I had a disappointing email today. Working with a prospect who wanted to get their SOC 2 Type 2 certification, they needed a pentest. Technically not fully required, but in my experience it helps a great deal. Cut them a deal and provided a few options, including a very basic network assessment for the hosting infrastructure (it's all about the scope, y'all).
But they had at least one of their own prospects asking for a pentest report, so I warned them that this won't work. They need their actual app to be tested. They're not sure, asking for what would be the bare minimum.
I explain that if they limit their scope for the SOC 2, they can go cheap, but it won't help with their prospect. Wait a few days and get the "We're going in another direction" email. I hear through the grapevine that they had a second prospect asking for a pentest report. I wish them well and let them know I'm here if things change. Maybe I was undercut, but whatever. Best part? They're in the healthcare field, targeting hospitals/clinics, so I hope they get their priorities straight.