As the number of cyber attacks increases, the demand for penetration tests – to determine the strength of a company’s defense – is also going up. People are worried about their companies’ networks and computer systems being hacked and data being stolen. Plus, many regulatory standards such as PCI and HITRUST require these tests to be performed on at least an annual basis.

The demand for these tests is only going to increase as attackers get more sophisticated. And it’s essential these tests catch all possible vulnerabilities.

Benefits and gaps of penetration tests

Penetration tests involve live tests of computer networks, systems, or web applications to find potential vulnerabilities. The tester actually attempts to exploit the vulnerabilities and documents the details of the results for their client. They document how severe the vulnerabilities are and recommend the steps that should be taken in order to resolve them.

The benefit of performing a penetration test is that an organization will know their weak points and where they need to invest in stronger security controls. For example, a pen test can find insecure network setups or configurations, open ports, and insecure routers and switches.

The problem, however, is that results can vary significantly depending on who performs the test. There is no comprehensive national execution standard defined for performing penetration tests. That leaves a lot of room for security vulnerabilities to be missed, which can lead to many organizations not knowing how strong their security controls are.

For example, one cybersecurity firm can test a network and identify 10 vulnerabilities, while another could find only two. This is a concern, and something should be done to address this.

Solution: National pen test execution standard

One way to close the gap on this problem is to create a national penetration test execution standard that cybersecurity testing firms would have to comply with.

This standard would need to go into much more detail than the existing NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, which provides only general guidelines for performing penetration tests. While that guide has good information, it does not go far enough in providing details on exactly what type of activities should be completed during the test and does not provide up-to-date information on an attacker’s behavior and how to perform it during a test.

This new standard would need to include a list of recommended tools and standard targets within the environment that must be tested. It would include application and network-based requirements that must be tested on the internal and external network segments. It should also detail the various types of attacks that systems should be tested against.

The FBI and Department of Homeland Security have some of the most up-to-date information about attack tactics and can help ensure that these are covered in the testing standard.

Once the basics of a penetration test are complete following the standard, companies can conduct their own, more creative tests, which are essential because many companies use their own customized tools and processes.

For a standard approach to succeed, though, the penetration test standard would have to be updated regularly. Attackers are constantly changing tactics, and those need to be incorporated as they are discovered.

Having this national penetration test execution standard that cybersecurity firms follow as part of their process will help businesses appropriately assess their cyber risk so they can focus on investing their resources in the areas where they’re needed the most.