Frequently Asked Questions

Get answers to common questions about penetration testing, red teaming, and security assessments.

General Questions

What is penetration testing?

Penetration testing (pentesting) is a security assessment where authorized security professionals simulate real-world attacks against your systems to identify vulnerabilities before malicious attackers find them. We use the same techniques and tools that actual attackers would use, providing you with realistic findings and remediation guidance.

What is the difference between penetration testing and red teaming?

Penetration testing focuses on finding vulnerabilities in specific systems and applications. Red teaming simulates a complete adversary attack to test your organization's ability to detect and respond to breaches. Red teams work toward specific objectives and may use social engineering and physical security testing, while pentests focus primarily on technical vulnerabilities.

Is penetration testing legal?

Yes, penetration testing is legal when conducted with explicit written authorization from the organization being tested. All Sheepdog Cyber Defense engagements require signed agreements that clearly define scope, objectives, and authorized testing boundaries. Testing without that authorization would violate computer fraud and abuse laws.

Why should we do penetration testing?

Penetration testing helps you:

  • Identify vulnerabilities before attackers do
  • Understand your actual security posture
  • Prioritize security investments based on real risks
  • Meet compliance and regulatory requirements
  • Satisfy cyber liability insurance requirements
  • Demonstrate due diligence to stakeholders and customers

What makes Sheepdog Cyber Defense different?

Sheepdog is veteran-owned and operated by security professionals with practical experience. We combine automated tools with manual testing to find real vulnerabilities, not just scan results. We provide clear, actionable remediation guidance and prioritize findings based on business impact. We're focused on helping you improve security, not just generating a report.

Testing and Scope Questions

How long does a penetration test take?

Timeline varies based on scope and complexity:

  • External testing: 1-2 weeks
  • Internal testing: 2-3 weeks
  • Web application testing: 1-2 weeks
  • Red teaming: 2-4 weeks
  • Report and debrief: 1 week after testing

We provide a detailed timeline estimate before beginning.

How much does penetration testing cost?

Penetration testing costs vary based on scope and complexity. External testing typically starts at $2,500 for small organizations, internal testing from $3,500, web application testing from $2,500, and red teaming from $15,000. We provide detailed quotes after scoping your specific requirements.

Will penetration testing disrupt our business?

Penetration testing is designed to have minimal impact on production systems. We coordinate testing windows with your team, carefully scope our testing to avoid critical systems, and avoid destructive testing. We'll work within your operational constraints and can schedule testing during low-traffic periods if needed.

What systems should we include in scope?

For external testing, include all internet-facing systems (websites, email servers, VPNs, cloud services). For internal testing, include your internal network, servers, and applications. For web application testing, include all web apps and APIs. You define what's in scope and what's off-limits. We'll work with you to establish appropriate boundaries.

How often should we do penetration testing?

We recommend annual penetration testing as a baseline. However, you should also test after major infrastructure changes, new application deployments, security incidents, or regulatory requirement changes. Many compliance frameworks (PCI-DSS, HIPAA, SOC 2) require annual testing. Your cyber liability insurance may also require regular penetration tests.

Results and Remediation

What's included in a penetration testing report?

Our penetration testing reports include:

  • Detailed findings with technical descriptions and proof of concept
  • Step-by-step reproduction steps for each vulnerability
  • Risk ratings (Critical, High, Medium, Low) with CVSS scores
  • Specific remediation recommendations
  • Screenshots and evidence of findings
  • Executive summary for leadership
  • Recommendations for security improvement

How are vulnerabilities prioritized?

We prioritize vulnerabilities based on multiple factors: CVSS score, business impact, exploitability, and the organization's operational context. A vulnerability might be rated High because it's easily exploitable and affects critical systems, even if the technical CVSS score is slightly lower. We help you understand which findings require immediate attention.

What should we do after receiving penetration testing results?

