Enhancements across the board. File Structure Reorganization.

Made improvements based on Erik's indications & my reasoning. Reorganized the files & renamed most of them.

Author: AlexCulda

pages/penetration-testing/_meta.ts

@@ -1,9 +1,10 @@
 export default {
-  ptaas: "Penetration Testing as a Service (PtaaS) at Oneleet",
-  types: "Penetration Testing Types",
-  "reports-documents": "Penetration Test Reports / Documents",
-  "process-overview": "High-level overview of the Process",
-  "test-report": "The Penetration Test Report",
-  "analyze-remediate-retesting-accept": "Analyze, Remediate, Retesting and Accept the Risk",
-  "faq": "Frequently Asked Questions",
+  ptaas: "Penetration Testing as a Service (PtaaS)",
+  "process-overview": "Process Overview",
+  "classification": "Classification",
+  "documents": "Documents",
+  "final-report": "Final Report",
+  "offerings": "Offerings",
+  "findings-decisions": "Decisions on Findings",
+  "faq": "Frequently Asked Questions"
 };

pages/penetration-testing/classification/_meta.ts

@@ -0,0 +1,5 @@
+export default {
+    "access-level": "Access Level",
+    "attack-vector": "Attack Vector",
+    "pci-dss": "PCI DSS",
+  }

pages/penetration-testing/classification/access-level.mdx

@@ -0,0 +1,29 @@
+import { Callout } from "nextra/components";
+
+# Classification based on Access Level
+
+At Oneleet, we tailor our approach to meet each client’s needs. 
+We recognize that businesses vary in size, goals, and requirements, so we develop customized strategies for success.
+
+Generally, there are three types of penetration testing scenarios. Let’s break it down:
+
+## White Box Penetration Testing
+
+The tester possesses complete knowledge of the system’s source code, architecture, and network details. 
+This scenario resembles an attacker with in-depth understanding of the system’s inner workings. 
+Such an attacker could be a disgruntled employee, a contractor, or someone who has gained unauthorized access to sensitive internal information.
+
+## Gray Box Penetration Testing
+
+The tester may have limited access to internal documentation or user credentials, which could be exploited by an attacker with some inside information or limited access to the system.
+
+<Callout type="warning" emoji="⚠️">
+  This is the type of penetration testing we most often recommend to our
+  clients, as it provides a balanced approach in terms breadth, and depth.
+  However, depending on the company's nature, product, and likely attack
+  vectors, other types of penetration testing might be more relevant.
+</Callout>
+
+## Black Box Penetration Testing
+
+The tester, lacking prior knowledge of the system, adopts an external hacker’s perspective. The simulated attacker embodies a hacker attempting to breach the system from the outside. They employ techniques such as reconnaissance, social engineering, and vulnerability scanning to identify potential weaknesses.

pages/penetration-testing/classification/attack-vector.mdx

@@ -0,0 +1,8 @@
+# Classification based on Attack Vector
+
+Sometimes, there’s also a distinction made between internal and external penetration testing. 
+If the previous Black/Grey/White categorizes tests by what the tester knows/can access, the Internal/External one categorizes tests by where the testing originates.
+
+**External Penetration Testing** simulates an attack originating from outside the organization, specifically targeting internet-facing assets such as web applications, firewalls, and public servers. The primary objective is to uncover vulnerabilities that an external attacker could potentially exploit. Common targets include websites, virtual private networks (VPNs), and cloud resources. These tests encompass a range of scenarios, including misconfigurations, compromised passwords, and outdated software.
+
+**Internal Penetration Testing** simulates an attacker who has already gained access to the internal network. It focuses on internal security controls, access permissions, and lateral movement capabilities, targeting internal systems, applications, and sensitive data.

pages/penetration-testing/analyze-remediate-retesting-accept.mdx renamed to pages/penetration-testing/classification/pci-dss.mdx

