Structure

By adhering to a structured testing approach, HackerOne aims to deliver consistent, high-quality pentest results tailored to the unique security requirements of our customers. The five key components of our pentest approach are explained below:

Team Composition	One Lead Pentester leads every pentest. Up to four additional pentesters may be included in the team, depending on the scope and requirements.
Pentest Tiers	Pentests are categorized into two distinct tiers: the Essential and the Premium. Each tier has unique responsibilities, ensuring a tailored approach to different security needs.
Duration and Effort	All pentests, regardless of their size or tier, are designed to run over two calendar weeks (14 days). Every pentester involved is expected to commit a total of forty hours of effort during this period.
Retesting Phase	Following the main testing phase, a retesting window opens. Pentesters assigned will be responsible for conducting retests during this period. The duration of the retesting window is contingent upon the assessment tier chosen.
Peer Review	Collaboration is paramount to ensure consistency across each engagement. At the end of each engagement, pentesters must review and provide feedback on their teammates' contributions, ensuring continuous improvement and cohesion within the team.

Pentest Engagement Process

1. Pre-Testing Phase

	Scoping	Setup
Customer Tasks	Create and save scoping drafts. Collaborate seamlessly with team members.	Upon approval, quickly start the pentest setup on HackerOne, addressing key questions. Tailor your pentest workflows using platform integrations, triggers, and APIs.
HackerOne Tasks	We evaluate your assets to accurately determine the needed pentest size. We provide a customized quote tailored to your specific pentest requirements.	With prepped assets and set pentester rewards, most tests can begin within days.
Duration	48 hours to 7 business days

2. Testing Phase

	Pentest Kickoff & Staffing		Testing & Real-time Results
Customer Tasks	Select “request to launch” in the platform.		Remain updated throughout the testing phase. Expect consistent Slack updates from testers, regardless of vulnerability detection.
HackerOne Tasks	A Technical Engagement Manager (TEM) arranges a kickoff call to manage credentials and testing environment setup. The most qualified pentest team is staffed and automatically scheduled.	After this kick-off call, HackerOne needs as little as three working days to source the pentest team, after which testing can begin.	Any detected vulnerabilities will be promptly displayed in your HackerOne platform inbox.
Duration	30 Minutes	Up to 3 Days	2 Weeks Testing Slack updates every 3-5 days

3. Post-testing Phase

	Reporting	Remediation and Retesting	Repeat
Customer Tasks	Shortly after testing concludes, you'll be notified. You can then securely download your comprehensive report via the HackerOne platform.	Use the final report to address identified vulnerabilities. Locate the relevant ticket in your Hackerone inbox and initiate a retest through the action bar.	Effortlessly transition pentest findings to your continuous security testing programs. Use the cloning feature to simplify and duplicate pentests, reducing manual entries. Analyze the pentest findings in your dashboards to determine where best to run your next pentest.
HackerOne Tasks	Your dedicated TEM offers a debrief call post-testing. Discuss findings and potential remediation steps during the call.		TEMs assist customers in optimizing and improving long-term pentesting programs.
Duration	Final report in 3-5 Business Days After Testing	30-90 Days for Retesting	Ongoing

Scoping

The scoping of a pentest serves two functions: to identify the target of the test and to calculate the size of the test. The output of scoping is:

The technical scope of the test: The assets and user roles to be tested
The size of the test: How many people/hours and what type of skills are needed to complete the test to a high-quality standard
A commercial quotation: How much this will cost

The target of the test is the set of digital assets that will be assessed in the 2 week testing period by the pentesting team. The type of asset determines the checks that must be completed, the pentester skill requirements, and the tier (essentials or premium). For example, when an Android mobile application is added to a HackerOne Pentest scope, the Android security checklist is added, pentesters are selected with skills and tools needed to audit Android applications, and the test will be defined as a premium test to reflect the increased complexity of testing (over a simple web application).

The size of the test is the number of hours needed to achieve coverage of the test targets. The size is calculated from the type of asset and qualities such as the number of functions that an application performs and the number of user roles.

Size

There are five different units of measurement we use to define various pentest sizes that HackerOne offers. These sizes are calculated based on the testing hours needed per pentest, depending on the scope.

All pentesters, including Leads, are expected to spend forty (40) hours of effort across all pentest sizes. Pentests are named based on the number of hours the assessment requires for the whole team and are referred to as the following:

Pentest Size	Description	# of Lead Pentesters	# of Supporting Pentester(s)
P40	Lead pentester performs all of the work by themselves.	1	-
P80	Lead pentester and a supporting pentester share the work.	1	1
P120	Lead pentester and 2 supporting pentesters share the work.	1	2
P160	Lead pentester and 3 supporting pentesters share the work.	1	3
P200	Lead pentester and 4 supporting pentesters share the work.	1	4
>P200	Contact your dedicated pentest team for custom sizing tailored to larger environments and multiple tests.

ℹ️ Of course, most organizations will be developing and maintaining multiple systems, and therefore, will need multiple tests. This is addressed with a consumption contract. A set number of hours are purchased, and these hours are deducted from the total during the contract period.

Pentester Roles and Responsibilities

Pentest Lead	Pentester
Main point of contact with the Customer and HackerOne staff Responds to all customer inquiries and questions within 1 business day Provides updates frequently (minimum of 4 updates required) Validates, performs QA, and de-duplicates all submissions from the pentesters before they are submitted Ensures all submissions are clear and optimized for the customer's understanding Leads the team, makes decisions about scope and testing focus, coordinates and delegates work where needed Performs testing and retesting Writes vulnerability reports and the summary report Completes checklists and/or assigns these to testers making sure these are completed.	Performs testing and retesting Updates the Lead about testing (minimum of 4 updates required) Shares and validates vulnerabilities with the Lead and the team before submission Writes Vulnerability reports Provides all the information required by the Lead (e.g. to answer customer questions) Completes checklists according to what the Lead assigns.
40 hours of individual pentest work

Tiers

Regardless of the size and scope, all pentests are categorized on the platform into two distinct tiers: Essential and Premium. There are several fundamental differences between these two tiers, which are detailed below.

Pentest Overview

Pentest as a Service (PTaaS): Enhanced Pentest Delivery

Pentest Deliverables

Your Pentest Team

Pentest FAQs