How to Gain More Value with Continuous Pen-Testing
Posted by: Victor Wieczorek
Over the last several blogs, we’ve taken a deep dive into the different types of penetration tests:
As noted in the last blog, continuous assessments are enabled by a lot of the great automation platforms we’re seeing emerging in this space. Generally speaking, more mature security organizations are in a better position to take advantage of continuous, collaborative pen-testing.
When planning for a continuous pen-test, it is critical to:
- Ensure collaborative threat modeling, which, let’s face it, is foundational to pretty much any pen test. In a siloed or autonomous assessment, the red team must conduct the threat model themselves, working out what they can discover about an organization and pairing that with what they already know. In a collaborative or continuous assessment, it’s important to leverage the experience and expertise of the defending team, which knows the crown jewels: what is critical and core to the business and what attackers are trying to access. The most effective threat modeling happens when the red and blue teams work together to understand both perspectives.
- Set clear goals and objectives to ensure you maximize the value of a pen-test. Communication is critical. Agree on common goals and objectives with everyone involved, and ensure that feedback during a test is instant. There has to be a method that allows the defenders and the attackers to communicate back and forth and adjust as necessary.
In this blog series, we’ve reviewed the three most common types of penetration testing with the hopes of helping you identify which style is right for your organization. Ideally, you will continue to mature your security program and process and as part of that explore how to gain more value out of your penetration testing efforts.
We’ve found that the most effective and efficient penetration test assessments typically include both manual, human elements and automated tests and technology. Building a more collaborative effort between the offensive and defensive staff on your team, setting clear goals and objectives from a more holistic perspective, and determining where you can automate certain tasks and where manual effort is best spent are key to getting the most value out of your penetration test.
Contributing Author
Victor Wieczorek, Practice Director, Threat & Attack Simulation. Victor is an information security professional with a broad range of experience in both defensive and offensive security roles. His prior work included delivering various security projects to a wide spectrum of clients with a primary focus on penetration testing, social engineering, and security architecture design. As a penetration tester holding both the Offensive Security Certified Expert (OSCE) and Offensive Security Certified Professional (OSCP) certifications, he has helped organizations identify a multitude of weaknesses with a focus on root cause remediation.
About GuidePoint Security
GuidePoint Security provides trusted cybersecurity expertise, solutions and services that help organizations make better decisions that minimize risk. By taking a three-tiered, holistic approach for evaluating security posture and ecosystems, GuidePoint enables some of the nation’s top organizations, such as Fortune 500 companies and U.S. government agencies, to identify threats, optimize resources and integrate best-fit solutions that mitigate risk. Learn more at www.guidepointsecurity.com.
Resources
On-Demand Webinar: Maximizing Value Through Pen Testing
White Paper: Examining Which Style Of Penetration Test Is The Best Fit For Your Organization
Victor Wieczorek
VP, AppSec and Threat & Attack Simulation,
GuidePoint Security
Victor Wieczorek drives offensive security innovation at GuidePoint Security, leading three professional services practices alongside the operational teams behind that work. This creates a feedback loop that makes delivery better for everyone. His practices (Application Security, Threat & Attack Simulation, and Operational Technology) cover the full offensive spectrum: secure code review, threat modeling, and DevSecOps programs; red and purple team assessments, penetration testing, breach simulation, and social engineering; OT risk assessments, framework alignment, and critical infrastructure security.
Before GuidePoint, Wieczorek designed secure architectures for federal agencies at MITRE and led security assessments at Protiviti. He holds OSCE and OSCP, and built depth in governance and compliance (previously held CISSP, CISA, PCI QSA) to bridge offensive work with risk communication. His teams operate with a clear philosophy: enable clients to be self-sufficient. That means detailed reproduction steps with real commands, no proprietary tooling that obscures findings, and deliverables designed so organizations can act without dependency. Under his leadership, GuidePoint achieved CREST accreditation and he was named to CRN's 2023 Next-Gen Solution Provider Leaders list.
His current focus reflects where the industry is heading. As AI agents move into production, both as threats and as security tools, Wieczorek has been thinking through what governance looks like for autonomous systems. His view: the more capable the technology, the more essential human accountability becomes. He speaks on this through various webinar series, industry podcasts, and annual conferences.