Working together in projects

Pentesting is most fun and has the best quality if pentesters work together. This is why we try to do pentests in groups (usually, 2-3 persons). This is, however, dependent on the time box available for the pentest.

Small timeboxes (5 person days or less) are best done alone, from the timing perspective. If two pentesters work on a 5 person days (pds) project, time is up after 2.5pds, which covers setup, initial testing, and report writing. There is not enough time for thorough testing.

We, however, run many projects with 5pds (due to reasons). This is how we try to approach the situation:

One pentester has the lead and finishes the up-front tasks and initial testing. On day 3 of the pentest, the lead tester onboards another pentester, who then tests for one person day together with the lead pentester. Day 4 is dedicated to reporting (done by the lead pentester).

This approach might not always work in real life. If it doesn't, one pentester can also test alone. We try to plan in a way that pentesters don't have multiple projects in a row in which they must test alone.