8 effective strategies for building trust in ethical hacking engagements
What does it take to build authentic trust and have a collaborative relationship with your customers?
How do you help them create meaningful change in their organization?
Which specific actions do you take to make an impact in how they tackle security issues?
If you’ve wrestled with these questions, we created this educational guide to help you get more clarity and cultivate meaningful relationships with your customers.
Empathy, honesty, clear communication, and understanding clients’ specific needs are some of the most effective strategies offensive security pros use to nurture these relationships with intent.
Check out all of them!
8 ways to build trust in ethical hacking engagements
Before the engagement, build credibility with customers (external or internal) by clearly communicating your hands-on experience and sharing your certifications.
Be very transparent with customers by sharing methodologies, examples of past reports, internal processes, and a guide on how you work to set clear expectations.
Be a true partner in enhancing their security posture by asking specific questions about their business context, challenges, and technical environment (e.g. Which environments are we testing: staging or production? How complex is the web app? Do you use any custom protocols?).
Engage the customer during the assessment process by sharing regular updates, high-risk findings as they come up, or discussing the next steps.
Communicate risk effectively through explicit attack scenarios and by assessing potential business consequences.
Develop the ability to remain calm in difficult conversations by using your understanding of the attacker mindset to show customers how a bad actor would target them.
Put yourself in the customers’ shoes by providing helpful feedback, acknowledging what they do well and highlighting areas for improvement, ideally aligned with their available resources to tackle them.
Offer actionable findings and clear remediation strategies by sharing a custom, comprehensive report with the impact of each finding, screenshots, PoCs, and other key recommendations that can make their environment more resilient against attackers’ go-to tactics.
Matei Anthony Josephs
Senior Penetration Tester at KPMG
Matei speaks from his pentesting experience and reminds us why communication is at the core of building trust in any professional relationship, even more so in cybersecurity.
Many aspiring penetration testers see pentesting as a field where guys wearing hoodies are locked in dark rooms for weeks on end without much human interaction other than paying the delivery person who brings them food or hardware, or perhaps, making mean jokes on hacker forums. This cannot be further from the truth, at least in ethical hacking.
In fact, penetration testers need to interact with clients, colleagues, and many other members of the cybersecurity community. Clients are an interesting case - coming in all shapes and sizes, from the very technical developers to the business-oriented C-level managers. Pentesters cultivate a special relationship with their clients, requiring them to build and maintain trust throughout every step of the penetration testing process.
When conducting a pentest, the tester employs the same techniques that a threat actor may use and, in some cases, the impact of an attack may be massive. So not only should the customer trust that the tester will not damage the systems, but also that the tester will not withhold information and use it for black-hat purposes.
From Matei’s perspective, customers won’t consider your feedback or advice if you don’t communicate clearly and effectively at any stage of your engagements.
Before the engagement, the tester should establish credibility. You could do this by discussing past projects, communicating your relevant experience and certifications. While scoping the engagement, the tester should discuss the client’s needs and set expectations.
Make sure you understand why the client is having this test and what their concerns are. During execution, the tester should discuss any hurdles as soon as they appear, provide regular updates, and notify the stakeholders if any critical findings come up.
He also adds the importance of delivering relevant, actionable information and a clear pentest report they can apply to improve their security posture.
The report should provide actionable findings as well as clear remediation strategies. Most importantly, the report should clearly show the impact of each finding! An interesting finding does not bring much value unless the impact is clearly explained (potentially providing a proof-of-concept). For instance, let’s say you found a cross-site scripting vulnerability. You could provide a screenshot of an alert saying “XSS” – this may start making a technical person’s wheels spin, but not all stakeholders are highly technical or security-minded.
You could, however, use the cross-site scripting vulnerability to deface the website or redirect to Rick Astley’s Never gonna give you up. This would definitely give non-technical stakeholders second thoughts as well. At the end of the day, building and maintaining trust is a win-win situation as it leaves the client’s systems more secure than they were and it also brings the client back to you in the future.
Aaron Boyd
System Engineer at Liberty Energy
Aaron’s vast experience in this space shows maturity and pinpoints essential aspects pentesters need to consider to build long-lasting relationships with their clients.
