Frequently Asked Questions

AttackSix's core competency is helping organizations gain actionable insight into how hackers could target their systems. We achieve this by simulating attacks through penetration testing and red team operations. Additionally, we offer services to evaluate cyber defenses based on your enterprise-wide security model and operating framework. As a result, our clients are able to remediate weaknesses in their people, processes, and technologies to be more resilient when adversaries engage.

Many organizations feel this way. The truth of the matter is: you're in the fight - whether you know it or not. Hackers do not discriminate when scavenging the internet for low-hanging fruit, and a single missed patch or misconfiguration could make your company the next victim of opportunity. In fact, many companies have such limited defensive capabilities that they are never even aware when they've been compromised.

Additionally, hackers are increasingly targeting third-party and fourth-party vendors and suppliers as means to ultimately compromise larger companies. The lack of cybersecurity maturity in many small-to-medium-sized businesses often makes them ideal targets for n-party attacks.

Again, many organizations feel this way. Understanding the criticality of your information assets is often difficult, especially if your company doesn't have experienced cybersecurity professionals among its leadership.

If you've not yet performed a business impact analysis or any sort of risk assessment, you do not have the information you need to determine the impact of various threats. Remember, your risks span all three: confidentiality, integrity, and availability.

You could lose competitive advantage.
Your company's reputation could be tarnished.
You could lose the trust of your consumers.
You could lose important B2B relationships, or enable your own clients and vendors to be breached.
You could be making payments to fictitious vendors, or making fraudulent wire transfers.
Your systems could be taken offline, causing unrecoverable productivity, inventory, and sales losses.
You could be in violation of local, state, federal, and international laws.

... These are just a few examples. Feel free to reach out if you'd like to discuss your own concerns. AttackSix operators have practical insights into the threats facing many industries, and we can help you make informed decisions about how to address them.

If you truly don't know where to begin, it is likely that your organization would gain the most value from one or more of our traditional operations offerings, depending on the drivers for your assessment. With limited-to-no technical requirements from your team, AttackSix can execute comprehensive technical security assessments and deliver actionable recommendations to help make your company more secure.

Traditional operations are not only great choices if you're not sure where to begin, but also if you have specific testing needs, or if you just need to meet compliance requirements.

Eventually, as organizations mature security operations or expand the scope of assessment beyond compliance requirements, defense operations or flagship adversary operations may be more suitable.

We'd be happy to discuss your drivers for seeking security services. If we're not confident we are the best choice, we'll happily refer you to the competition.

Yes! Our experience, qualifications, and assessment methodology are all well-suited and acceptable to meet the compliance requirements of PCI DSS, HIPAA, HITRUST, SOC I/III/II, and more.

There are many philosophies (and compliance requirements) regarding the optimal periodicity of penetration testing and/or red team operations; however, the technical complexities, threat vectors, and overall risk profile of each organization create unique needs for all.

At an absolute minimum, we recommend engaging an independent party to perform some form of broadly-scoped penetration testing or red team operation at least once per year.

In the security community, you may find varying definitions of a "penetration test" or, especially, a "red team." AttackSix differentiates penetration testing from red teaming based primarily on the distinct value proposition of each.

Penetration Test - The output of a penetration test primarily reflects opportunities to improve the maturity of the organization's vulnerability, patch, and/or configuration management programs. The final report focuses on delivering highly-specific recommendations for remediating the vulnerabilities exploited during the assessment as well as any program-level improvement opportunities.

Red Team - The output of a red team operation primarily reflects the maturity of incident response personnel and processes, as well as endpoint detection and response ("EDR") technologies. In addition to delivering specific recommendations for remediating vulnerabilities exploited during an assessment, a red team operation seeks to document a detailed timeline of attacks and corresponding blue team detections, detection gaps, responses, and mitigations. The final report and debriefs focus on validating detection, response, and mitigation capabilities of blue team operators as well as closing detection gaps by walking through tactics, techniques, and procedures ("TTPs") and indicators of compromise ("IOCs") perpetrated during the assessment. Ultimately, your company's defensive operators will be better-equipped to identify, detect, and respond to evolving adversary tactics.

Engaging cybersecurity professional services can feel a lot like a show of smoke and mirrors. Ensuring broad knowledge of risk and deep technical competence of your service provider is critical to receiving robust, meaningful, and actionable insight into the threats facing your organization.

Generally, if you continue to receive valuable and actionable insights from your service provider, it may be fine to continue using their services. Ideally, you should incorporate a fresh perspective - at least every few years - in order to confirm or deny the level of service you are receiving by comparison.