
Red-Team / Pentesting Guidance for Customers and Their Suppliers

SenseOn welcomes customer security testing of the SenseOn product (security assessments, red-team assessments and pentesting) as part of a customer's wider security posture.

This page has some useful information for Red-Team assessments / pentest activities. For ease, we refer to these as 'testing' in this documentation.


Details to provide to SenseOn in advance of testing:

  • The company doing the testing, and a contact for this
    • We can set up a testing call, or get further details - such as account names and devices expected to be used in the testing. We will use these to correlate and report on all pentesting activities.
  • What should happen with Alerts detected during the testing, e.g. escalate as usual, or close them as 'Benign True Positive'
  • Note: Log Retention is set by the customer and is a commercial service level. This is usually 30 days, but with our LTTR service it can be 90 days or more. To properly correlate and report on any pentesting, SenseOn must be able to search the logs from the testing window, so activity older than the retention period cannot be verified. The sooner we know about testing (preferably in advance), the better we can start reporting on it.

Configuration which may affect testing / response

  • If SenseOn runs alongside another EDR, the customer usually runs it in 'Compatibility Mode' to avoid conflicts with that product. In this mode SenseOn will Alert (but not Block) when applicable testing tools/techniques are detected, so testers should expect alerts rather than blocked actions, and the post-testing review will assess detection rather than prevention.

Scoping

  • In scope:
    • SenseOn core endpoint, which runs on Windows, macOS, and Linux.
    • Data from Integrations.
    • Network telemetry from endpoints and network probes.
    • Some customers have our 'Managed SOC' service, which triages Cases (High priority and above only).
    • Log ingestion is available, but Managed SOC analytics are customer-specific; ingested logs may be reviewed, although depending on the volume that review may not be in depth.
  • Out of scope (the SenseOn agent is not designed to detect these):
    • Ingestion of non-SenseOn host-based logs, e.g. Syslog
    • Misconfigurations in Active Directory
    • Web application pentesting
    • Host network activity conducted over HTTPS, including web application scanning/testing

Reporting

  • During and after the testing, SenseOn will cross-reference the techniques used against the Cases generated in the SenseOn Platform.
  • We will then conduct a 'gap analysis' to see where our Detections worked well and where they can be improved.
  • We will provide this to the customer in a post-testing report, which can be used to demonstrate the effectiveness of SenseOn's detections and service.
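The cross-referencing and gap analysis described above, and the retention caveat in the "Details to provide" section, can be reproduced on the customer side from the tester's activity log and an export of the Cases raised. The script below is an added example written for this page, not SenseOn code and not the SenseOn Platform's API: the record layouts, the 30-minute correlation window, the 30-day retention figure and all sample activities and Cases are constructed assumptions for illustration. It matches each logged tester action to the nearest unused Case on the same host for the same technique within the window, flags actions that fall outside log retention as unverifiable rather than missed, and tallies detection coverage per technique.

```python
"""Correlate a red-team activity log with detection Cases and report gaps.

Added example, not SenseOn code. Record layouts, the correlation window,
the retention period and the sample data are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

WINDOW = timedelta(minutes=30)    # assumed: a Case must land within 30 min of the action
RETENTION = timedelta(days=30)    # assumed: customer log retention (commonly 30 days)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "now" so the example is reproducible


def ts(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Activity:          # one line of the tester's activity log (assumed layout)
    when: datetime
    host: str
    account: str
    technique: str       # ATT&CK technique id the tester recorded
    action: str


@dataclass(frozen=True)
class Case:              # one Case exported from the detection platform (assumed layout)
    when: datetime
    host: str
    technique: str
    priority: str
    blocked: bool        # False when the agent alerts only (e.g. Compatibility Mode)


@dataclass
class GapReport:
    detected: List[Tuple[Activity, Case]] = field(default_factory=list)
    missed: List[Activity] = field(default_factory=list)        # no Case within the window
    unverifiable: List[Activity] = field(default_factory=list)  # older than log retention
    unmatched_cases: List[Case] = field(default_factory=list)   # Cases not tied to any action


def correlate(activities: List[Activity], cases: List[Case], now: datetime = NOW,
              window: timedelta = WINDOW, retention: timedelta = RETENTION) -> GapReport:
    """Match each action to the nearest unused Case (same host, same technique, within window)."""
    report = GapReport()
    used = set()
    for act in activities:
        if now - act.when > retention:
            report.unverifiable.append(act)   # logs are gone; cannot say detected or missed
            continue
        best: Optional[Tuple[timedelta, int]] = None
        for i, case in enumerate(cases):
            if i in used or case.host != act.host or case.technique != act.technique:
                continue
            gap = abs(case.when - act.when)
            if gap <= window and (best is None or gap < best[0]):
                best = (gap, i)
        if best is None:
            report.missed.append(act)
        else:
            used.add(best[1])
            report.detected.append((act, cases[best[1]]))
    report.unmatched_cases = [c for i, c in enumerate(cases) if i not in used]
    return report


def coverage_by_technique(report: GapReport) -> Dict[str, Dict[str, int]]:
    """Tested/detected counts per technique; unverifiable actions are not counted."""
    tally: Dict[str, Dict[str, int]] = defaultdict(lambda: {"tested": 0, "detected": 0})
    for act, _ in report.detected:
        tally[act.technique]["tested"] += 1
        tally[act.technique]["detected"] += 1
    for act in report.missed:
        tally[act.technique]["tested"] += 1
    return dict(tally)


# Constructed sample data (not from any real engagement).
SAMPLE_ACTIVITIES = [
    Activity(ts("2024-05-28 09:00"), "WS-014", "svc-test", "T1059.001", "PowerShell download cradle"),
    Activity(ts("2024-05-28 09:20"), "WS-014", "svc-test", "T1003.001", "LSASS memory dump"),
    Activity(ts("2024-05-28 10:05"), "SRV-DC1", "svc-test", "T1021.002", "SMB lateral movement"),
    Activity(ts("2024-05-28 11:00"), "WS-022", "svc-test", "T1059.001", "PowerShell download cradle"),
    Activity(ts("2024-04-15 14:00"), "WS-014", "svc-test", "T1566.001", "Phishing attachment"),  # outside retention
]
SAMPLE_CASES = [
    Case(ts("2024-05-28 09:03"), "WS-014", "T1059.001", "High", blocked=False),
    Case(ts("2024-05-28 09:21"), "WS-014", "T1003.001", "Critical", blocked=False),
    Case(ts("2024-05-28 10:07"), "SRV-DC1", "T1021.002", "High", blocked=False),
    Case(ts("2024-05-28 15:00"), "WS-031", "T1110.001", "Medium", blocked=False),  # unrelated to the test
]


def run_sample() -> GapReport:
    return correlate(SAMPLE_ACTIVITIES, SAMPLE_CASES)


if __name__ == "__main__":
    rep = run_sample()
    for act, case in rep.detected:
        print(f"DETECTED  {act.technique} on {act.host}: Case {case.priority} {case.when:%H:%M}")
    for act in rep.missed:
        print(f"MISSED    {act.technique} on {act.host}: {act.action}")
    for act in rep.unverifiable:
        print(f"NO LOGS   {act.technique} on {act.host}: older than retention")
    print("coverage:", coverage_by_technique(rep))
```

Matching on host and technique alone is deliberately loose; in a real exercise you would also carry the tester accounts and device names supplied before the test, as the page asks for, and treat a Case that fires on a different host or a parent technique as a partial match to review by hand rather than an automatic miss.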