Preparing for a Penetration Test: Insights from Tim Medin, CEO of Red Siege Information Security

By Tim Medin | November 13, 2023

As the CEO of Red Siege Information Security, I’ve had the privilege of building an outstanding team of ethical hackers to conduct numerous penetration tests for organizations across many industries. Over these years, I’ve come to realize that one of the most underestimated aspects of a successful penetration test is the power of asking the right questions. So lets dive into some of my experiences and insights into how asking the right questions can be a game-changer in penetration testing.

Embracing the Dumb Question

The most important idea when it comes to penetration testing is understanding what is more important to the business or organization. Consultants should never hesitate to ask:

“What data or process, if lost, stolen, compromised, or destroyed, would have the biggest impact to the organization?”

( I made sure to slap this question on the front of our website for good measure.)

The truth is, the testers’ educated guess often matches the client’s response. The key is, knowing when your assumption is wrong!

When it comes to conducting a penetration test, there’s no room for assumptions. I regularly tell my team, “I’d rather ask a ‘dumb’ question, than be wrong. I hate being wrong!” It’s crucial to seek clarity and understanding, even if it means asking what might appear to be a “dumb” question.

Understanding this key point puts the entire penetration test in the right context. It helps the testers understand the real risk to the organization, and not just guess as to what matters. One simple question, can drastically change the value of this type of test. These unexpected insights highlight the importance of thorough preparation for a penetration test.

The Eye-Opening Experience: Pricing as Critical Information

Allow me to illustrate the significance of asking the right questions with a memorable experience from a penetration test we conducted for a major e-commerce platform. This platform, akin to Amazon but specializing in tools and equipment, taught me a lesson I’ll never forget.

Rewind 15 years, back when I was young, head strong, and over confident. At the beginning of the test, I made assumptions about what constituted critical data. I assumed it revolved around credit card information, client data, and sales records – the usual high-value targets. However, during the course of the engagement, the organization’s representative shared an unexpected revelation. They considered the most critical information for their business to be:

“The pricing at which they sold their products.”

I was shocked, since this pricing information was effectively public on their e-commerce site. He went on to explain, that if a competitor can get the price of everything they sell, they could then sell everything for a penny less, and my client would be out of business. The products sold by competitors in this industry are often identical, sourced from the same manufacturer, making the price became the sole differentiator. In a world where buyers hunt for the best deals, this pricing advantage could have a catastrophic impact on the business.

I assumed because the information was public that it wasn’t critical, and I couldn’t have been further off. This taught me a valuable lesson:

“Never assume” and to ask the “dumb” question.

The Lesson Learned: Never Assume Anything

My experience highlights a critical lesson for penetration testers and security professionals – never make assumptions. What may seem trivial or publicly accessible data could hold immense value for an organization, depending on its business model and competitive landscape. This revelation also underscores the importance of gaining a nuanced understanding of the client’s operations and priorities.

The simple question, “What is the most important data or process to you?” should not be perceived as a trap for the organization being tested. Instead, it serves as an opportunity to gauge the experience and maturity of the testers and, more importantly, to align expectations between the testers and the client. As an experience professional, sometimes the organization needs help identifying what is important. An experience consultant can ask about other data or processes and guide them down the path to better understanding.

Preparing for a Penetration Test: Key Takeaways

1. Foster Open Communication

  • Establish open and transparent communication with the organization being tested. Encourage them to share their priorities and concerns.

2. Avoid Assumptions

  • Never assume what constitutes critical data. Always inquire about the most vital processes and information.

3. Grasp the Business Context

  • Understand the client’s business model, competitive landscape, and industry-specific challenges to tailor the penetration test accordingly.

4. Embrace Continuous Learning

  • Encourage a culture of continuous learning and adaptability within your penetration testing team. Every engagement offers new insights.

5. Document Diligently

  • Document the client’s responses and priorities meticulously. This information will inform the testing strategy and help align expectations.

6. Test for Maturity

  • Use the question as a litmus test for the maturity of the organization’s security posture. It can reveal whether they have considered the potential risks comprehensively.

In conclusion, preparing for a penetration test requires more than technical expertise; it demands a keen understanding of the organization’s unique context and priorities. My experiences have taught me that success in penetration testing hinges on the power of asking the right questions and never making assumptions. By following these principles, both testers and organizations can collaborate effectively to enhance cybersecurity and safeguard critical data.

If you are looking to perform a penetration test for the first time, sharpening up your skills as a penetration tester, or a business/organization looking to learn more about what goes into a penetration test and what to do after –Myself and the Red Siege Information Security team have created a unique version of our SiegeCasts dedicated to breaking down all the steps for you in this 3-part series.

The information from this article is just a small section of part one.

Click the link below to learn more!

Reject Passwords, Return to (Security) Keys

By Red Siege | November 28, 2023

from Ian Briley, Security Consultant The weakest link in your information security chain will always be the human behind the keyboard. No matter how much death by PowerPoint security training […]

Learn More
Reject Passwords, Return to (Security) Keys


By Red Siege | October 5, 2023

In this blog post I wanted to share a few tips and tricks I’ve found in Burp that have really helped me in the past. Double Click and Right Click […]

Learn More

Vishing: How to Protect Your Business from Phone-Based Social Engineering Attacks

By Red Siege | September 22, 2023

from Jason Downey, Security Consultant In our digital world today, where cyber stuff keeps changing all the time, there’s this sneaky attack method that’s been popping up more and more […]

Learn More
Vishing: How to Protect Your Business from Phone-Based Social Engineering Attacks

Find Out What’s Next

Stay in the loop with our upcoming events.