@type":"WebSite","@id":"https:\/\/www.esecurityplanet.com\/#website","url":"https:\/\/www.esecurityplanet.com\/","name":"eSecurity Planet","description":"Industry-leading guidance and analysis for how to keep your business secure.","publisher":{"@id":"https:\/\/www.esecurityplanet.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esecurityplanet.com\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esecurityplanet.com\/#organization","name":"eSecurityPlanet","url":"https:\/\/www.esecurityplanet.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2020\/10\/eSecurity_logo_MainLogo.png","width":1134,"height":375,"caption":"eSecurityPlanet"},"image":{"@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/eSecurityPlanet"]},{"@type":"Person","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/811d855b75a75a5e65a0367075eec422","name":"Ray Fernandez","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esecurityplanet.com\/#\/schema\/person\/image\/","url":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/Ray.Fernandez-headshot-Ramiro-Fernandez-1-150x150.jpg","contentUrl":"https:\/\/assets.esecurityplanet.com\/uploads\/2022\/06\/Ray.Fernandez-headshot-Ramiro-Fernandez-1-150x150.jpg","caption":"Ray Fernandez"},"description":"Ray is a Content and Communication Specialist with more than 10 years of experience. He currently works as a Senior Copywriter for Wunderman Thompson and writes as a freelance technology journalist for several tech media. 
His work has been published in Microsoft, Slash Gear, Screen Rant, OOSKA News, Bloomberg, and Nature Conservancy, among other places.","url":"https:\/\/www.esecurityplanet.com\/author\/rfernandez\/"}]}},"_links":{"self":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/27358"}],"collection":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/users\/293"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/comments?post=27358"}],"version-history":[{"count":0,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/posts\/27358\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media\/25617"}],"wp:attachment":[{"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/media?parent=27358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/categories?post=27358"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/tags?post=27358"},{"taxonomy":"b2b_audience","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_audience?post=27358"},{"taxonomy":"b2b_industry","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_industry?post=27358"},{"taxonomy":"b2b_product","embeddable":true,"href":"https:\/\/www.esecurityplanet.com\/wp-json\/wp\/v2\/b2b_product?post=27358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}