Penetration Testing

Overview

The Penetration Testing module helps you plan, execute, and track penetration testing campaigns. Penetration testing is included in every Bastion subscription — your vCISO coordinates the engagement, and Bastion's OSCP-certified pentesters carry out the tests. Findings are reported directly into the platform for tracking and remediation.

Why Penetration Testing?

Beyond Automated Scanning

Human Intelligence - Creative attack paths
Business Logic - Application-specific flaws
Chained Attacks - Multi-step exploits
Real-World Validation - Proof of exploitability

Compliance Requirements

Many frameworks require pentesting:

Framework	Requirement
SOC 2	Periodic testing
ISO 27001	Regular testing
HIPAA	Technical evaluation

Campaign Management

Creating a Campaign

Navigate to Infrastructure → Penetration Testing
Click Create Campaign
Configure:
- Campaign name
- Scope definition
- Start/end dates
- Pentester assignment
Save

Campaign Types

Type	Scope	Duration
Web Application	Specific application	1-2 weeks
Network	Internal/external network	1-2 weeks
Mobile	Mobile applications	1-2 weeks
Cloud	Cloud infrastructure	1-2 weeks
Full	Comprehensive	3-4 weeks

Scope Definition

Define what's in scope:

Target domains/IPs
Applications
Authentication credentials
Out-of-scope exclusions
Testing restrictions

Pentester Portal

Portal Access

External pentesters access via dedicated portal:

Navigate to Settings → Pentester Portal
Click Invite Pentester
Enter pentester email
Assign to campaign
Send invitation

Portal Features

Pentesters can:

View scope and rules
Submit findings
Upload evidence
Communicate with team

Portal Permissions

Permission	Access
View	See campaign details
Submit	Submit findings
Comment	Add comments
Upload	Attach evidence

Finding Management

Submitting Findings

Pentesters submit findings with:

Field	Description
Title	Brief description
Severity	Critical, High, Medium, Low
Description	Full details
Steps to Reproduce	Exploitation steps
Evidence	Screenshots, videos, logs
Recommendation	Remediation guidance

Finding Workflow

Submitted → Triaged → Confirmed → In Progress → Fixed → Verified → Closed

Finding Review

When findings are submitted:

Review for accuracy
Assess severity
Confirm exploitability
Assign to remediation team
Track resolution

Evidence Management

Evidence Types

Screenshots
Video recordings
Request/response logs
Exploit code (redacted)
Tool output

Evidence Storage

Evidence is:

Encrypted at rest
Access controlled
Retention managed
Audit logged

Reporting

Campaign Report

At campaign completion:

Executive summary
Finding summary
Detailed findings
Remediation status
Trend comparison

Report Formats

Format	Use Case
Executive	Leadership briefing
Technical	Engineering team
Compliance	Audit evidence

Remediation Tracking

Tracking Progress

Monitor remediation:

Open findings by severity
SLA compliance
Aging findings
Remediation velocity

Retest Coordination

Coordinate retesting:

Mark finding as fixed
Request retest
Pentester validates
Confirm or reopen

Campaign History

Past Campaigns

View completed campaigns:

Campaign details
All findings
Remediation status
Reports

Trend Analysis

Track improvements:

Finding counts over time
Severity trends
Time to remediation
Recurring issues

Infrastructure Issues -- All pentest findings sync to the central issue tracker
Attack Surface Assets -- Scope pentests using discovered assets
Compliance Frameworks -- Pentest reports satisfy SOC 2 and ISO 27001 requirements

Integration

Issue Integration

Findings sync with Issues module:

Automatic issue creation
Status synchronization
Unified remediation tracking

Best Practices

Test Regularly

Annual testing is minimum. Quarterly is better. After major changes is essential.

Define Scope Clearly

Ambiguous scope leads to missed vulnerabilities or wasted time. Be specific.

Communicate Continuously

Regular communication with pentesters ensures focus on priorities.

Track Remediation

Pentests are only valuable if findings are fixed. Track to completion.

Next Steps

Typosquatting

Detect domain impersonation

Issues

Manage all security findings

Overview​

Why Penetration Testing?​

Beyond Automated Scanning​

Compliance Requirements​

Campaign Management​

Creating a Campaign​

Campaign Types​

Scope Definition​

Pentester Portal​

Portal Access​

Portal Features​

Portal Permissions​

Finding Management​

Submitting Findings​

Finding Workflow​

Finding Review​

Evidence Management​

Evidence Types​

Evidence Storage​

Reporting​

Campaign Report​

Report Formats​

Remediation Tracking​

Tracking Progress​

Retest Coordination​

Campaign History​

Past Campaigns​

Trend Analysis​

Related Modules​

Integration​

Issue Integration​

Best Practices​

Next Steps​