A full-length interview on manual, threat-model driven pentesting, fix verification, and how to get real security outcomes—not checkbox audits.
OWASP Executive Director Andrew van der Stock sat down with Abraham Aranguren (Managing Director, 7ASecurity) for a wide-ranging interview on what separates high-quality security audits from checkbox-style testing.
If you’ve ever received a pentest report full of tool output, unclear remediation, or no follow-through, this interview explains what a “quality pentest” should look like in practice.
Watch the full interview
Key takeaways for buyers of pentests and code audits
- Manual, researcher-led testing beats checkbox audits. The highest-impact issues are often in business logic and authorization: areas automated scanners consistently miss, because the responses look perfectly well-formed and only a tester who understands what each user should be allowed to do can tell that something was returned that should not have been.
- Every engagement should be aligned to the client’s threat model and priorities, not a generic checklist.
- A dedicated communication channel matters. We establish a channel before the audit begins, share interim findings during the engagement, and incorporate client feedback that can materially change severity and priorities.
- Fix verification is essential. Reporting issues is not enough—every engagement includes free fix verification to confirm fixes are effective and not bypassable.
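To make the two points above concrete, here is an added illustration (it is not code from the interview, from OWASP or from 7ASecurity, and all names, ticket data and endpoint paths are constructed for the example): a toy ticket-lookup handler in three states. The first authenticates but never authorizes, so any logged-in user can read any ticket by changing the id, yet every response is a clean 200 or 404 that a scanner has no reason to flag. The second is a plausible first "fix" that checks ownership of the id in the URL path but leaves a legacy `?id=` alias feeding the lookup unchecked. The third resolves the object once and authorizes that exact object before any read. The `verify_fix` function is the kind of check a fix-verification pass runs: it replays the original finding, then the bypass variants a tester would try, and accepts the fix only if every check passes.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data for the example (not real): tickets owned by two users.
TICKETS = {
    101: {"owner": "alice", "body": "alice's private note"},
    202: {"owner": "bob", "body": "bob's private note"},
}


@dataclass
class Request:
    user: Optional[str]                          # authenticated principal from the session; None if anonymous
    path: str                                    # e.g. "/tickets/101"
    params: dict = field(default_factory=dict)   # parsed query string


def _ticket_id(req):
    # Hypothetical legacy behaviour kept for old clients: ?id= overrides the path id.
    if "id" in req.params:
        return int(req.params["id"])
    return int(req.path.rsplit("/", 1)[1])


def get_ticket_vulnerable(req):
    """Authenticates but never authorizes: any logged-in user can read any ticket.
    Responses are well-formed 200/404, so nothing looks wrong to a scanner."""
    if req.user is None:
        return 401, None
    t = TICKETS.get(_ticket_id(req))
    return (200, t["body"]) if t else (404, None)


def get_ticket_naive_fix(req):
    """First remediation attempt: checks ownership of the id in the path only.
    The legacy ?id= alias still drives the actual lookup, unchecked."""
    if req.user is None:
        return 401, None
    path_t = TICKETS.get(int(req.path.rsplit("/", 1)[1]))
    if path_t is None or path_t["owner"] != req.user:
        return 403, None
    t = TICKETS.get(_ticket_id(req))   # bug: re-resolves the id, alias included
    return (200, t["body"]) if t else (404, None)


def get_ticket_hardened(req):
    """Resolve the object once, then authorize that exact object before any read.
    Missing and forbidden return the same 404 so the endpoint is not an enumeration oracle."""
    if req.user is None:
        return 401, None
    t = TICKETS.get(_ticket_id(req))
    if t is None or t["owner"] != req.user:
        return 404, None
    return 200, t["body"]


def verify_fix(handler):
    """Fix verification: replay the original finding, then the bypass variants.
    Returns named checks; see fix_accepted() for the overall verdict."""
    own = handler(Request("bob", "/tickets/202"))
    other = handler(Request("bob", "/tickets/101"))                   # the original finding
    alias = handler(Request("bob", "/tickets/202", {"id": "101"}))    # bypass via legacy alias
    anon = handler(Request(None, "/tickets/101"))
    return {
        "owner_still_works": own == (200, "bob's private note"),
        "original_finding_fixed": other[1] is None,
        "alias_bypass_blocked": alias[1] is None,
        "anonymous_rejected": anon == (401, None),
    }


def fix_accepted(handler):
    return all(verify_fix(handler).values())


if __name__ == "__main__":
    for name, handler in [("vulnerable", get_ticket_vulnerable),
                          ("naive fix", get_ticket_naive_fix),
                          ("hardened", get_ticket_hardened)]:
        print(f"{name:10} accepted={fix_accepted(handler)} {verify_fix(handler)}")
```

Run stand-alone, the script shows the naive fix closing the reported URL but still leaking Alice's ticket through the alias, which is exactly the outcome a verification pass that only re-requests the original URL would miss. The hardened handler passes because there is one place where the object is resolved and one authorization decision made on it, however the id arrived.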
Want a high-quality pentest or secure code audit?
Request a free consultation: https://7asecurity.com/
See public reports and research: https://7asecurity.com/publications
Note: 7ASecurity is an OWASP Platinum Corporate Supporter. OWASP® is a registered trademark of the OWASP Foundation. This interview does not constitute an endorsement of any product or service.