At a glance
NEXT AI commissions an independent, third-party penetration test of its web application at least annually. The most recent engagement (Cacilian LLC, December 2024) concluded that the NEXT web application demonstrates a STRONG SECURITY POSTURE. A customer briefing note summarizing that engagement is available on request. Any findings are logged, tracked, and remediated under NEXT AI's vulnerability remediation SLAs.
What is tested
Scope: the production web application and its APIs, authentication and authorization flows, input handling and injection risks, server-side request behaviors, access controls, and other common web weaknesses. Testing is point-in-time: results reflect the application as deployed during the engagement window, not changes released afterward.
Methodology: based on the OWASP Web Security Testing Guide (WSTG), with coverage of the MITRE CWE Top 25 Most Dangerous Software Weaknesses, supplemented by the tester's own procedures.
How pentest findings are handled (SLA overview)
If a pentest identifies issues, NEXT AI logs each finding and tracks it to closure under remediation SLAs set by severity: Critical within 24 hours, High within 3 days, Medium within 1 month, Low on a best-efforts basis. Exceptions to these timelines require compensating controls and Security Officer approval; closing a finding requires validation of the fix and a deployment plan. Records are retained for 5 years.
Continuous security checks (complements to penetration testing)
Outside formal pentests, NEXT AI runs automated vulnerability scanning (e.g., Amazon Inspector) and tracks the resulting findings centrally. Scanners of this kind detect known vulnerabilities (CVEs) in operating system and software packages and unintended network exposure; they do not exercise application logic, authorization, or business-logic flaws, which is why they complement but do not replace the annual third-party pentest.
Standards & guidance: test design aligns with NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment).
FAQ
Q: How often does NEXT AI run penetration tests?
At least annually, performed by an independent third party. Additional engagements may be commissioned more often when risk warrants.
Q: Who performed the latest pentest and when?
Cacilian LLC, in December 2024. The engagement concluded that the application demonstrates a STRONG SECURITY POSTURE.
Q: Can customers see the results of pentests?
Yes. A customer briefing note from the latest pentest is available upon request.
Q: What methodologies guide the tests?
Tests follow the OWASP Web Security Testing Guide and consider the MITRE CWE Top 25 software weaknesses.
Q: How are issues prioritized and fixed?
NEXT AI applies documented remediation SLAs by severity (Critical 24h, High 3 days, Medium 1 month, Low best efforts), with validation of each fix and closure tracking. Exceptions require compensating controls and Security Officer approval.
Q: Does NEXT AI also run scanners during the year?
Yes. Automated scanning (e.g., Amazon Inspector) complements manual pentesting, and its findings feed the same remediation workflow and SLAs.
Q: Does pentesting cover APIs as well as the web app?
Yes. Application APIs and authentication/authorization flows are in scope for the web-application pentests.
Q: What standard frames your testing approach?
The overall approach aligns with NIST SP 800-115 for technical security testing and assessment.