
Putting your security assessment budget on a leash while avoiding the Pentest Puppy Mill

  • Tuesday, September 03, 2013 at 1:30 PM EDT (2013-09-03 17:30:00 UTC)
  • John Strand, Paul Asadoorian


The goal of a penetration test should be to elevate your security, not line the pocket of the pentester. In this webcast, Paul and John discuss ways to structure your pentest so that you aren't paying for shells from a Pentest Puppy Mill, but instead paying for reproducible results that will provide a baseline for future testing.


  • What a good RFP should look like
  • Pentest puppy mill explained
  • Following the PTES standard so you don't get a vuln report
  • Explaining how the PTES standard helps organizations
  • Assess yourself before the red team shows up
  • Money saving tips:
    1. Crystal box vs. black box
    2. VPN access vs. onsite
    3. Insist on a report that includes steps to reproduce the findings, so you can test whether your mitigations actually improved security
    4. Onsite only after external testing exhausted
    5. Test/QA/Dev environments vs. production

All the above should be done as if preparing for the NEXT year's pentest.

Speaker Bios

Paul Asadoorian

Paul Asadoorian, GCIA, GCIH, Founder & Chief Executive Officer. Paul Asadoorian has over 5 years of experience working in the information security field. His work experience covers both major corporations and academic institutions. He currently holds two GIAC (Global Information Assurance Certification) certifications, in intrusion detection (GCIA, GIAC Certified Intrusion Analyst) and incident response (GCIH, GIAC Certified Incident Handler). Paul also sits on the GCIA advisory board, has spent one year as a GCIA authorized grader, and continues to stay involved in the SANS (SysAdmin, Audit, Network, Security) Institute. His research has appeared in the book Network Intrusion Detection, 3rd edition, and also on the SANS Reading Room web site. Paul has presented for numerous organizations and conferences, including MIT Security Camp and ISACA (Information Systems Audit and Control Association). Paul graduated from Bryant College with a bachelor of science in Computer Information Systems.

John Strand

John Strand is a senior instructor with the SANS Institute. He teaches SEC504: Hacker Techniques, Exploits, and Incident Handling; SEC560: Network Penetration Testing and Ethical Hacking; SEC580: Metasploit Kung Fu for Enterprise Pen Testing; and SEC464: Hacker Guard: Security Baseline Training for IT Administrators and Operations with Continuing Education. John is the course author for SEC464: Hacker Guard: Security Baseline Training for IT Administrators and Operations with Continuing Education and the co-author of SEC580: Metasploit Kung Fu for Enterprise Pen Testing. When not teaching for SANS, John co-hosts PaulDotCom Security Weekly, the world's largest computer security podcast. He is also the owner of Black Hills Information Security, specializing in penetration testing and security architecture services. He has presented for the FBI, NASA, the NSA, and at DefCon. In his spare time he writes loud rock music and makes various futile attempts at fly-fishing.
