Vulnerability Management

PMAP for Pentest and Consulting Firms

By PMAP Security Team · 15 min read

A penetration testing firm does not run one engagement. It runs a portfolio. In any given week there is a retest closing for one client, a kickoff scoping for another, a framework agreement burning down man-days on a third, and a subcontractor waiting to be looped into a fourth. The technical work, the actual testing, is only part of the job. The rest is operational. Who is engaged on this project. How many days are left on the agreement. Which deliverable went to which client. Whether the firm’s CREST scope is still valid before the next bid.

Most firms run that operational layer in spreadsheets, shared drives, and email threads. PMAP is built to run it in one place. This article walks through how PMAP models a consulting firm’s day-to-day work, from the engagement container down to qualification tracking and client deliverable sharing. Every behavior described here comes from how the platform actually works, grounded in its project and consulting-firm domains.

If you are evaluating the category more broadly, start with the pillar on security assessment management. If you want the deep mechanics of putting several firms on a single piece of work, the cluster on running a multi-firm pentest project covers that ground in detail. This page stays on the firm operations lens.

The Operational Reality of a Pentest Firm

A consulting firm sells time and expertise against a defined scope. The unit of work is the engagement. Every engagement has a client, a boundary, a budget, a team, and an output. When each of those lives in a different tool, coordination becomes the bottleneck rather than the testing.

PMAP treats the engagement as a first-class container. In the project domain a project represents a bounded assessment effort. That can be a penetration test, a vulnerability scan campaign, or a recurring security review. The project is scoped to one customer company and owned by one or more consulting firms. Crucially, every finding, every scan, every assessment run, and every piece of evidence in the platform lives inside a project. There is no orphaned finding floating in a shared inbox. The container holds the work.

This matters for a firm because it collapses several disconnected systems into one. The scope definition, the team roster, the commercial agreement, the activity history, and the deliverables all attach to the same record. When a client asks where things stand, the answer is one screen rather than a reconciliation exercise across tools.

One Container Per Engagement

Start with the project itself. PMAP gives you full create, read, update, and delete control over assessment projects, with multi-tenant scope enforcement applied on every operation. A project carries a name, a description, a project_type, and a status, so a firm can classify a web application test differently from an external network assessment or an annual review and filter on those classifications later.

Scope is where a pentest container earns its keep. PMAP defines scope three ways, and each mode is managed independently. You can pin individual assets to the engagement. You can pin whole asset groups when the client wants a logical segment tested as a unit. You can add attribute-based selectors that match assets by type, tag, or label, so a rule like “every asset tagged external-facing” pulls the right targets into scope without manual maintenance. A selector even reports how many assets it matched and how many it did not, which gives a tester a quick sanity check that the boundary is what the statement of work says it is.
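The three scope modes and the per-selector match count are easy to get wrong when you build or audit them, so here is a small Python sketch of the resolution logic. It is an added example, not PMAP's code, and it assumes a few things the text does not state: selector criteria are ANDed within one selector, the three modes are unioned, a pinned id that is not in the inventory is dropped rather than invented, and "unmatched" means inventory assets the selector did not hit. The inventory and group membership below are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Asset:
    asset_id: str
    asset_type: str
    tags: frozenset = frozenset()
    labels: dict = field(default_factory=dict)  # key -> value, e.g. {"owner": "payments"}


@dataclass(frozen=True)
class Selector:
    """Attribute-based selector. Every criterion that is set must hold (assumed AND)."""
    asset_type: Optional[str] = None
    tag: Optional[str] = None
    label: Optional[tuple] = None  # (key, value)

    def matches(self, asset: Asset) -> bool:
        if self.asset_type is not None and asset.asset_type != self.asset_type:
            return False
        if self.tag is not None and self.tag not in asset.tags:
            return False
        if self.label is not None:
            key, value = self.label
            if asset.labels.get(key) != value:
                return False
        return True


def resolve_scope(inventory, pinned_assets=(), pinned_groups=(), selectors=(), group_members=None):
    """Union of the three scope modes, plus a matched/unmatched report per selector."""
    group_members = group_members or {}
    known = {a.asset_id for a in inventory}
    in_scope = set()
    # Mode 1: individually pinned assets. Ids absent from the inventory are dropped,
    # so a stale id cannot silently widen the boundary (assumption).
    in_scope.update(i for i in pinned_assets if i in known)
    # Mode 2: whole asset groups tested as a unit.
    for group in pinned_groups:
        in_scope.update(i for i in group_members.get(group, ()) if i in known)
    # Mode 3: attribute selectors. Each reports its hit count so a tester can compare
    # the rule's reach against the statement of work before anything is touched.
    report = []
    for sel in selectors:
        hits = [a.asset_id for a in inventory if sel.matches(a)]
        in_scope.update(hits)
        report.append({"selector": sel, "matched": len(hits), "unmatched": len(inventory) - len(hits)})
    return sorted(in_scope), report


# Constructed sample inventory; not real data.
INVENTORY = [
    Asset("web-01", "web", frozenset({"external-facing", "prod"})),
    Asset("web-02", "web", frozenset({"internal"})),
    Asset("vpn-01", "network", frozenset({"external-facing"})),
    Asset("db-01", "database", frozenset({"internal"}), {"owner": "payments"}),
    Asset("api-01", "web", frozenset({"external-facing"}), {"owner": "payments"}),
]
GROUPS = {"payments-segment": ["db-01", "api-01"]}


def external_only():
    """The 'every asset tagged external-facing' rule from the text."""
    return resolve_scope(INVENTORY, selectors=[Selector(tag="external-facing")])


def mixed_scope():
    """All three modes at once, including a selector too narrow to add anything new."""
    return resolve_scope(
        INVENTORY,
        pinned_assets=["web-02", "does-not-exist"],
        pinned_groups=["payments-segment"],
        selectors=[Selector(tag="external-facing"),
                   Selector(asset_type="web", label=("owner", "payments"))],
        group_members=GROUPS,
    )


if __name__ == "__main__":
    scope, report = mixed_scope()
    print("in scope:", scope)
    for r in report:
        print(r["selector"], "matched", r["matched"], "unmatched", r["unmatched"])
```

The sanity check the text describes is the `matched` number: if the statement of work says "three external hosts" and the selector reports five, the boundary is wrong before the first packet is sent.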

There is a guard against the most common data-entry mistake too. Creating a project with a name that already exists for the same company is rejected as a conflict, so two coordinators cannot accidentally spin up duplicate containers for the same client work.

The filtered project list ties the portfolio together. A firm can filter by company, by consulting firm, by framework agreement, by project type, by status, and by free-text search, then sort and page through the result. That same filtered view exports to CSV or XLSX, carrying name, company, firm, type, status, man-days, and date range. A practice lead who needs a portfolio snapshot for a Monday standup pulls it in one click rather than rebuilding a tracker.

Many Firms on One Project

Real engagements are rarely a single firm. A prime contractor brings in a specialist for the hardware portion. A client insists on an independent QA reviewer. A subcontractor handles the social engineering scope while the prime runs the network test. PMAP models this directly instead of forcing one firm to pretend it owns everything.

Multi-firm engagement management lets you assign multiple consulting firms to one project, each with its own role. The role values are primary, secondary, subcontractor, auditor, and qa. That vocabulary maps cleanly onto how delivery actually splits up. The prime is primary. The independent reviewer is auditor or qa. The specialist you brought in is a subcontractor. Each firm linked to the project also carries its own man-day allocation and its own date range, so the platform records not just who is involved but how much of the budget and which window belongs to each party.

The system keeps this clean with two simple rules. A given firm cannot be linked to the same project twice, and a missing role defaults to secondary rather than failing the operation, while an outright invalid role is rejected as bad input. The result is a roster you can defend to a client or an auditor without footnotes.

Roles, Allocations and Date Ranges

Under the hood each firm engagement is a ProjectFirm record. It holds the firm’s role on the project, the man-days allocated to that firm, the start and end of that firm’s involvement, an active flag, and a reference to the relevant framework agreement. You manage these through dedicated endpoints to list the firms on a project, add a firm with a role and man-day count, update an existing engagement when dates or allocation shift, and unlink a firm when its part is done.

This is the difference between a tool that knows a project has “some firms” and one that knows exactly who is doing what, for how long, and against which contract. When a subcontractor’s window closes or a QA reviewer rotates off, the record reflects it. The portfolio stays honest.

Framework Agreements and Man-Day Budgets

Consulting work usually sits under a commercial umbrella. A framework agreement defines the relationship between a client and a firm, often capped at a pool of man-days that successive projects draw down. Losing track of that pool is how firms end up either over-delivering for free or scrambling at quarter end to explain a budget that already ran dry.

PMAP links a project to a framework_agreement and enforces the relationship at write time. The agreement’s company must match the project’s company, and if the project names a consulting firm, the agreement’s firm must match too. A mismatch is rejected before the bad link is ever saved, so you cannot accidentally bill an engagement against the wrong client’s contract.

Budget tracking is automatic. Each project records planned man-days and actual man-days. Whenever a project is created, updated, or deleted against an agreement, the agreement’s used_man_days total is recalculated synchronously in the same request. The burn-down stays current without a nightly job or a manual tally. A practice lead always sees how much of the pool remains.

There is even a guardrail for a specific contract shape. When an agreement is project_based, meaning it is meant to cover a single project, and a second project is attached to it, PMAP returns a non-blocking warning alongside the successful response. The operation still completes, because sometimes that is genuinely what you intend, but the platform flags the unusual case so a coordinator can confirm rather than discover the overrun later.
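The write-time rules described in the last few sections (duplicate project names rejected, a firm linked at most once per project, missing firm role defaulting to secondary, invalid role rejected, company and firm match enforced on agreement linkage, synchronous burn-down recalculation, and the non-blocking project_based warning) fit in one small model. The Python below is an added illustration, not PMAP's implementation or API. Assumptions not in the text: used_man_days is derived from each linked project's planned man-days, the warning is returned as a list alongside the successful result, and all identifiers and numbers are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

FIRM_ROLES = {"primary", "secondary", "subcontractor", "auditor", "qa"}


class ValidationError(ValueError):
    """Bad input: rejected before anything is written."""


class Conflict(ValueError):
    """Duplicate record: rejected before anything is written."""


@dataclass
class FrameworkAgreement:
    agreement_id: str
    company_id: str
    firm_id: str
    total_man_days: int
    project_based: bool = False
    used_man_days: int = 0  # always derived, never set by hand


@dataclass
class Project:
    project_id: str
    name: str
    company_id: str
    firm_id: Optional[str]  # owning firm, if the project names one
    planned_man_days: int
    framework_agreement: Optional[str] = None
    firms: dict = field(default_factory=dict)  # firm_id -> {"role", "man_days"}


class Portfolio:
    def __init__(self):
        self.agreements = {}
        self.projects = {}

    def create_project(self, project: Project) -> Project:
        if any(p.company_id == project.company_id and p.name == project.name
               for p in self.projects.values()):
            raise Conflict(f"project {project.name!r} already exists for {project.company_id}")
        self.projects[project.project_id] = project
        return project

    def delete_project(self, project_id: str) -> None:
        project = self.projects.pop(project_id)
        if project.framework_agreement:
            self._recalculate(self.agreements[project.framework_agreement])

    def add_firm(self, project: Project, firm_id: str, role: Optional[str] = None, man_days: int = 0):
        if firm_id in project.firms:
            raise Conflict(f"{firm_id} is already linked to {project.project_id}")
        role = "secondary" if role is None else role  # missing role defaults, invalid is rejected
        if role not in FIRM_ROLES:
            raise ValidationError(f"invalid firm role {role!r}")
        project.firms[firm_id] = {"role": role, "man_days": man_days}
        return project.firms[firm_id]

    def link_agreement(self, project: Project, agreement_id: str) -> list:
        ag = self.agreements.get(agreement_id)
        if ag is None:
            raise ValidationError(f"unknown agreement {agreement_id}")
        if ag.company_id != project.company_id:
            raise ValidationError("agreement company does not match project company")
        if project.firm_id is not None and ag.firm_id != project.firm_id:
            raise ValidationError("agreement firm does not match project firm")
        project.framework_agreement = agreement_id
        warnings = []
        linked = [p for p in self.projects.values() if p.framework_agreement == agreement_id]
        if ag.project_based and len(linked) > 1:
            # Non-blocking: the link is saved, the coordinator is told.
            warnings.append(f"{agreement_id} is project_based but now carries {len(linked)} projects")
        self._recalculate(ag)  # synchronous, same request
        return warnings

    def _recalculate(self, ag: FrameworkAgreement) -> None:
        ag.used_man_days = sum(p.planned_man_days for p in self.projects.values()
                               if p.framework_agreement == ag.agreement_id)

    def remaining(self, agreement_id: str) -> int:
        ag = self.agreements[agreement_id]
        return ag.total_man_days - ag.used_man_days


def raises(exc, fn, *args) -> bool:
    """True if fn(*args) raises exc; lets a caller check a rejection without try/except."""
    try:
        fn(*args)
    except exc:
        return True
    return False


def demo() -> dict:
    """Constructed walkthrough: two agreements, four projects, one deletion."""
    pf = Portfolio()
    pf.agreements["FA-1"] = FrameworkAgreement("FA-1", "acme", "firm-a", 40)
    pf.agreements["FA-2"] = FrameworkAgreement("FA-2", "acme", "firm-a", 10, project_based=True)
    p1 = pf.create_project(Project("P-1", "Q1 external test", "acme", "firm-a", 15))
    p2 = pf.create_project(Project("P-2", "Q2 web app test", "acme", "firm-a", 12))
    p3 = pf.create_project(Project("P-3", "PCI review", "acme", "firm-a", 4))
    p4 = pf.create_project(Project("P-4", "PCI retest", "acme", "firm-a", 3))
    pf.add_firm(p1, "firm-a", "primary", 10)
    pf.add_firm(p1, "firm-b", None, 5)  # no role given: lands as secondary
    warnings = []
    warnings += pf.link_agreement(p1, "FA-1")
    warnings += pf.link_agreement(p2, "FA-1")
    warnings += pf.link_agreement(p3, "FA-2")
    warnings += pf.link_agreement(p4, "FA-2")  # second project on a project_based agreement
    pf.delete_project("P-4")  # burn-down is recalculated on delete as well
    return {
        "fa1_used": pf.agreements["FA-1"].used_man_days,
        "fa1_remaining": pf.remaining("FA-1"),
        "fa2_used": pf.agreements["FA-2"].used_man_days,
        "firm_b_role": p1.firms["firm-b"]["role"],
        "warnings": warnings,
    }


if __name__ == "__main__":
    print(demo())
```

The point of putting the checks in the write path, as the text describes, is that a wrong link never exists long enough to be billed against; the only thing that survives a bad request is an error, and the only thing that survives an unusual but legal one is a warning the coordinator can act on.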

Tracking Tester Membership and Roles

A firm’s people matter as much as its partner firms. PMAP manages project members with four roles: lead, tester, reviewer, and observer. The lead owns delivery. Testers do the work. A reviewer provides a second set of eyes. An observer, often a client-side security manager, watches without editing. If someone is added with a role value that is not recognized, the platform quietly normalizes it to tester rather than blocking the add, which keeps onboarding friction low. Note the asymmetry with firm roles, where an invalid value is rejected: a mistyped observer role lands as tester, which can edit, so verify the stored role after adding anyone who is meant to be read-only.

For the individual consultant there is a “My Projects” view. It returns every project that the authenticated user is a member of, across all companies, along with their role and finding counts on each. A tester who works three clients in a week does not hunt through three separate spaces. One screen lists their engagements with the open-finding count beside each. Platform administrators have the equivalent view for any user, which makes capacity questions and coverage gaps answerable rather than guessed.

The Firm Directory and Contact Book

Behind every engagement is the question of who the firms actually are. PMAP maintains a global directory of external consulting and penetration-testing vendors. A consulting firm here is a named, platform-wide master-data record. The directory is deliberately cross-tenant, which means a firm that appears on several different clients’ framework agreements is one consistently maintained record rather than a scatter of per-tenant duplicates. Update the firm once and every engagement that references it sees the change.

Each firm record carries a contact book. There is a primary contact and a secondary contact, each with name, email, and phone, plus the firm’s website and free-text notes. When a project lead is setting up an engagement and needs to reach the right person at a partner firm, the detail is on the firm’s profile rather than buried in someone’s inbox. An is_active flag soft-disables a firm without deleting its history, so a vendor you are not currently using drops out of the active list but its record and qualifications survive.

Finding a firm is a substring search across the firm name, the email, and the contact name. For a directory that grows over years of partnerships, that beats scrolling. The whole catalog also exports to CSV or XLSX with the active filters respected, which is exactly what a procurement or compliance team asks for when they need the current vendor list.

One operational note worth understanding. Maintaining the catalog is restricted. Creating, editing, and deleting firm records is platform-administrator work, because the catalog is shared master data across every tenant. Reading the directory, browsing firms and their qualifications, is available to anyone with project visibility. That split keeps the shared catalog consistent while still letting every project lead see what they need when scoping work.

Qualification Tracking Before You Engage

This is the part that turns a directory into a governance tool. Before a firm tests a regulated client, someone has to confirm the firm actually holds the certifications the contract requires. CREST. CHECK. ISO 27001. In most firms that confirmation is an email forward of a certificate PDF that nobody can find six months later.

PMAP tracks qualifications as structured records on the firm. Each qualification has a scheme, which is the certification itself, plus a level or class, a scope, an issuer, and a validity window with a start and end date. A firm’s profile shows its certifications as a panel, so the question “is this firm CREST-qualified for the scope we need” has an on-screen answer.

The lifecycle matters as much as the record. Every qualification carries a status of active, expired, or pending_renewal, alongside its valid_from and valid_until dates. That three-state model is the difference between knowing a firm was once certified and knowing whether its certification is good right now. When a qualification is approaching its validity end, marking it pending_renewal signals the gap before it becomes a compliance problem on a live bid. For background on what these schemes actually attest to, the CREST certification scheme publishes the standards behind the accreditations many clients require.
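The question "is this firm CREST-qualified for the scope we need" has two parts that are easy to conflate: what the record says, and whether the validity window actually covers the engagement. The Python below is an added example of that check, not PMAP's code. It assumes (beyond the text) that a record still marked active after its valid_until should be treated as expired, that coverage means the certificate's window contains the whole engagement window, and that a renewal watch should only list active records not yet flagged pending_renewal. The qualifications, dates and issuer names are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

STATUSES = {"active", "expired", "pending_renewal"}


@dataclass(frozen=True)
class Qualification:
    scheme: str        # the certification itself, e.g. "CREST"
    level: str         # level or class within the scheme
    scope: str         # what the certificate covers
    issuer: str
    status: str        # active | expired | pending_renewal, as recorded
    valid_from: date
    valid_until: date


def effective_status(q: Qualification, on: date) -> str:
    """Recorded status reconciled with the validity window on a given day.
    Assumption: a record still marked active after valid_until is stale and counts as expired."""
    if q.status not in STATUSES:
        raise ValueError(f"unknown status {q.status!r}")
    if on > q.valid_until:
        return "expired"
    return q.status


def covering(quals, scheme: str, scope: str, start: date, end: date):
    """Qualifications of the given scheme and scope that are active at the start of the
    engagement and whose window contains the whole engagement [start, end]."""
    return [q for q in quals
            if q.scheme == scheme and q.scope == scope
            and effective_status(q, start) == "active"
            and q.valid_from <= start and end <= q.valid_until]


def renewal_watch(quals, on: date, horizon_days: int = 90):
    """Active qualifications that lapse within the horizon and are not yet flagged pending_renewal."""
    limit = on + timedelta(days=horizon_days)
    return [q for q in quals if effective_status(q, on) == "active" and q.valid_until <= limit]


# Constructed records for one fictional firm; issuers and dates are made up.
FIRM_QUALS = [
    Qualification("CREST", "member", "penetration-testing", "CREST", "active",
                  date(2024, 1, 1), date(2026, 6, 30)),
    # Recorded as active but the window closed months ago: the stale case.
    Qualification("CHECK", "green-light", "it-health-check", "NCSC", "active",
                  date(2023, 1, 1), date(2025, 3, 31)),
    Qualification("ISO 27001", "certified", "isms", "accredited-cb", "pending_renewal",
                  date(2023, 5, 1), date(2026, 4, 30)),
]


def check_engagement() -> dict:
    on = date(2025, 9, 1)
    return {
        "crest_covers_q4": [q.level for q in covering(
            FIRM_QUALS, "CREST", "penetration-testing", date(2025, 10, 1), date(2025, 12, 15))],
        # Engagement runs past valid_until: active today is not good enough.
        "crest_covers_next_summer": [q.level for q in covering(
            FIRM_QUALS, "CREST", "penetration-testing", date(2026, 6, 1), date(2026, 7, 15))],
        "check_status": effective_status(FIRM_QUALS[1], on),
        "renewals_due_within_year": [q.scheme for q in renewal_watch(FIRM_QUALS, on, 365)],
    }


if __name__ == "__main__":
    print(check_engagement())
```

Two things the example makes explicit that a status column alone does not: a certificate that is valid on the kickoff date but lapses mid-engagement is a gap, and a record nobody updated after its end date still reads "active" until something checks the dates.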

For a firm that competes for regulated work, this is procurement evidence ready on demand. The full firm catalog export, qualifications included, is the artifact a compliance reviewer asks for. You produce it from the platform rather than assembling it under deadline.

Vendor Performance You Can Defend

Qualifications tell you a firm is allowed to do the work. Performance tells you how well it actually does. When a prime contractor manages subcontractors, or a client wants to compare two firms on a panel, opinion is not enough. PMAP turns delivery into measured fact.

The analytics layer produces a vendor performance scorecard. It tracks the metrics that describe how a firm delivers: closure rate, mean time to remediate, retest pass rate, and SLA breach rate. Closure rate shows how much of what was found actually got driven to resolution. Mean time to remediate shows how long that took. Retest pass rate shows whether fixes held when verified. SLA breach rate shows whether the firm worked within the agreed clock.
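Those four metrics are only defensible if the definitions are pinned down, so here is an added Python example of computing them from a findings list, grouped per firm. It is not PMAP's analytics code. Assumptions beyond the text: closure rate is closed findings over all findings, mean time to remediate is averaged over closed findings only, retest pass rate is pass verdicts over all retest verdicts, and an open finding already past its SLA deadline counts as breached now rather than only once it closes. Findings, firms and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Finding:
    finding_id: str
    firm_id: str               # firm whose delivery this finding counts toward
    severity: str
    found_at: datetime
    sla_days: int              # agreed remediation clock for this severity
    closed_at: Optional[datetime] = None
    retests: tuple = ()        # chronological retest verdicts: "pass" | "fail"


def scorecard(findings, now: datetime) -> dict:
    """Closure rate, MTTR (days), retest pass rate and SLA breach rate for one set of findings."""
    if not findings:
        return {"closure_rate": None, "mttr_days": None, "retest_pass_rate": None, "sla_breach_rate": None}
    closed = [f for f in findings if f.closed_at is not None]
    mttr = mean((f.closed_at - f.found_at).total_seconds() / 86400 for f in closed) if closed else None
    verdicts = [v for f in findings for v in f.retests]
    retest_pass = verdicts.count("pass") / len(verdicts) if verdicts else None

    def breached(f: Finding) -> bool:
        deadline = f.found_at + timedelta(days=f.sla_days)
        # Assumption: an open finding past its deadline is a breach today, not a future one.
        return (f.closed_at or now) > deadline

    return {
        "closure_rate": len(closed) / len(findings),
        "mttr_days": mttr,
        "retest_pass_rate": retest_pass,
        "sla_breach_rate": sum(breached(f) for f in findings) / len(findings),
    }


def scorecard_by_firm(findings, now: datetime) -> dict:
    """One scorecard per firm, for comparing subcontractors or panel members."""
    firms = sorted({f.firm_id for f in findings})
    return {firm: scorecard([f for f in findings if f.firm_id == firm], now) for firm in firms}


# Constructed findings across two fictional firms.
FINDINGS = [
    Finding("F-1", "firm-a", "critical", datetime(2025, 6, 1), 7, datetime(2025, 6, 5), ("pass",)),
    Finding("F-2", "firm-a", "high", datetime(2025, 6, 1), 30, datetime(2025, 7, 11), ("fail", "pass")),
    Finding("F-3", "firm-a", "medium", datetime(2025, 7, 15), 30),            # open, past deadline
    Finding("F-4", "firm-b", "high", datetime(2025, 6, 20), 30, None, ("fail", "fail")),
]
NOW = datetime(2025, 9, 1)


def portfolio_scorecard() -> dict:
    return scorecard(FINDINGS, NOW)


def per_firm_scorecard() -> dict:
    return scorecard_by_firm(FINDINGS, NOW)


if __name__ == "__main__":
    print(portfolio_scorecard())
    for firm, card in per_firm_scorecard().items():
        print(firm, card)
```

Whether open-but-overdue findings count as breaches is the decision that moves the SLA number most; state it in the engagement terms so a subcontractor cannot dispute the scorecard after the fact.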

For a firm managing a portfolio, this works two ways. Against subcontractors, it is oversight. You can see whether the specialist you brought in is closing the loop or leaving findings open. Toward your own clients, it is a defensible record of delivery. When a client asks why they should renew, you answer with retest pass rates and closure metrics rather than assurances. The numbers come from the same findings the work already produced, so there is no separate reporting effort to maintain. The data is a byproduct of doing the engagement in the platform.

Deliverables and the Wave Timeline

An engagement ends in a deliverable. The report, the evidence pack, the retest letter. PMAP keeps those outputs attached to the work that produced them rather than scattered across drives.

Project files are uploaded against a project, and the consulting-firm directory surfaces a deliverables view that lists the project-file deliverables attributable to a firm. That gives a consolidated picture of the output artifacts a given vendor has produced across engagements, which is precisely what you want when a client asks for everything a particular firm delivered, or when you are assembling a track record for a renewal.

Inside a single project the picture is even richer. PMAP aggregates finding evidence across the whole engagement. A dedicated evidence view returns every finding attachment across the project’s findings, each enriched with the finding’s title and severity. A tester assembling a report does not chase attachments finding by finding. The evidence is collected in one place, labeled and ranked.

The wave timeline pulls the testing narrative together over time. PMAP renders a chronological view of scan waves, and each wave shows its finding deltas: what is new, what is persisting, what was resolved, and what reopened, broken down by severity. Assessment runs that have no scan attached are surfaced separately so manual testing is not lost in an automated view. For a recurring engagement or a test-and-retest cycle, the timeline is the story of progress. It shows a client not just the final state but the trajectory, which is far more convincing than a single point-in-time count.
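The four deltas are a diff over consecutive waves, with one subtlety: "reopened" needs memory of every earlier wave, not just the previous one. The Python below is an added example of that computation, not PMAP's timeline code. It assumes a finding is identified across waves by a fingerprint of (asset, check) and that a run whose scan is None is a manual assessment run to be listed beside the timeline rather than in it; the runs and severities are constructed.

```python
from collections import Counter


def split_runs(runs):
    """Runs carrying a scan become timeline waves; runs with no scan are surfaced separately
    so manual testing is not buried in an automated view."""
    waves = [(r["run_id"], r["scan"]) for r in runs if r.get("scan") is not None]
    manual = [r["run_id"] for r in runs if r.get("scan") is None]
    return waves, manual


def wave_deltas(waves):
    """waves: chronological list of (wave_id, {fingerprint: severity}).
    Returns one entry per wave with new/persisting/resolved/reopened counts by severity."""
    seen_before = set()  # every fingerprint observed in any earlier wave
    previous = {}
    timeline = []
    for wave_id, current in waves:
        buckets = {k: Counter() for k in ("new", "persisting", "resolved", "reopened")}
        for fp, sev in current.items():
            if fp in previous:
                buckets["persisting"][sev] += 1
            elif fp in seen_before:
                buckets["reopened"][sev] += 1  # absent last wave, seen earlier, back now
            else:
                buckets["new"][sev] += 1
        for fp, sev in previous.items():
            if fp not in current:
                buckets["resolved"][sev] += 1  # severity taken from the wave it was last seen in
        timeline.append((wave_id, {k: dict(v) for k, v in buckets.items()}))
        seen_before.update(current)
        previous = current
    return timeline


# Constructed runs for one engagement; fingerprints are (asset, check) tuples.
RUNS = [
    {"run_id": "run-1", "scan": {
        ("web-01", "sqli-login"): "high",
        ("web-01", "tls-weak-cipher"): "medium",
        ("vpn-01", "ike-aggressive"): "low",
    }},
    {"run_id": "run-manual-1", "scan": None},  # manual business-logic review, no scan attached
    {"run_id": "run-2", "scan": {
        ("web-01", "sqli-login"): "high",
        ("vpn-01", "ike-aggressive"): "low",
        ("api-01", "idor-orders"): "critical",
    }},
    {"run_id": "run-3", "scan": {
        ("web-01", "sqli-login"): "high",
        ("web-01", "tls-weak-cipher"): "medium",  # fixed in run-2, back in run-3
        ("api-01", "idor-orders"): "critical",
    }},
]


def engagement_timeline():
    waves, manual = split_runs(RUNS)
    return wave_deltas(waves), manual


if __name__ == "__main__":
    timeline, manual = engagement_timeline()
    for wave_id, delta in timeline:
        print(wave_id, delta)
    print("manual runs:", manual)
```

The reopened bucket is what makes the timeline more honest than a point-in-time count: a medium that was "resolved" in wave 2 and is back in wave 3 is a regression story, and a flat open-findings number would hide it.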

When delivery is done and the client needs the output, secure sharing matters as much as the document itself. The reporting side of PMAP is built so a client can receive a deliverable without holding a platform login, which keeps the handover clean and access controlled. For the wider methodology behind structuring a thorough assessment, the OWASP Web Security Testing Guide and the Penetration Testing Execution Standard remain the reference points many firms scope their work against, and NIST SP 800-115 frames the technical testing process at a standards level.

How PMAP Runs a Firm’s Whole Portfolio

Step back and the pieces connect into one operating model for a consulting firm. The project is the container, and every finding, scan, and piece of evidence lives inside it. Multiple firms attach to that container with explicit roles, allocations, and date ranges, so collaboration is recorded rather than improvised. The framework agreement sits above the project, validated at write time and recalculated on every change, so the budget never drifts out of sight. Members carry roles, and every consultant has a single view of their own work across clients.

Around that, the firm directory holds the master data. Contacts so you can reach a partner. Qualifications so you can prove a firm is fit to engage. Performance metrics so you can defend how it delivered. Deliverables and the wave timeline so the output and the trajectory are both captured against the work that produced them.

The throughline is that the operational layer of a consulting practice, the part that usually lives in spreadsheets and email, becomes structured data inside the platform that already holds the technical work. Ingest the scans, correlate the findings inside the right container, triage and assign across the firm’s people, and drive remediation to a deliverable. The same record that a tester works in is the record a practice lead reports from and a compliance reviewer audits.

That is what it means to run a portfolio rather than chase one. To see the engagement and assessment model in full, read the pillar on security assessment management, and for the mechanics of layering several firms onto one piece of work, the multi-firm pentest project cluster goes deeper than this overview.

Download the assessment and engagement datasheet and run your next client project in PMAP.