In the world of cybersecurity, the role of a penetration tester is not just about identifying vulnerabilities but also about building a relationship of trust with the client. This trust is essential for the client to take the advice and feedback seriously and act on it. Here's how to establish and maintain this crucial trust.
Here are 5 key elements you need to focus on when cultivating genuine relationships with your customers:
1. Building trust: More than just pointing out flaws
As a penetration tester, the initial interaction with a client sets the tone for the entire relationship. It's crucial to establish that you are not there to simply point fingers or highlight what they are doing wrong. Instead, the goal is to be a partner in enhancing their security posture.
2. Showcasing strengths in reports
While it's important to identify vulnerabilities and risks, it's equally vital to acknowledge the strengths of the client's current security measures. This balanced approach in reporting not only instils confidence but also demonstrates that you appreciate their efforts and successes.
3. Meaningful and actionable recommendations
Your findings and recommendations should be clear, meaningful, and, most importantly, actionable. For example, if you discover a vulnerability in their network, your report should not only detail this issue but also offer a step-by-step remediation plan. This approach shows that you understand their environment and provide tailored advice, not just generic suggestions.
4. Understanding clients' needs and challenges
During the scoping phase, engage in dialogue to understand what the client has been trying to achieve but couldn't, due to constraints in resources, be it personnel, processes, or technology. This understanding allows you to tailor your testing and report in a way that not only identifies vulnerabilities but also helps them justify the need for additional resources. For example, if they have struggled to implement a certain security protocol due to budget constraints, your report can provide the necessary evidence to support the investment.5. Collaborative approach: A partnership rather than a service
One of the most effective ways to build trust is by involving the client throughout the assessment process. Regular updates, sharing findings as they come up, and discussing the next steps keep the client in the loop. This collaborative approach ensures there are no surprises in the final report and positions you as a trusted advisor rather than just a service provider.
For instance, during a network penetration test, you may discover a critical vulnerability. Instead of waiting to include this in your final report, immediately inform the client and discuss potential immediate actions. This not only helps in timely mitigation but also reinforces the collaborative nature of your relationship.
In summary, building trust as a penetration tester is about much more than just uncovering and reporting security weaknesses. It involves establishing a relationship based on understanding, collaboration, and a genuine desire to help the client improve their security posture.
By highlighting their strengths, providing actionable recommendations, understanding their challenges, and working closely with them throughout the process, you position yourself as a trusted advisor and partner in their cybersecurity journey.
Nis Peder Bonde
Experienced cybersecurity architect specializing in DevSecOps and GRC
To bridge the gap between technical expertise and business understanding, cybersecurity professionals must communicate the implications of cybersecurity threats and vulnerabilities in a way that resonates with business leaders.
Risk assessments provide a powerful tool for this, framing technical issues in explicit scenarios that illustrate the potential risks to the company based on the likelihood of an attack and its ultimate consequences.
By involving business management in the risk assessment process and having them assess business consequences, they are empowered to take ownership of the cybersecurity challenges faced by their organization. This leads to mutual respect, shared responsibility, and a better understanding of the potential risks and threats.
He also adds that understanding cybersecurity is key to companies focused on securing their digital assets.
With a more comprehensive understanding of cybersecurity, business management can make informed decisions and take proactive steps to mitigate risks and protect their organization from potential cyberattacks.
Spencer Alessi
Hacker & Penetration Tester at SecurIT360
He also points out that building trust boils down to these four aspects:
Empathy, honesty, and humility. I think you first have to understand where that person is at, what their needs are, and what their goals are. You have to be able to identify what the client needs help with and they need to feel heard. You also have to be honest. If you don't know the answer immediately and you need time to research or do your homework, you need to be honest.
The humility part is the ability for you to say you don't know or you need some time to research. Pretending like you know does not serve you or the customer well and in reality, it could even be harmful.
Hands-on experience. People want advice from people who have gone through their struggles before and have figured out a solution. It's hard to give advice that you've never taken yourself. It's hard to give insights on something you don't have experience with.
If you want customers to trust you, it helps to have been in their shoes before or at least have experience with the problem you're trying to solve for them.
