Next Level Pentesting: Why the classic pentest approach is reaching its limits

25. February 2021

For more than 25 years, we have been helping companies achieve more security and monitoring developments and trends. In this interview with Matthias Göhring, Head of usd HeroLab and Sebastian Puttkammer, usd Managing Consultant IT Security and Head of HeroLab Tools, we talk about why classic approaches in the field of penetration testing no longer do justice to increasingly complex environments and what future-proof solutions look like.

What do you understand by the classic pentest approach?

Matthias Göhring: “Classic pentests, as they are conducted by companies today, are a black box for customers. There is a lack of overarching standardization in the way they are carried out: test depth, test coverage and scope vary from provider to provider, but are impossible to compare. In addition, the results reports only include identified vulnerabilities and the tests that do not result in a vulnerability are usually not documented.”

Why is this transparency in the testing process important?

Sebastian Puttkammer: “Without transparency and standardization, it always remains unclear to the customer as to what has been tested during the pentest. Since pentests are carried out across different industries, the requirements for execution and documentation also vary. There are already security standards that stipulate the traceability of the test steps performed. It is not possible to map these adequately with the approaches used to date. In addition, with the classic pentest, customer-specific requirements cannot be mapped in most cases.”

How do you plan to solve the problems you’ve highlighted?

SP: “We have really taken our penetration testing to the next level in terms of transparency and standardization per pentest category in recent years. We laid the foundation for this with our toolchain. It allows us a high degree of automation, which goes hand in hand with comparability, reproducibility and efficiency. This gives our pentesters more time for targeted and manual testing, which increases the quality of the analyses by, among other things, testing more for logic errors.”

MG: “In addition, we can integrate customer-specific requirements more easily with the help of the toolchain. Thanks to the complete and transparent documentation, the individual test steps are comprehensible for our customers. Especially since we also record the test steps in the report where no vulnerabilities were identified. An important requirement from the customer’s point of view.”

In which way will the HeroLab toolchain be further developed?

MG: “Our know-how and experience are constantly being incorporated into the further development of our tool landscape, resulting in ingenious synergy effects: For example, we are increasingly discovering so-called zero days and, through Responsible Disclosure, are supporting software providers in closing critical gateways for hackers in a timely manner. Thanks to our tool landscape, we are also creating a constantly optimized training environment for our internal training program, the “usd HeroLab Certified Professional”. This guarantees that our analysts always perform their security checks at the highest level. And we still have a lot up our sleeve for the future!”


Learn more about the usd HeroLab toolchain and how it supports our customers and security analysts on the path to more security in our English-language webinar “Next Level Pentesting” on March 18th 2021.

Also interesting:

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

AI Vulnerability Storm: When a Lack of Speed Becomes a Risk

Current developments in AI systems show that vulnerabilities are found more quickly, suitable exploits are developed more quickly, and attacks are increasingly implemented automatically. This significantly reduces the time between discovery and exploitation. What used...

Bafin Publishes 9th Amendment to MaRisk

Bafin Publishes 9th Amendment to MaRisk

On 30 June 2026, all credit institutions and financial services institutions in Germany received an important circular: Following the consultation phase, the German Federal Financial Supervisory Authority (Bafin) published the 9th amendment to its Minimum Requirements...

usd AG Listed as EPI Partner for Mobile Security Evaluations

usd AG Listed as EPI Partner for Mobile Security Evaluations

The popularity of mobile payments is growing, and with it, the demand for verified security. usd AG is expanding its activities in the EPI environment and will also conduct Mobile Security Evaluations in the future. This places us among the few EPI-listed Security...

Categories

Categories