Roles and Responsibilities During a Penetration Test

Today we will review the various roles and responsibilities during a penetration test, from both the client and the Triaxiom vantage points. Every project is different and has its nuances, but for the sake of this article, we will assume that the project is a small external penetration test of 5 IP addresses for ACME, inc.

Roles and Responsibilities

  1. ACME Business Contact(s): This person or persons will act as the business contact for ACME and assist in handling various tasks in support of the project, such as executing legal contracts, project invoicing, and scheduling.
  2. ACME Technical Contact(s): ACME will be asked to designate technical contacts for the project who will provide the relevant information required for testing (IP addresses, URLs, compromise goals, etc.). One point of contact will act as the emergency contact within the Rules of Engagement and will be the first person Triaxiom contacts in the event of an emergency. In some cases, depending on organizational structure, the technical contact(s) could also serve as the business contact for a project.
  3. Triaxiom – Account Manager: Equivalent to the business contact, your Triaxiom Account Manager assists with the execution of legal contracts, invoicing, and scheduling.
  4. Triaxiom – Lead Engineer: The lead engineer is the technical point of contact and emergency contact for Triaxiom. They are responsible for orchestrating and conducting the majority of testing during the engagement, and will ultimately deliver and present the final reports. They can be reached 24/7 during the engagement and ACME is provided with the engineer’s cell phone number.
  5. Triaxiom – Quality Assurance/Support Engineer: This engineer is responsible for validating and ensuring the technical accuracy of all findings as part of our quality assurance process. Additionally, this engineer may assist on parts of the active testing in order to ensure a comprehensive test is performed during the allotted time window.

In this stylized example, we have detailed a small and straightforward project. As a project increases in scope and/or complexity, more roles may be required, such as a dedicated project manager, additional engineers, and various other client contacts such as developers, DBAs, etc. All parties play a vital role in ensuring the penetration test is executed to plan and on schedule. Clearly defining roles and responsibilities throughout the project keeps lines of communication open and avoids delays. For any project, the Rules of Engagement document we provide, review during the Project Initiation Meeting or Kick-Off Call, and have the client sign will contain all the relevant contact information.