The procurement model of penetration testing is DEAD. If you pick your penetration testing company based on a requirement to rotate vendors, PLEASE ABORT THIS CONCEPT. If you run the same type of test each year but keep choosing a different company, you will most likely keep getting similar results. What you SHOULD be doing is building out a strategic, multi-year testing plan in which each year's test covers new and unique areas. It is important to progress your tests from year to year, and it is important to have a partner that helps you do so. Penetration testing, of course, consists of attack emulation against the network, web applications and/or the human element.
Below are three suggested testing levels, each building on the one before it:
Level 1: The focus of this test is identifying and attacking vulnerabilities on the in-scope assets, treating each asset independently of the others. This level suits organizations that do not conduct regular vulnerability scanning, and organizations with extremely sensitive or fragile systems that could crash under the more aggressive testing methods used at the higher levels.
Level 2: The emphasis of this test is how exploitable vulnerabilities can be chained together to compromise the network as a whole. An attempt is made to breach the network, emulating either an external threat actor or a malicious insider, with or without credentials. The test has specific objectives agreed upon in advance, and the testing team attempts to move laterally through the network to achieve them. Of the three levels, this is the closest emulation of an actual attack the organization might experience.
Level 3: In addition to the steps in Levels 1 and 2, Level 3 provides a deeper, holistic analysis to identify the root causes of the discovered risks. The goal is to discover not just which risks are exploitable but why they exist and which mitigations can prevent them from recurring. Beyond the traditional testing methodology, the testing team asks questions about the environment after the penetration test and conducts interviews to uncover the foundational risks that should be addressed. This gives a deeper understanding of what is flawed and why it is flawed.
The levels listed above are examples. What matters most is having a strategic, progressive testing plan, and a penetration testing partner who can help you build and follow it.