When implementing security consulting services, it is important to select a provider that offers the most appropriate and practical value for our business, beyond a simple cost comparison. Here are the key factors to consider when choosing vulnerability assessment, penetration testing, and red team test service providers.

1. Do they think and act like real attackers?

Ensure the provider relies not just on automated tools but conducts comprehensive and in-depth assessments by incorporating the insights of expert personnel and reflecting the latest attack trends.

Checkpoints:

• Expertise: Verify if the team is comprised of white hat hackers with expertise, such as winning records in domestic and international hacking competitions and a history of discovering major vulnerabilities.

• In-depth attack methodology: Look into whether they use asset management solutions, latest threat intelligence collection tools, and automated scripts to enhance the efficiency of initial diagnostics and subsequently implement a systematic methodology for precise analysis.

• Case analysis: It is advisable to identify if they have the ability to discover unexpected penetration paths and analyze the potential for actual proliferation through past successful penetration tests and red team tests.

2. Can they communicate immediately if problems arise?

If a critical vulnerability is detected during the check, or if there are concerns about server malfunctions, fast communication and actions are essential. It is important to verify if they have a system in place that offers real-time status updates and allows collaborative responses, beyond just submitting a report.

Checkpoints:

• Communication channel: Inquire whether they provide a dedicated platform to check the diagnostic status and resolve queries in real time beyond just emails or simple report submissions.

• Emergency response: It’s crucial to verify if there is a process in place to immediately share issues and discuss swift remedial measures upon discovering critical vulnerabilities.

3. Do they provide POC code beyond a simple report?

The ultimate goal of checklist, penetration testing, and red team services is to enhance corporate security level. It's important to consider whether they offer support that goes beyond merely providing a report listing vulnerabilities, such as detailed technology transfer for detected vulnerabilities and support to strengthen internal capabilities.

Checkpoints:

• Technology transfer: Check if they provide detailed information on detected vulnerabilities, exploitation techniques, and POC for defense against them.

• Follow-up management and collaboration: Verify if they continue to provide implementation checks and follow-up response consulting even after assessments by tracking the progress of vulnerability remediations. Furthermore, it can be a crucial criterion to determine if they assist in improving detection rules and response systems through collaboration with the internal defense team.