Tiger Team Operations vs. Penetration Tests

June 30th, 2008

If you read Wikipedia’s definition of a tiger team, you get the following: “A tiger team is a specialized group tasked with testing the effectiveness of an organization’s ability to protect assets by attempting to circumvent, defeat or otherwise thwart that organization’s internal and external security.” Further down it says: “In the computer security field, the term is now obsolete, and more common terms are penetration testers or security testers. Security assessment testing of a computer system or network infrastructure is called penetration testing,” which I find very untrue.


There is a significant difference between a tiger team operation and a penetration test. They differ largely in terms of quality, pricing and also the time frame allocated to each project. Let’s have a look at these differences.

Quality

It is needless to say that tiger team operations will produce more quality, if quality is what you are after. Tiger team operations involve more than one expert in the information security field, and each expert specializes in, or is particularly good at, a different area from the rest of the participants. This adds a lot of value and works much better in the long term for companies and organizations that are interested in protecting their digital assets.

When a tiger team operation is established, there is a lot of brainstorming involved. This usually leads to greater input and therefore a much better job. Simply put, the more heads are thinking about the same problem, the more solutions you will get, and much more quality is delivered as a result.

Penetration tests, from what I can see of the market today, usually involve only one person. I must admit that I’ve seen penetration tests which consisted of more than one information security expert, but all of them specialized in the same field. As you can probably guess, this is not very good from a creative-input point of view, since all the experts will tackle the problem from the exact same angle. Therefore, the quality is much lower.

Pricing

Tiger team operations cost a lot more than penetration tests, because they involve several experts for a longer period of time, as you will see in the next section. A single tiger team operation may cost a lot of money, but at the end of the day you get what you pay for. You can buy jeans from the local market for 5-a, but if you want the quality stuff you might want to get the American denim, which will cost you a lot more.

In the UK, for example, anything less than £1000 per day for onsite work should tell you that the people testing you will run Nessus, and that is as far as their commitment to your situation goes. Still, many companies are doing exactly this. In some very rare situations you get good work for not much money, but this is very, very rare; probably you’ve hired a good startup company which does not yet know how much to charge you.

Time frames

Tiger team operations usually take more time than standard penetration tests. Why? Because they are custom tailored to the specific situation, and strategic planning is the key. On the plus side, you don’t have to follow the team’s progress at every single step; the quality and professionalism speak for themselves. So, in general, you get a better job done without investing your own time, which usually costs you money.

Penetration tests are very narrow in scope and can take as little as a single day. In some cases that is enough; in others it is just the start. But if it is a pentest, then what is done is done and that is all you get; otherwise you have to pay more, which may still not be enough, and which again takes up your time. As you can see, this is a mess.

Conclusion

I guess I am biased, being the leader of the only tiger team in the UK, but I wouldn’t have been part of such an initiative unless I believed in its values and qualities. There are many differences between the two types of service, and they fit different types of clients. Therefore, both of them serve different needs. It is up to the client to decide what they really need.