Hey everyone, I'm an MSP looking to provide free remote mini vulnerability scans as a way to showcase security gaps before pitching a contract. I'm considering using tools like WordPress testing, Nmap, and OpenVAS to generate automated reports for my clients. However, I know that a contract needs to be signed first to authorize the pentesting. Are there any important factors I should be aware of? Or is there a better approach I should consider?
4 Answers
If you're doing this without a signed contract or any client information, you might be limited to basic scans. Trying to poke at their public website might not give a good representation of their entire infrastructure. Also, steer clear of any scare tactics like pointing out vulnerabilities on known services—it could backfire on you.
Using this as a sales tactic might not be the best move. If organizations are serious about their security, they’re likely already taking these steps. On the flip side, if they’re not, they might not see the value in your scans at all.
Just a heads up, what you’re planning is more of a vulnerability scan rather than a real penetration test. It’s important to clarify that with your clients to avoid any misunderstanding.
To be straightforward, what you're proposing sounds more like a vulnerability assessment rather than a full penetration test. It's crucial to be transparent with your clients about what services you’re offering. There's no such thing as a "mini pentest"; you either conduct a full test or you don’t do it at all. Misleading clients won’t serve anyone well in the long run.
I appreciate the honesty—I'll focus on being clear about my offerings moving forward!
Thanks for the tip! I’ll definitely make sure to communicate that clearly.