In The Land Of A Thousand PenTesters, Context Is King
From the outside, cybersecurity looks like one of the most complicated jobs anyone could choose, but it is underpinned by a few simple, straightforward principles. No matter what the specific present challenge may be – responding to a new incident; understanding and agreeing to accept certain risks as a means of prioritising resources; briefing the board on supply-chain resilience; deciding which vulnerabilities need to be patched and which ones you can safely leave unattended – a thorough and holistic understanding of every aspect of the digital estate is a fundamental prerequisite.
Without that comprehensive visibility of assets and defences, nothing you do will make any sense. And there’s a very good chance everything you do will feel like time wasted when an attack you never imagined, leveraging a vulnerability you didn’t know you were exposed to, takes your business out of the game at the worst possible time. If that understanding is to be as thorough, as up-to-date and as useful as you need it to be, it has to be informed by robust testing that replicates real-world threats as accurately as possible, that stretches your defences realistically and honestly, yet won’t cripple the business in the process.
This is why the idea of always-on, 24-7, high-grade, very challenging, yet ultimately controllable penetration testing can seem, to many security leaders, to be something akin to a cyber professional’s Holy Grail. The metaphor works not only because the prize is precious, but because it is so rare as to seem, to all intents and purposes, something of a myth. All of which helps explain why Synack’s pitch – non-stop testing, delivered by a vetted pool of over a thousand researcher-hackers based around the globe – proved so persuasive to a roomful of senior security professionals at a recent RANT roundtable held in a restaurant perched high up above much of the Manchester skyline.
That elevated viewing position was appropriate: the talk began way up at the top level, and swiftly saw CISO after CISO swooping down into different detailed silos. What quickly became clear was that – as with all complicated challenges – the answers would for sure involve innovation and new technology, but would rely heavily on partnerships, pragmatism, and large amounts of good old-fashioned hard work.
Got To Know How To Pony
“Context, observability and visibility: you need to maintain those constantly, at all the layers,” one CISO said. “But also identity: that’s the biggest thing now. OK, Synack can give us continuous testing – but prioritisation? Context? How do you do that?”
“We start with understanding what you’ve got,” James Duggan, the company’s UK and Ireland solutions architect, said. “We’ll work with customer teams to find out what are considered the crown-jewel assets. But you’ve got other controls to prevent contagion propagating. It’s all about multiple layers. We do phishing services and testing; we provide attack-surface discovery. We’re increasingly moving towards data analytics and dashboards to show what are the common themes. But,” he added, emphasising that as much as his company can help, some challenges can only be met internally: “how well is your organisation doing with training? Why aren’t vulnerabilities being caught earlier in the development cycle?”
Another set of questions emerged over the implications of taking advantage of the increased fidelity of testing that Synack’s approach facilitates. If a company opts to test constantly rather than once or twice a year, there will be consequences of obtaining that enhanced level of awareness that need to be understood and managed.
“We would end up with information overload,” another senior leader suggested. “Say we do a pentest: we maybe end up with six or seven actions we need to complete afterwards. We’d have a lot more if we did it all year. Do you have customers who are shocked at the workload?”
“All the time,” Duggan replied. “But we work on custom playbooks based on what matters most to customers.” The Synack model, with its 1500 ethical hackers, each with a variety of specialisms and skillsets, means every test campaign can be individually tailored to the client’s requirements.
If, for example, that requirement set was based around protecting a number of key areas of the corporate network, the hackers would be incentivised to find vulnerabilities that would give them access to those parts of the network. Other weaknesses they found, which did not assist in that goal, would not attract significant rewards; so they are not going to spend their time trying to find them, and those weaknesses won’t appear in the reporting. For the client, the end result is workload prioritisation by default: they’re given insight into the vulnerabilities that are important to them, and aren’t going to end up swamped by other issues which exist but will have limited or zero impact on the business.
Of course, some things are non-negotiable. “As soon as we find an exploitable vulnerability we report it immediately,” Duggan clarified. But always-on testing doesn’t mean a constant stream of busy-work that will dominate the defensive team’s lives and risk distracting them from their most important missions.
Somebody Help Me
Underlying this outcome is a philosophy that governs Synack’s operating methodology. Essentially, the tests only have value if they uncover vulnerabilities that the business needs to be worried about; so researchers are incentivised not to look for evidence of high-scoring CVEs that won’t affect core capabilities, or to go on the hunt for exotic zero-days that can only be exploited by someone using a specific device in the corporate HQ’s lobby while standing on their head and holding a rose between their teeth.
“You don’t get paid by Synack unless you demonstrate impact,” Jan Fisher, one of the freelance researchers from that 1500-strong private pentest pool, explained. “Low-impact vulnerabilities I’m probably not going to report. The key thing for me is what is the impact of what I’ve found.”
That determination is one that Synack and the client have to work through together.
“I worked on a test in the last month or so, and some vulnerabilities we found that we considered to be medium or high and were fully in scope, the customer at the time was questioning the impact,” he continued. “For me, the job was to demonstrate impact in a tangible way that meant something to them. I need to be able to show how and why the customer should be interested in it. And also, what’s the remediation? How can it be fixed?”
Ears began to prick up around the table at that.
“That’s what’s generally missing,” one CISO lamented. “A lot of the past [pentest] companies I’ve used, they’ve told me what they’ve found, then the remedy is, ‘Refer to this article’.”
“In our platform, those vulnerabilities come up in real time, and you can discuss with the team – in relative real time – on how to remediate,” Synack’s sales director, Dave Henderson, explained. But, he pointed out, that conversation about impact is always a live one.
“Risks change,” he said. “We had one large client, and we found 14 cross-site scripting vulnerabilities. They thought, ‘We’ll look at those later.’ A couple of days on, someone began to exploit them, and they then decided they wanted to fix them immediately. We can react to that kind of thing quickly because we’ve got the scale.”
I Like It Like That
At the start of the discussion, RANT’s guest host, World Wide Technology’s cybersecurity advisor Paul Harris, had noted three key themes the discussion was likely to pivot around: people, speed and scope. The first, because “social engineering beats policy every time,” he argued; speed, because “zero-days move faster than our audit cadence”; and scope, referring to the remit a pentest provider would be given before beginning work, because getting that right would determine the usefulness of any engagement. “You can’t protect assets you don’t know you own,” he pointed out. But as the group dug deep into and around each of those areas, the other preoccupation that seemed to link them all was one that had been identified early on.
“I keep bringing it back to context,” one security leader said. “If I’m going to throw 100,000 vulnerabilities over 50,000 hosts, nobody will give a [expletive]. How do I make those metrics meaningful?”
“Context is always key,” another senior security staffer agreed. “What I want us all to take away from this is it’s not about the capabilities. A Ferrari goes fast, but you can easily crash it.”
“For organisations with small security teams, that’s what we need from the testers – context,” a third added. “Yes, it might be a bad vulnerability, but if you’re not using that package, let’s move on.”
“That’s where impact comes in,” Fisher said. “When I’m testing an asset I can find what seems to be a nice, meaty vulnerability, so I go in and look for some impact. But if I can’t pull out any data that’s impactful to the customer then it’s either not going to be rated high enough to be worth my while to cash out, or it’s rated lower to [the customer], which helps with prioritisation. When I was on the other side of the fence, and looking at Synack as a provider, one of the biggest things that was advantageous to us was the management I was able to get out of the platform. That made it very easy for us to demonstrate the value to the board that we were getting from the investment.”