@@ -1,44 +1,3 @@
-# Analyze, Remediate, Retesting and Accept the Risk
-
-After receiving the penetration test report, there are several steps you can take, such as remediation, accepting the risk, or rejecting the findings.
-
-Here’s a brief overview of actions you can take once the penetration test report is ready.
-
-## Analyze
-
-When deciding to address a vulnerability, the first and most crucial step is to allocate sufficient time to analyze and interpret the report. Your employees responsible for the penetration test should consider the following questions:
-
-- Does this vulnerability meet the risk threshold we have agreed upon internally?
-- What is the actual (business) impact of a possible vulnerability exploitation, considering factors that may not be known to the penetration tester?
-- Who will be responsible for remediating each finding?
-
-## Remediate
-
-Before taking any further actions, it’s crucial to verify that the vulnerability is reproducible. This not only enhances your understanding of the issue but also helps identify the systems at risk and different intrusion techniques.
-
-To initiate the remediation phase, it’s essential to comprehend the scope of what needs to be fixed. While technical fixes may be necessary, there could also be underlying causes, such as:
-
-- Management practices that require improvements;
-- Alternative approaches;
-- Ineffective or overly permissive security policies;
-- Communication issues within or between departments.
-
-Nevertheless, in most cases, a technical fix must be implemented. We advise remediating the findings as soon as possible, as the chances of the penetration tester still being intimately familiar with the vulnerability are higher, and the probability of an exploitation is lower.
-
-## Retest
-
-At Oneleet, we are committed to safeguarding your company. We provide free retesting for a year after the penetration test is delivered, giving you ample time to address vulnerabilities and improve your company’s security posture. However, it’s crucial to adhere to your internal policy regarding vulnerability remediation, particularly in light of compliance requirements such as SOC 2, PCI, or ISO 27001.
-
-## Accepting the risk
-
-Marking vulnerabilities as `Accepted Risk` on our platform is entirely at your discretion. We recognize that each client may have a higher or lower internal risk threshold for remediation, and we respect your decision if the analyzed impact is deemed too low to warrant action.
-
-However, we advise against accepting vulnerabilities with a `Medium` or higher risk. As these vulnerabilities pose a growing business risk, they are not a matter of if but when they will impact your organization. Therefore, ensure that you allocate sufficient time and effort to remediate these risks effectively.
-
-Our recommendation is to always provide a clear reason for accepting a risk. This rationale will be included in the penetration test report, allowing you to offer additional context to internal and external stakeholders regarding the acceptability of the risk.
-
----
-
 # PCI DSS Penetration Test
 
 If you hired Oneleet for a PCI-DSS penetration test, there will be a few minor differences compared to our regular penetration testing process. The primary objectives of the PCI-DSS penetration test are to:
@@ -82,10 +41,10 @@ According to **PCI DSS Requirements 11.3.1 and 11.3.2**, penetration testing is
 
 The definition of a **“significant change”** fluctuates based on an **organization’s risk assessment** process and the specific configuration of its environment. Since PCI DSS doesn’t provide a rigid definition of a significant change, it’s up to each entity to assess whether a change could potentially compromise network security or expose cardholder data. If a modification could potentially affect security or access to cardholder data, it’s generally regarded as significant and should prompt a penetration test.
 
-### Example of a Significant Change:
+### Example of a Significant Change
 
 **Migration to a New Firewall System**: Upgrading or replacing the firewall safeguarding the CDE is a substantial change because it directly affects network security. This transition could introduce novel configurations, alter network paths, and influence data flow, potentially compromising cardholder data. Given the critical role firewalls play in security, a penetration test is essential to validate that security controls are functioning as intended.
 
-### Example of a Non Significant Change:
+### Example of a Non Significant Change
 
 **Patch for a Non-CDE System**: Applying a minor software patch to a system outside the CDE that doesn’t interact with or impact cardholder data would be considered a non-significant change. This maintenance doesn’t alter security controls in the CDE or affect access to sensitive data, so a penetration test under PCI DSS is not necessary.