Alexei Doudkine
Co-founder | Offensive Security Director at Volkis
Alexei highlights why (and how) any work they perform for customers starts with trust and transparency. He also shares one key thing that we need to practice more: empathy.
We are asking permission to hack them and possibly/probably gain access to their most sensitive information. How can they be sure we don't just run off with their data? Or, maybe more commonly, why should they believe the advice we provide? We have countless little ways that we build trust with clients, but I'll just get into the top 2.
Here are 2 evergreen recommendations Alexei and his team use to build trust:
Firstly, we try to publish anything that isn't confidential in our Handbook. This includes methodologies, past reports, internal processes, and a guide for how we work and who we are. We hope that being hyper-transparent provides clients with assurance on what to expect from us. We're asking for their data; it's only fair we give them some of ours.
The second biggest way is our culture of empathy. I encourage all my staff to be completely honest with our clients and provide advice in their best interest. We try to do this straightforwardly - avoiding industry jargon, and really getting to the roots of what our clients really care about (spoiler alert: it's rarely just "to be secure").
We all have a passion for infosec and I want our whole team to speak with a passionate voice rather than a corporate one. The hope is that through empathy, honesty, and passion, we begin building trust with clients.
Segev Eliezer
Sr. Penetration Tester at SecurityScorecard | Global top 0.1% at TryHackMe & HacktheBox
Here are 3 key aspects of building trust Segev emphasizes to share with your customers: expertize, clarity, and constant updates on how the project is going.
Getting a customer's trust develops across multiple phases of a project: from before the project is signed to the end when the report is debriefed. A customer first picks a security team based on the team’s credentials.
This includes assessing a professional's certifications, GitHub, write-ups, among other cyber-related professional content. After a statement of work is signed and the project kick-off starts, the security professional must give the customer confidence in the engagement by offering any necessary information to perform a successful and smooth operation. This includes gaining necessary access to the system(s) or network to test, refining the scope, and clarifying the rules of engagement.
When the engagement starts, the team should keep the customer updated on any critical or high findings discovered. Every finding should be detailed with specific steps on how to reproduce the findings and how to remediate them.When the report is debriefed to the customer, all findings should be clearly explained and address all questions from the customer in a concise, detailed, and easy-to-understand manner. The entire engagement should be completed before the deadline that was promised to the customer.
Segev shared his team’s experience and way of doing things with a particular customer:
A client was at first skeptical of the small pentesting team we have at SecurityScorecard. However, we are a flexible team that covers all time zones and pentesting services, and we were able to meet their strict deadlines with high-quality reports.
The client was regularly updated on the progress of the engagement, and at the end of the project, we went through each finding in detail. This client has since signed with us multiple times and is a regular customer.
Adrian Iovita
Senior Security Engineer at American Greeting
With 5+ years of hands-on experience in network security, Adrian emphasizes the importance of active listening to your customers.
I think it’s important to be a good listener and don't give the impression that you are a know-it-all person.
When you give advice or feedback, try to put yourself in the customer's shoes and that way you can make yourself pleasant and understood.
Here’s a practical example:
In my previous job when I worked with customers and I had to give them advice or feedback, I always strove to be nice and included phrases that would increase the trust "This is best practice or based on my experience or from previous cases that we worked".
Try to combine business language with technical terms so the feedback or advice is not overwhelming for the client.The clients are always looking for results so it’s best to provide them with details about the end goal or what they’ll accomplish by following your advice/feedback.
People are all different so you need to have an open mind and the ability to keep calm in difficult conversations.
And let’s not forget that a key factor here is how you handled previous services for that specific customer, which will reflect in feature interactions.I follow the motto: Work hard and be nice.
Why building trust is key to genuine relationships with customers
Alethe Denis, our first guest for the We think we know podcast, said during any ethical engagement you need to build trust between your team and the other team so they believe it’s a collaborative service working together for a positive outcome.
Many thanks to all the 7 offensive security professionals who shared their actionable tips on how to build trust and integrity - and act on it! Their generosity confirms we’re part of a community with wonderful people who focus on sharing knowledge and helping others.
Eager to dive deeper into the hacker’s mindset and learn from other infosec pros?
Check out our community wisdom category on the blog where we gather thought-provoking perspectives, which are worth exploring and pondering.
