Ongoing offensive security capability for an international retailer
About the organisation
An international retail organisation with 22,000 employees, 450 stores across 6 countries and an e-commerce platform processing 15 million transactions per year. PCI DSS Level 1 certified. Annual budget of 800,000 euros for offensive security assessments.
The Challenge
The retailer outsourced 12-15 offensive security assessments annually to a changing set of suppliers. This led to three problems: inconsistent quality (some pentest reports were unusable), lack of continuity (the environment had to be explained to each new supplier), and high procurement overhead (12 separate tenders per year, each run through the full procurement process). The CISO estimated that 30% of the offensive security budget was lost to this inefficiency.
Additionally, the organisation had specific needs that were difficult to fulfil: PCI DSS-focused pentests for the payment platform, red teaming for the supply chain (warehouse management systems), mobile app security testing for the customer app with 3 million users, and social engineering assessments for store employees. No single supplier could cover this full spectrum with consistently high quality.
Our Solution
MVPartners acted as single point of contact for all offensive security needs. We curated a network of 4 specialised boutique offensive security firms, each selected for their specific expertise: a PCI DSS pentest specialist, a red team firm with supply chain experience, a mobile security testing bureau, and a social engineering specialist.
The MVPartners model works as follows: the CISO communicates a single scope and schedule to MVPartners; we match the right partner to each assignment, manage quality through our review standards, and consolidate all reports into a uniform format. Additionally, we introduced a continuous testing model: instead of 12 separate assessments, the partners conduct ongoing tests based on an annual plan, aligned with the development team's release cycles.
Results
- From 12 separate tenders to 1 ongoing contract with 4 validated partners
- Consistent reporting quality: standardised CVSS scoring and a uniform report format across all partners
- Procurement overhead reduced by 85%, with tenders down from 12 to 1 per year
- Average lead time from scope request to pentest start decreased from 6 weeks to 5 working days
- Vulnerability remediation rate increased from 64% to 91% thanks to improved reporting
“Thanks to MVPartners, we always have access to the right offensive security expertise, without having to recruit or tender ourselves. Our CVSS remediation rate has increased from 64% to 91% — that says everything about the quality improvement.”
What the team says
“The continuous testing model was a game-changer. Our developers now receive feedback during the sprint, not 6 weeks later when the code is already running in production.”
“The social engineering assessments were eye-opening. MVPartners selected a firm that physically visited our stores and gained access to the warehouse through tailgating. We had never done those kinds of tests before.”