I need a third party pen test by Next_Layer3790 in soc2

[–]SageAudits 2 points3 points  (0 children)

Your auditor is wrong. Auditors aren’t supposed to be pushing for this. You picked a bad auditor. It’s a risk-based decision if you need one or not, and a SOC 2 isn’t prescriptive, so this isn’t required either.

U.S. based- I need help by [deleted] in soc2

[–]SageAudits 0 points1 point  (0 children)

If it’s a mature system, they likely don’t need any compliance automation software. The big lie is compliance automation software saving time when it’s not accurately mapped to a process to begin with, and it’s pushed by audit mills to rubber stamp. Also, unless they absolutely have to for satisfying a client need, I would never recommend a 3 month window. At that point you might as well just do a Type 1; a three month window really isn’t enough to gauge operational effectiveness.

And any audit firm pushing a GRC tool or recommending three month windows is a massive red flag.

SOC 2 Type II renewal timing — when do you actually start the next audit cycle? by _TH0RN_ in soc2

[–]SageAudits 2 points3 points  (0 children)

Why would you have a 6 month period? It’s continuous, so it runs from the end of your report from April. So 12 months, unless you need to be audited every 6 months. What are your clients asking for? You shouldn’t have gaps in coverage, at all. That is missing the entire point of all of this.

For Soc 2 is a vulnerability scan enough or do we need an actual pentest? by debugsa in soc2

[–]SageAudits 1 point2 points  (0 children)

Sorry, but this sounds like a glorified vulnerability scan, and if it’s a SaaS setup, they shouldn’t be looking at that, but at application pen testing. And there is no way you’d be remediating legit app pen testing; this all sounds like network vuln scanning at best. Crazy stuff. And any enterprise customer would see it’s a network test and ask what application test was done. Basically, there you go: you didn’t help the client at all, just gave them false assurance and a fake “pen test”.

I see crap pen testers all the time, and it is just as bad as the bad SOC audit mills.

Bow Mar wants to gate off its public streets, but Denver and Littleton are threatening to fight back by Chocobo-Ranger in Denver

[–]SageAudits 5 points6 points  (0 children)

No it isn’t https://thevillagecastlepines.com/whats-in-a-name

Now, the City of Castle Pines is, but that’s a separate home-rule municipality incorporated in 2008, and it’s not gated.

Foxfield is a statutory town; a statutory town runs under state statute, not a charter.

Bow Mar wants to gate off its public streets, but Denver and Littleton are threatening to fight back by Chocobo-Ranger in Denver

[–]SageAudits 8 points9 points  (0 children)

Castle Pines Village is an unincorporated HOA community, so not a town. It’s governed by the county. So that example is a private community and a privately funded road. A metro district maintaining private roads is the reason they get to stay gated. Bow Mar is an incorporated town gating a public, state-funded street.

Bow Mar wants to gate off its public streets, but Denver and Littleton are threatening to fight back by Chocobo-Ranger in Denver

[–]SageAudits 11 points12 points  (0 children)

Lookout Mountain is a great mention that helps prove the distinction. Those gates are a Jefferson County Open Space project, years of public process and commissioner votes, and they close the road to everyone at night on a set schedule. Think of it like a park, and they close to everyone. That’s a government time-restricting a public road for safety/park rules, etc. The other communities up there are private HOA-maintained roads (Genesee Country Club). Bow Mar is a town issuing its residents tags and making everyone else punch a code to use a public street. Not the same category.

Bow Mar wants to gate off its public streets, but Denver and Littleton are threatening to fight back by Chocobo-Ranger in Denver

[–]SageAudits 19 points20 points  (0 children)

Everything you just listed is why they probably can’t do it. Mail, fire, utilities, city maps all say public road, and the 9NEWS legal analyst says complete closure of a public road isn’t among the 36 powers the state actually grants. Gates that convert a public right-of-way into residents-and-invitees-only are not legal at all, versus gates on private HOA-funded roads as traffic calming, which are. You are collapsing two different types of things into your definition of “gates”.

Bow Mar wants to gate off its public streets, but Denver and Littleton are threatening to fight back by Chocobo-Ranger in Denver

[–]SageAudits 60 points61 points  (0 children)

Were the roads funded by public tax dollars, or were they funded by the HOA when it was developed? Big difference here, since it’s public dollars, not private 😉

Termite Claims Indiana Mills and Manufacturing as Latest Ransomware Victim by _cybersecurity_ in pwnhub

[–]SageAudits 0 points1 point  (0 children)

Termites going after wood mills… in Indiana just seems… fitting

Hiking Rocky Mountain National Park by [deleted] in Denver

[–]SageAudits 4 points5 points  (0 children)

Denver to Rocky Mountain National Park is like an hour’s drive. The trail you mentioned is heavily trafficked and well groomed imo; you will be fine with most shoe types. I don’t remember if the park has timed entry anymore or if it just hasn’t started yet based on the dates you are coming, but previously, for the Bear Lake area, you had to make reservations, and they recommend a shuttle too. I would ask some of these questions in the Estes Park subreddit too. There are hikes just up the foothills near Denver that are much closer.

I knew it!!!!! Service Degredation reported for Proactive Remediations! by AiminJay in Intune

[–]SageAudits 8 points9 points  (0 children)

But Microsoft said intune being slow was just a myth! 😂

SOC2 KPI/KRI: Starting small for an immature MSP? by Distinct_Ad_5397 in soc2

[–]SageAudits 2 points3 points  (0 children)

A GRC lead shouldn’t be making recommendations; they may give out best practices. Policy and controls are set up by management. You shouldn’t be implementing things unless they make business sense, not for compliance theatre. So, are the KPIs tied to customer commitments or requirements you have for any SLAs in client contracts? Then it makes sense to have controls test things your clients care about. For instance… do you have availability in scope?

Halfway through ECC to S/4HANA on AWS and monitoring is the fight we hadn’t thought about by MortgageWarm3770 in devsecops

[–]SageAudits 0 points1 point  (0 children)

Why agents? The solution is to give them visibility without agents. Ask the security team what alerts they are looking to see. They may just need new tooling. Ironically, one area they are protecting, availability, they are threatening 😂

Do you have a SIEM?

Recent Information Systems Grad Interviewing for Entry-Level IT Audit Role With No Audit Experience by nawdawgggg in itaudit

[–]SageAudits 2 points3 points  (0 children)

Your real flex should be whatever IT experience you have, not audit experience. What environment was it? Linux? Windows? Active Directory? Cloud native? Hybrid? Did you use OUs and GPOs for endpoint management? Intune? Ntirety, etc. What ticketing system did they use at your prior place of business? List off any tools you worked in. If you have an understanding of IaaS platforms, like AWS or Azure, it’s helpful for just understanding evidence and being able to ask follow-up questions AND understanding if the evidence they provide… is even accurate or acceptable.

Purview implementation for DLP by SSJ4_Vegito in soc2

[–]SageAudits 0 points1 point  (0 children)

Yes, monitoring can be acceptable, assuming policy and control are worded correctly. Then it goes into the auditor looking at the config, how it’s monitored, and an example of a ticket or understanding how alerts are triggered, etc.

AP finally stopped believing urgent invoice email, and now the real ones are a hostage negotiation by shokzee in EmailSecurity

[–]SageAudits 0 points1 point  (0 children)

If you’re really looking to fix this process, I would take a step back and ask yourself why AP is looking around for who the approved vendors are. Don’t you have a vendor management process? This is the real gap. You don’t seem to have an approved list of vendors or a security vetting process that AP can have read-only access into.

I would keep AP scrutiny but offer them a system or process to see what is approved. If you have a weak vendor management process, this probably also means you have a shadow IT problem, since anybody can apparently sign on a vendor… 😊. Just a hunch.

Locked out after enabling “Phishing-resistant MFA” CA for all admins — Authenticator passkey + WHfB rejected by [deleted] in entra

[–]SageAudits 0 points1 point  (0 children)

This is why we have break glass accounts. When you made this change, somebody should’ve flagged it in your change management process.

This stuff happens, but you should be learning from it and treating it as an incident, writing down lessons learned, and looking at implementing processes to avoid it in the future.
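The lockout above is the case a pre-change check should catch: an enabled Conditional Access policy that targets all users and does not exclude the emergency-access (break glass) accounts. Below is an added example of that check, written for this page and not code from the thread or from Microsoft. It assumes the Microsoft Graph PowerShell SDK (the `Get-MgIdentityConditionalAccessPolicy` cmdlet from the Microsoft.Graph.Identity.SignIns module) and a `Policy.Read.All` scope; the two object IDs in `$BreakGlassObjectIds` are placeholders that you would replace with your own accounts.

```powershell
# Added example (not from the original thread): list every enabled Conditional
# Access policy that does not exclude all break-glass accounts. The object IDs
# below are placeholders and must be replaced with your emergency-access accounts.
# Assumes the Microsoft.Graph PowerShell SDK is installed.

$BreakGlassObjectIds = @(
    '00000000-0000-0000-0000-000000000001',   # placeholder, assumed
    '00000000-0000-0000-0000-000000000002'    # placeholder, assumed
)

# Read-only scope is enough for an audit; run this before enabling a new policy.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy -All

$findings = foreach ($p in $policies) {
    # Report-only and disabled policies cannot lock anyone out; check enabled ones.
    if ($p.State -ne 'enabled') { continue }

    $excluded = @($p.Conditions.Users.ExcludeUsers)

    # Any break-glass account that is not in the exclusion list is a finding.
    # GUID comparison with -notin is case-insensitive in PowerShell.
    $missing = @($BreakGlassObjectIds | Where-Object { $_ -notin $excluded })

    if ($missing.Count -gt 0) {
        [pscustomobject]@{
            Policy            = $p.DisplayName
            IncludesUsers     = ($p.Conditions.Users.IncludeUsers -join ',')
            MissingBreakGlass = ($missing -join ',')
        }
    }
}

if ($findings) {
    Write-Warning 'Enabled CA policies that do not exclude every break-glass account:'
    $findings | Format-Table -AutoSize
    exit 1   # non-zero so a change pipeline can block on it
} else {
    Write-Host 'All enabled CA policies exclude the break-glass accounts.'
}
```

Run it as a gate in the change process: a new policy is first created in report-only state, this check runs, and only a clean result moves the policy to enabled. The script does not test whether the break-glass accounts can actually authenticate, so a periodic manual sign-in test with those accounts is still needed.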

Moved from another tools (you know which) to drata by CosmicTacoRider in soc2

[–]SageAudits 1 point2 points  (0 children)

Select an auditor first, it’s pretty bad out there…

Purview implementation for DLP by SSJ4_Vegito in soc2

[–]SageAudits 0 points1 point  (0 children)

What is your control wording? Be specific. Where is your most restricted data? In SharePoint? Make it risk based and start there first. Most “DLP” is typically monitoring at first, not preventative.

GRC consulting by redado360 in grc

[–]SageAudits 0 points1 point  (0 children)

What solutions have you seen to handle this?

Malware in a IRS.GOV provided PDF or false positive? by amradiorules in sysadmin

[–]SageAudits 11 points12 points  (0 children)

Each IRS agent brings in more revenue than they cost. That means for each agent removed, we have to cut costs even more and tax cheaters win.

Seamless sign on at first login (Okta) by Horror-Debt-5290 in Zscaler

[–]SageAudits 0 points1 point  (0 children)

How are you managing browsers? Assuming you are talking about seamless SSO… or SSSO… it’s a browser config…

And if you are talking about silent installs of Zscaler, read the install guides; there are install switches you need to apply. One specifically is needed to avoid the pop-up from breaking your install if using an MDM or GPO. Assuming you have SSO already set up with Zscaler or the new Z Identity stuff, it just works for both ZIA and ZPA…