A Black Hat Pen-Test will show you if a hacker can break into your organization, but does it fall short? The answer is; it depends on who is doing the Black Hat Pen-Test and how they do it.
Methodology is important in pen-testing, it will show you how the pen-test firm will conduct the penetration test, and it will also show you what the report will look like. Many organizations receive a lacking report and go searching for another pen-test firm for next year. Let’s talk about what I said above when I say lack of findings. In a Black Hat Pen-Test, we have many options, ill mention a few below:
- You provide URLs for a web app or API – no credentials
- You provide nothing- we will perform discovery and OSINT to determine targets
- You provide a company name, we do the rest
A Black Hat Pen-Test is great for determine your external exposure and the defenses you have against an external hacker. A Black Hat Pen-Test however will not show you critical vulnerabilities hiding inside systems and networks of the hacker cannot get a foothold inside. When it comes to penetration testing, there is a variety of exercises that will produce different results. You can use these exercises to determine ways to strengthen your security posture, each pen-test style will identify different pathways that a hacker could take when targeting your organization.
A Black Hat Pen-Test will show you these 4 things:
- The mindset of the hacker
- Tools the hacker used to perform research and the results of the research (OSINT)
- Targets that the hacker was able to discover and how he created an attack narrative around them. (Attack Path/Attack Narrative)
- Results of the engagement (findings)