It sounds like you're suggesting that pen testers by default will not reveal discovered vulnerabilities with clients.
Then you talk about "discovered and revealed vulnerabilities". But, your first sentence talks about "discovered vulnerabilities not revealed".
What you may be wanting is a honeypot, where a pentest client intentionally puts some vulnerabilities of various exploit difficulty into the clone environment to ensure pentesters are doing their job.
> It sounds like you're suggesting that pen testers by default will not reveal discovered vulnerabilities with clients.
How so? Presumably most pen testers are working in good faith. But, if there is a malicious actor in their midst, that individual would not disclose any vulnerabilities they intend to exploit, no. What would be the point? That's just a really good way to get caught.
> Then you talk about "discovered and revealed vulnerabilities".
Yes, that's right. While it is theoretically possible for all your pen testers to be working together maliciously, if you are careful in your employment practices you can make this highly unlikely.
As such, if your data shows that 100% of all known vulnerabilities were independently discovered by multiple testers, then there is reasonable confidence that any malicious actor's failure to disclose a vulnerability will still be reported by someone else.
But if that figure is less than 100%, and especially if it is considerably less than 100%, then there is much more doubt cast on another pen tester in your organization's ability to find the same vulnerability. Here you have a problem.
You don't need to be, but there are some big advantages:
1. You get to test the flaws in an environment where nobody will raise an eyebrow. If you go straight for the production system, it is likely your early attempts will visibly show up in the logs.
2. You get paid to carry out malicious deeds. That's a double win.
Why do you think it would be silly to take the job?
The second two sentences read like excellent reasons why you should take the job (even if they are just a repeat what I already said in different words).
Then what do you need pen testers for? With an offer like that, any threats to your system will come work for you instead.
The reality is that you don't get paid well if the data is worthless. You only get paid well when the data is worth orders of magnitude more than what you're being offered. If you are inclined to break that law, that's a pretty nice carrot dangling there.
If you are so inclined, why wouldn't you take the job and report the not so crafty exploits to bring in the sweet, sweet paycheque and use the really juicy exploit to also go after the even sweeter data? It's a total win-win situation...
...unless you get caught, but if you are so inclined that's not exactly on your radar.
My claim is that people tend not to do crime if there's a very well-paid alternative, and I think I have pretty good empirical backing on that one. Also, our data is probably not worth that much. We do pen testing so we don't get popped and leak our customers data, likely losing some of our customer base (even if it isn't worth much, not having it leaked is); because soc2 essentially demands it; and because smart customers care more about pentests done by good firms than soc2.
Then you talk about "discovered and revealed vulnerabilities". But, your first sentence talks about "discovered vulnerabilities not revealed".
What you may be wanting is a honeypot, where a pentest client intentionally puts some vulnerabilities of various exploit difficulty into the clone environment to ensure pentesters are doing their job.