pages/penetration-testing/documents.mdx

@@ -0,0 +1,9 @@
+# Penetration Test Documents
+
+At Oneleet, we offer several types of documents during the penetration testing process.
+
+| Name | Description | Target
+|-----|-----|-----
+| **Full Report** | Generated at the conclusion of the engagement. This report presents all the findings, accompanied by a **Description**, **Business impact**, **Reproduction steps**, and **Remediation steps** section. It includes an executive summary that highlights positive findings and recommendations. The results section provides a high-level overview, a table listing vulnerabilities, and an overview of the scope of the engagement. After remediation, the report will be updated to reflect the current state of each identified finding.  | Internal Usage or <br></br> External Stakeholders
+| **Letter of Attestation** | Verifies the successful completion of a penetration test, offering a succinct summary of the scope, methodologies employed, and the tester's proficiency. Offers a comprehensive evaluation of the application's security, identifying the number of vulnerabilities discovered.  | External Stakeholders
+| **Letter of Engagement** | Notifies that you are undergoing a penetration test. Offers a comprehensive overview of the test's objectives, scope, methodologies, and the dates of the assessment. Assures you that any vulnerabilities discovered will be promptly reported for remediation.  | External Stakeholders |

pages/penetration-testing/faq.mdx

@@ -4,15 +4,15 @@
 
 No. At Oneleet, we recognize that such attacks increase the probability of operational disruptions or the risk of collateral damage. We firmly believe that there is no genuine advantage to conducting such tests when doing a penetration test.
 
-### Is the source code assessed? Between a Black, Gray or White-box Penetration Test, what should I choose?
+### Between a Black, Gray or White-box Penetration Test, what should I pick?
 
-Opt for a **White-box Pentration Test** if you are prepared to provide the source code and configuration files to the penetration tester, or if the application is open-source, as it effectively simulates threats that have or had access to the source code. Select a **Gray-box Penetration Test** for a best-of-both-worlds approach, as it allows the penetration tester to uncover most vulnerabilities accessible to bot an out- and insider. Choose a **Black-box Penetration Test** if you are main concern is about external threat actors.
+Opt for a **White-box Pentration Test** if you are prepared to provide the source code and configuration files to the penetration tester, or if the application is open-source, as it effectively simulates threats that have or had access to the source code. Select a **Gray-box Penetration Test** for a best-of-both-worlds approach, as it allows the penetration tester to uncover most vulnerabilities accessible to both an out- and insider. Choose a **Black-box Penetration Test** if you are main concern is about external threat actors.
 
 ### Do I need to set up a staging environment, and where do you test?
 
 We usually conduct tests in the staging environment and advise against testing in the production environment to minimize the risk of operational disruptions or collateral damage. Having said that, testing in staging is discouraged if it doesn’t accurately reflect the production environment or lacks representative data, as this will provide less value from a security perspective.
 
-### Can we implement significant system changes during the penetration test?
+### Can major system changes be made during the penetration test?
 
 We advise against implementing significant system changes during the penetration test. While pushing small changes is acceptable, we recommend maintaining a stable environment throughout the engagement to ensure the accuracy and reliability of the testing process.
 
@@ -26,12 +26,12 @@ Technical background, certifications, communication skills. Evaluate a penetrati
 
 ### What are the lead times for a penetration test?
 
-The average time from contract signing to the start of the penetration test is a few days if you are rush, extending up to 1 week during busier periods.
+The time from when we sign the contract to the start of the penetration test is usually a few days if there’s a rush, but it can be up to a week during peak times.
 
-### What happens if no vulnerabilities were discovered during the engagement?
+### What are the consequences of 0 discovered vulnerabilities?
 
 Although such engagements are highly unlikely, the outcome depends on the engagement scope and business size. For a startup with over 10 employees and a Gray-box penetration test, vulnerabilities are typically found, especially if it’s the first test. If the scope is limited or the application security is strong, there can be no vulnerabilities, but the tester should explain their methods, failures, and challenges.
 
 ### Do I share the penetration test report with customers?
 
-You may share the penetration test report if you choose, but we provide a document designed specifically for this purpose. At Oneleet, we offer a Letter of Attestation, which provides a high-level overview of the penetration test, including the tester’s profile and the overall risk score or number of findings. We recommend the Letter of Attestation to be shared with stakeholders.
+You may share the penetration test report if you will, but we provide a document designed specifically for this purpose. At Oneleet, we offer a Letter of Attestation, which provides a high-level overview of the penetration test, including the tester’s profile and the overall risk score or number of findings. We recommend the Letter of Attestation to be shared with stakeholders.