Solving the Q4 Crunch for InfoSec Consulting

By Chris Elbring

In information security consulting, and especially in bespoke penetration testing services, the fourth quarter tends to be a bit of a shit show, for lack of a better term. It may have something to do with the immaturity of information security budgeting processes, new managers, schedule slips, or all of these things and more combined. The truth of the matter is that a lot of firms go looking for "emergency pen testing" in the fourth quarter, and many consulting firms bend over backwards every year under the deluge of requests, trying to grab as much business as possible.

At Anvil, we are working with our customers and having thoughtful conversations about their needs and requirements for the end of this year and the beginning of next. As we look at September and at what we have going on between now and the end of the calendar year, we are taking steps to understand what our current clients need, and we are making adjustments that will let us handle a defined percentage of overflow: a buffer into which we are willing to comfortably bend.

Why "comfortably bend" rather than go for it and take as much business as possible? In line with our desire to provide our clients the best possible service and to do work that we find challenging and interesting, we do not want to overstretch. Overstretching would cause us to fail at providing the quality of service we want to provide, and it would also fail our consultants and partners.

If you are a provider of penetration testing services, start talking to your clients right now and get your backup plans in place. Make sure you understand your bandwidth and the types of work you will need to walk away from. Develop a list of partner firms that you can engage directly or suggest to your own clients. This list should obviously contain only firms that you believe are qualified to do the work as well as you would yourself.

If you are a purchaser of penetration testing services, know what type of firm you need, define your plans, and partner with at least one firm to do your planning. Have a backup plan and discuss it with your penetration testing partner. If they are unwilling to suggest other firms that can provide you with services, think seriously about finding a new partner that has your best security interests in mind, and use this initial firm as your backup. Talk to your partner as early as possible so that they can plan together with you and make sure you get the best results possible. September is the time to be planning for tests that need to be completed before the end of the year. You know your organization, so even sharing your plans (under NDA, of course) will keep your partner from being surprised by the coming workload and let them give you options. And if you realize your partner is not giving you the service you deserve, find a new penetration testing partner.

In reality, what I am proposing is a short-term solution: making sure that your firm has appropriate plans in place to get quality penetration testing from a trusted partner, within the context of what is happening today. What we, as an industry, will eventually need to address are the underlying issues that drive the Q4 madness. We will save that for another time.

About the Author

Chris Elbring is Managing Partner and CEO of Anvil Secure. Prior to founding Anvil, Elbring worked as CEO and CTO of a startup security software development firm, President of a boutique, regional security consulting firm, an independent technology and security consultant, Director of Software Development of a mobile, biometric firm and most recently as Senior Vice President of Research and Delivery at IOActive, Inc.
