Guide

Planning a Pentest Project with Multi-Firm Engagement

About this guide

Scope a project across three modes, staff it with members and consulting firms, and govern man-days from a single auditable container.

This guide shows how to create a governed assessment project in PMAP that bounds scope, team, firms, timeline, and effort in one place. You will define scope in all three modes (individual asset pins, asset-group pins, and attribute-based selectors), add members with correct roles, engage multiple firms with distinct roles, and link a framework agreement so man-day consumption is validated and recalculated automatically on every change.

The Projects workspace: a server-driven grid, a collapsible filter rail, and the 10-tab project detail.

It is written for engagement leads and program owners who run external assessments across more than one consulting firm. By the end you can stand up a project with precise scope, assign members and firms as primary, secondary, subcontractor, auditor, and qa, verify qualifications, govern a per-project SLA, read the wave timeline, and confirm every action lands in the audit feed.

Inside this guide

  • Understand why a project carries three scope modes and five firm roles before you build one.
  • Create the project and link a framework agreement so effort is validated from the start.
  • Define scope precisely with individual assets, asset groups, and attribute selectors.
  • Add members with the right roles and engage primary, secondary, subcontractor, auditor, and qa firms.
  • Govern man-days against the linked agreement and set a per-project SLA policy.
  • Read the wave timeline and project evidence to see how the engagement unfolds.
  • Verify scope, team, firms, and the audit feed so nothing is left unaccounted.

Before you start

  • A PMAP account with project create and edit permissions in the customer company you will scope.
  • An active customer company, since creation is blocked for deactivated companies via the soft-pause gate.
  • Assets and asset groups already onboarded, so the scope editor has targets to pin and selectors to resolve.
  • The consulting firms you intend to engage present in the global directory, with their qualifications recorded.
  • For a linked agreement, one whose company and consulting firm match the project you are creating.
  • For firm catalog edits, a platform_admin role, while ordinary leads need only project:view to browse firms.
