u/Alternative-Wish9912

if you deploy weekly and pentest annually, you have 50 untested deploys for every test. think about that.
▲ 0 r/netsec (+1 crosspost)


ship weekly = 52 deploys/year.

annual pentest = 1 evaluation/year.

51 of those deploys are untested at the time of the next test. and the next test will only find what's currently exploitable, not what existed for 6 months in between.

[the math on this gets ugly](refer link):

1/ annual model MTTD: ~180 days

2/ sprint-cadence model MTTD: ~14 days

3/ bugs caught early: 6× cheaper to fix

annual pentesting is compliance theater for any team shipping more than once a month. change my mind.

u/Alternative-Wish9912 — 17 hours ago

delve fabricated 494 reports. but even the "real" SOC 2 pentests are mostly theater.

everyone's dunking on delve (deserved). but be honest - what does "real" SOC 2 compliance look like at most companies?

1/ pentest against staging

2/ no retest

3/ SLA says 48hrs, actual remediation: whenever

4/ cloud infra excluded

5/ risk acceptances with no owner

delve automated the fraud. most companies do it manually.

the actual requirements - https://www.codeant.ai/blogs/soc-2-penetration-testing-requirements : production testing, retest verification, timestamped remediation, cloud in scope, named risk owners. how many "legit" companies do all of this?

delve was the symptom. not the disease.

u/Alternative-Wish9912 — 2 days ago
🔥 Hot ▲ 93 r/cybersecurity

PSA: if you're on the receiving end of a red team test, the authorization letter protects you too

this doesn't get talked about enough from the blue team side.

if a red team engagement is properly authorized, there should be a sealed envelope held by legal that validates the whole thing. if you detect something weird, escalate it, and it turns out to be the red team, the letter protects everyone involved. you did your job by escalating. the red team did their job by testing.

but if the letter is vague or missing key sections, things get messy fast. i've seen blue teamers get blamed for "overreacting" when they called law enforcement on an unannounced physical test. and i've seen red teamers get in real trouble because the letter didn't cover what they were doing.

the authorization letter needs to define what happens at each detection stage:

1/ blue team detects, doesn't escalate - does red team continue?

2/ blue team escalates to CISO (who may not know) - who intervenes?

3/ law enforcement arrives - how is it verified?

4/ successful containment - what's the engagement outcome?

solid breakdown of all this here - refer link, if you want the full picture.

bottom line: the auth letter isn't just for the red team's protection. it's for yours.

u/Alternative-Wish9912 — 2 days ago