#NSBCS.080 - Why might I need a ‘pentest’? Tips for a non-cybersecurity buyer
Source: NSB Cyber
When it comes to ‘penetration testing’ (or ‘pentesting’ for short), we often encounter the following question from non-cybersecurity people: “I’ve heard about pentesting, but I’m not sure why I need it or when I should have one commissioned. It’s honestly confusing!”
We 100% agree. Pentesting, along with many other cybersecurity services out there, can be extremely confusing for a non-cybersecurity buyer. Part of our mission is to demystify and simplify cybersecurity and help clients understand the ‘why’, as well as when a pentest may be needed.
Whilst there can be a myriad of reasons for a pentest, we wanted to share some key reasons and scenarios we see for when and why you may need a ‘pentest’.
# Reason 1: You’re concerned about the security of your new application and need it ‘security tested’ before it’s released
Imagine your IT and marketing teams have worked on a shiny new mobile Android and iPhone app for your business. The “gamechanger” is what it’s being dubbed internally, as none of your competitors have released anything remotely close to what your app can do!
Perhaps gnawing at the back of your mind is the question of whether this app has been secured, given that it has access to sensitive customer data and performs financial transactions.
In this scenario, you may consider commissioning a pentest before the app is released to the world, as a means to find and fix security holes and to ease your mind.
Tip: A good practice is to ensure your teams consider security in their project timeline and budget well before the app’s go-live date, and allow time to remediate critical pentest findings before release.
# Reason 2: You need to satisfy your third-party requirements
There is increasing scrutiny not only from regulators (e.g. OAIC and ASIC) but also from cyber insurers and possibly your key third parties, all of whom want to know about your cybersecurity! Quite often, one of the questions these parties ask as part of their checklists is whether you have recently had a ‘pentest’ or ‘independent security assessment’. Having undergone a pentest not only helps you technically validate your cyber risk but also helps tick these third-party checklists, which can be an important business enabler!
Tip: If a third party is mandating that you receive a pentest, clarify to the best of your ability the third party’s exact requirement in terms of pentest type and scope. Understanding this may mean the difference between a pentest quote of a few thousand dollars and one of a hundred thousand dollars.
# Reason 3: You’ve recently had a cyber incident and want to know if you’re still vulnerable
If your organisation has suffered a recent cyber incident, you will have experienced the heightened risk environment that follows it. A good incident response team will have left you with key recommendations to tighten your security and prevent a similar breach from occurring in the future.
A pentest is also a good follow-on exercise, especially if the incident was substantial or highlighted critical misconfigurations. Imagine you’re reinforcing your home after a recent break-in; it could be helpful for an independent party (‘pentester’) to role play as the intruder to check your gates are reinforced, window screens and back door locks properly installed, and security cameras pointed correctly. You may also go as far as to tell your pentester "the root cause of the last break-in was a weak side gate lock and lack of window guards, so I want you to validate those entry points are adequately secured!”
Tip: If the root cause was never established, or if there were unanswered questions about how a threat actor performed a certain action during an incident, in certain circumstances it may also be useful to engage a pentester for a tightly scoped assessment to try to answer them. The pentester (being the crafty individual they are) may be able to determine the likely answer by reasoning about what they would have done in the threat actor’s position!
# Final Note
These are just a few reasons and scenarios for when you may need a ‘pentest’. Buying a pentest can be a bit daunting, so be sure to reach out to the experts to have a discussion!
For information on NSB Cyber’s Cyber Offensive Security capabilities or to book a meeting with our team, click here.
# What we read this week
CitrixBleed 2: New NetScaler Flaw Exposes Sessions, MFA Bypass - A new critical vulnerability (CVE-2025-5777), dubbed CitrixBleed 2, impacts Citrix NetScaler ADC and Gateway, enabling unauthenticated attackers to extract sensitive memory contents, including session tokens and credentials. Devices configured as Gateway or AAA virtual servers are affected. Like the original CitrixBleed, leaked tokens could be replayed to hijack sessions and bypass MFA. A second flaw (CVE-2025-5349) permits improper access to management interfaces. Citrix urges administrators to upgrade to patched versions and forcibly terminate all active sessions post-patch. Over 56,000 NetScaler endpoints are currently internet-exposed, increasing the risk of compromise if left unremediated.
Salt Typhoon Exploits Cisco flaw to Breach Telecom Networks - The Canadian Centre for Cyber Security and the FBI have issued a joint alert on state-sponsored Chinese actor Salt Typhoon targeting global telecom providers. In mid-February 2025, the group exploited a critical Cisco IOS XE vulnerability (CVE-2023-20198, CVSS 10.0) to access configuration files from three devices at a Canadian telecom firm, modifying one to establish a GRE tunnel for data exfiltration. The campaign appears broader than telecoms alone, with operations suggesting both reconnaissance and persistent access. This aligns with prior attacks observed by Recorded Future in the U.S., Italy, and South Africa exploiting the same Cisco flaws for espionage.
Chinese APT Builds Covert Router Botnet with ShortLeash Backdoor - SecurityScorecard has uncovered LapDogs, a stealthy espionage campaign by China-linked APT UAT-5918, targeting IT, media, and infrastructure sectors across the US and Southeast Asia. The threat actor maintains an operational relay box (ORB) network of over 1,000 compromised SOHO routers, primarily Ruckus Wireless and Buffalo AirStation models, infected with the ShortLeash backdoor. These routers—vulnerable to CVE-2015-1548 and CVE-2017-17663—act as persistent, covert infrastructure, evading detection by spoofing TLS certificates as "LAPD." The campaign overlaps with the PolarEdge ORB network but appears to operate independently, focusing on long-term access and evasion over disruption, using credentials, web shells, and lateral movement post-compromise.
French Police Dismantle BreachForum, Arrest Five Hackers - French authorities have arrested five key operators behind BreachForum, a major hub for trading stolen data, in coordinated raids across multiple regions. The suspects—operating under pseudonyms including “ShinyHunters” and “IntelBroker”—allegedly took over the forum after its original founder, “Pompompurin”, was arrested by the FBI in 2023. BreachForum succeeded RaidForums and facilitated widespread credential sales, with ties to high-profile breaches targeting French organisations such as SFR and France Travail. The operation, led by Paris’s Cybercrime Brigade (BL2C), highlights growing international cooperation. With these arrests, experts expect a slowdown in the data leak trade and disruption to the broader cybercrime ecosystem.
US Bans WhatsApp over Data Security and Spyware Risks - The US House of Representatives has banned WhatsApp on government-managed devices, citing security concerns flagged by the Chief Administrative Officer (CAO). The decision stems from WhatsApp's lack of transparency in data protection, concerns over stored data encryption, and recent zero-click spyware campaigns. Meta pushed back, noting its default end-to-end encryption surpasses that of many approved apps like Microsoft Teams and Signal. The ban follows Meta’s December 2024 mitigation of a Graphite spyware campaign linked to Paragon. WhatsApp now joins a list of restricted apps that includes TikTok, ChatGPT, and Copilot. CAO-approved alternatives remain in use for official communications.
# References
https://www.bleepingcomputer.com/news/security/new-citrixbleed-2-netscaler-flaw-let-hackers-hijack-sessions/
https://thehackernews.com/2025/06/china-linked-salt-typhoon-exploits.html
https://www.securityweek.com/chinese-apt-hacking-routers-to-build-espionage-infrastructure/
https://cybersecuritynews.com/five-hackers-behind-breachforum/
https://securityaffairs.com/179297/mobile-2/us-house-banned-whatsapp-on-government-devices.html