When a company hires us for an offensive security exercise, it's common that, in the days beforehand, the IT team starts applying patches, removing old access, and reviewing configurations so everything is in the best possible shape by the time of the assessment. Although the intention is understandable, this approach is not always the right one.


An offensive security exercise is meant to evaluate the real state of the organization and reflect the level of security it operates with day to day. Making rushed changes before the assessment can hide vulnerabilities that would still be present under normal conditions, reducing the value of the exercise.


Instead of focusing on fixing problems at the last minute, it's more important to prepare what's needed for the assessment to run in an orderly way and deliver representative results.


Below, we'll go over the main points worth having ready.

Define the scope and the objectives

Before starting the exercise, define in writing which assets will be evaluated and which will be out of scope, such as domains, applications, IP ranges, accounts, and environments.


Having a clearly defined scope avoids misunderstandings and lets the assessment focus on the assets that matter most to the organization.


It's also important to set the objectives from the start. Evaluating the exposure of external services is not the same as analyzing the impact of an attacker with initial access to the internal network.

Have the access and information ready

If the assessment requires credentials, test accounts, or access to a specific environment, try to have them available before it begins.


Delaying the delivery of access reduces the effective time of the assessment.

It's advisable to have:

  • Test accounts with the agreed permissions.
  • Relevant documentation, such as architecture diagrams, endpoints, and environments.
  • A contact channel to resolve questions or grant access during the exercise.

Inform the right people

Define who within the organization will be aware of the exercise and who won't. Informing the right people keeps the assessment team's activity from being interpreted as a real incident and triggering unnecessary procedures.


At the same time, keeping the rest of the organization unaware allows a more representative view of how it responds to suspicious activity.

Avoid last-minute changes

Applying patches, changing configurations, or removing access right before the assessment can distort the results, since the exercise will end up reflecting an environment different from the one that runs day to day.


If you spot something you want to fix, note it down and raise it with the assessment team. It can be reviewed during the exercise and fixed afterward, with a clearer picture of your real level of exposure.

The most important part: managing the findings

The value of an offensive security exercise lies not in the report itself, but in the actions taken based on its results. Before starting, it's worth defining how findings will be received, prioritized, and remediated, as well as who will be responsible for each stage.


In practice, this tends to be the most neglected phase. It's common to find organizations that receive relevant findings but take no concrete action to resolve them. The report is filed away, the vulnerabilities stay open, and over time the follow-up is lost. An offensive security exercise does not reduce risk on its own; its purpose is to identify it and make it visible.


Risk is reduced when findings are prioritized, fixed, and then verified to confirm the measures put in place are effective. To make this easier, it helps to define from the start:

  • Who will be responsible for reviewing and prioritizing the findings.
  • The remediation timelines based on the criticality of each vulnerability.
  • The process for validating the fixes, ideally through a re-test.
  • A point of contact to coordinate the follow-up during and after the assessment.

Cybersecurity is not only about running a periodic assessment, but about managing the risks you find and following up on remediation.


At Quarancle, every finding is recorded in real time inside the portal, including its severity, evidence, and reproduction steps. You can also request a re-test of the fixed vulnerabilities, making it easier to follow up on and validate the remediations.