Pentesting as a 3PAO?

old.reddit.com / @/u/vintagenewstart, https://old.reddit.com/user/vintagenewstart

After reviewing the SAP/SAR I was wondering to myself if 3PAOs have the skillset to do the pentesting side of the assessment.

In my past jobs we used vulnerability scanning tools to identify issues and automated tools to remedy (or manually if need be).

Do 3PAOs use pentesting companies to test, remediate and write the reports or do most have the skillset to do this?

Also, what tools are commonly used during this process?

I would imagine open source tools like Kali (nmap, burp, msploit, etc.) would not be authorized and there would be a de facto toolset that has been appropriately vetted for federal systems.

Any guidance would be very helpful, thanks in advance!

submitted by /u/vintagenewstart

published about 2 months ago



