Skip to content


Pentest Program Metrics

Portfolio Coverage
    An organization should apply security controls in a risk-based manner across its entire software portfolio
    • Goal: conduct a pentest on every DC
    • Question: what percentage of DCs have been tested in the last 12 months?
    • Metric: % = # DC tested / total # of DC in portfolio
Pen Test Frequency
    An organization should conduct a penetration test on critical applications once a quarter
    • Goal: conduct a pentest on DC once a quarter
    • Question: how many DCs were tested this quarter?
    • Metric: # DCs tested this quarter / total # DCs
    Critical findings should be fixed as soon as possible
    • Goal: fix critical findings as soon as possible
    • Question: what’s the average time-to-fix for critical pentest findings?
    • Metric: average(time-to-fix for critical pentest findings)

Pentest Engagement Metrics

Talent Ratings
  • The most important attributes of any security researcher are their skillset, experience, and performance
  • You want a security researcher to:
    • have skills that are matched to your application’s technology stack
    • have many years of professional experience conducting security tests
    • be highly rated by team members and clients on their past performance
New Issues Found
  • It's impossible to know if all of the security bugs have been discovered in a given pen test
  • But an indicator that can be counted and tracked is the number of new high criticality issues which were found in the most recent test
  • Metric: % = # new findings / # total findings in the most recent pentest
Vulnerability Types
  • By visualizing and analyzing how many instances of each vulnerability type have been found in a pentest, an organization can begin to strategically eliminate certain types of vulnerabilities by focusing prevention strategies on a particular category
  • Metric: count the number of security defects of each vulnerability type
Findings Criticality
  • Some findings are more critical than others
  • Metric: count the # of pentest findings at each level of criticality
Issues Fixed
  • Finding is great, but fixing is what actually improves application security
  • An organization should track how many issues found in each pen test actually get fixed
  • Metric: # security defects fixed / # security defects found