How to order a Pentest. When you are on the CISO side | by Vicente Aceituno Canal | The CISO’s lair | January 2024


When we are on the side of the CISO


There is a wealth of resources available on how to conduct a penetration test, but there is a dearth of advice on commissioning and orchestrating such a test. While large cybersecurity services often have in-house penetration testing teams, this is often impractical for small and medium-sized businesses. Outsourcing a penetration test isn’t just dictated by size; other factors include the desire to leverage diverse skills across various tests and the need to demonstrate that the test was completed independently – an especially valuable aspect in regulated environments. I will omit all the details regarding the procurement process, such as approvals and invoicing, because they differ greatly between companies. The whole process usually goes like this:

You need to create a document that describes the pentest project, more or less following the structure below. I have left in italics the text that can be used as boilerplate:

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —


Description of the Company’s activity. The specific objective of this penetration test is to find and correct any vulnerabilities presenting a real risk to the Company’s applications.


The subject of this project is the information systems that support the Company.


The Company requires Pentest services for the application which constitutes the front end of the Company’s products and services.

Front-end and back-end specifications

  • Number of web pages:
  • Number of unique entries:
  • Customers can upload documents, and any other functionality that may represent a risk.
  • The language used is
  • List of URLs to test:

Access to the test environment

Indicate whether testing takes place in the production or test environment.
