What should happen if evidence of a compromise is found during a PenTest?

When evidence of a compromise is discovered during a penetration test, the appropriate action is to notify the Incident Response Team. This immediate communication is critical for several reasons.

Firstly, identifying a compromise indicates a breach of security that could potentially affect the confidentiality, integrity, and availability of the organization's data and systems. The Incident Response Team is specially trained to handle such situations, ensuring that the breach is contained, investigated, and remedied according to established policies and procedures.

Secondly, involving the Incident Response Team allows for a more thorough investigation of the detected compromise. They can analyze the situation to understand the scope and impact of the incident, which may require coordination with other teams, such as IT, legal, and management, to effectively address the compromise.

Moreover, continuing with the penetration test without notifying the Incident Response Team could lead to further exposure of vulnerabilities or data, complicating the situation and potentially causing more significant damage. Additionally, creating a detailed report might be important later, but it would be premature to focus on documentation before addressing the immediate threats and vulnerabilities.

In summary, notifying the Incident Response Team is a vital step to ensure that any signs of compromise are effectively managed and mitigated, keeping the organization safe from further risk.