We recommend:

  • Prioritizing findings based on risk rating and business impact
  • Assigning remediation tasks to your team
  • Establishing timelines for fixes
  • Testing fixes as they're deployed
  • Scheduling a retest to verify remediation

We offer retest services to confirm that vulnerabilities have been properly addressed.

Do you offer retesting after we fix vulnerabilities?

Yes, we offer retest services to verify that vulnerabilities have been properly remediated. This typically takes 3-5 days depending on the number of findings. Retesting is a great way to confirm your fixes are effective before considering issues closed.

How do we know if our remediation is effective?

The best way to verify remediation is through retesting. We can validate that your fixes address the original vulnerability and that new vulnerabilities haven't been introduced. We provide guidance on proper remediation during our debrief and can answer questions about whether your implemented fixes are sufficient.

Compliance and Security

Do you test for compliance requirements?

Yes, many compliance frameworks require penetration testing. We have experience with PCI-DSS, HIPAA, SOC 2, NIST, and other compliance requirements. Our testing can be tailored to meet specific compliance standards. We can help you understand what your regulations require and deliver testing that satisfies those requirements.

Will penetration testing help us pass a security audit?

Yes, penetration testing is often required for security audits and assessments. It demonstrates that you've conducted due diligence in testing your security posture. However, passing an audit requires addressing findings as well. We help you understand what auditors are looking for and provide findings that satisfy audit requirements.

Do you work with cyber insurance companies?

Yes, many cyber liability insurance policies require annual penetration testing. We can work with your insurance requirements and provide reports in the format your insurer requires. We're familiar with common insurance requirements and can ensure our testing meets those standards.

What is CVSS scoring?

CVSS (Common Vulnerability Scoring System) is a standardized method for rating vulnerability severity. Scores range from 0 to 10, with higher scores indicating more critical vulnerabilities. We provide CVSS scores for each finding to help you understand severity and prioritize remediation. However, we also consider business context when prioritizing fixes.

Our Team

Are your testers certified?

Yes, our team holds industry-recognized certifications including:

  • CRTO (Certified Red Team Operator)
  • PNPT (Practical Network Penetration Tester)
  • GWAPT (GIAC Web Application Penetration Tester)
  • eCPPTv2
  • PWPA
  • CEH (Certified Ethical Hacker)

We stay current with the latest security research and attack techniques.

How experienced is your team?

Sheepdog Cyber Defense was founded by security professionals with years of experience in military, government, and private sector cybersecurity. Our team has conducted hundreds of penetration tests and red team engagements across various industries. We bring practical, real-world experience to every engagement.

What tools do you use?

We use industry-standard tools including Nmap, Burp Suite, Metasploit, Cobalt Strike, and many others. However, tools are only part of the equation. Our expertise and manual testing skills are what find real vulnerabilities that automated tools miss.

Getting Started

How do we get started?

Contact us using our contact form or call us directly. We'll discuss your security concerns, understand your environment, and provide a detailed proposal. Once you're ready, we'll sign an engagement agreement and begin scoping the assessment.

What information do you need from us?

For a basic assessment, we need:

  • Scope definition (what systems to test)
  • Contact information for coordination
  • Preferred testing windows
  • Any constraints or sensitive systems to avoid

We can provide more detailed requirements based on your specific testing needs.

How is the engagement structured?

A typical engagement includes:

  • Scoping call to understand your needs
  • Proposal with detailed timeline and cost
  • Engagement agreement with rules of engagement
  • Testing period
  • Report generation
  • Debrief call to discuss findings

We keep you informed throughout the process.

Do you provide a written contract?

Yes, all engagements include a signed Master Service Agreement (MSA) and Statement of Work (SOW). These documents clearly define scope, timeline, pricing, confidentiality terms, and rules of engagement. We take legal and professional boundaries seriously.

What's your confidentiality policy?

Your security information is completely confidential. All findings and reports are protected and shared only with authorized representatives of your organization. We never disclose client information or findings to third parties without explicit permission.

Ready to Test Your Security?

Have more questions? Contact us directly. We're happy to discuss your security needs and answer any questions about penetration testing.
