Penetration Test Scoping Call Prep
A plain-English walk-in kit for the meeting where Orchestral and the security vendor confirm assumptions, agree the rules, and lock the scope of the pen test behind HITRUST r2.
A job posting for ethical hackers
The original document is a Request for Quote. Orchestral sends it to security companies: here is our system, here is what to try to break, send us your price and approach. Several vendors reply with quotes, and Orchestral picks one.
Manual, not a scan
Skilled humans finding real attack paths, not just an automated tool's checklist.
Grey-box, authenticated
Testers get architecture docs and real logins at several privilege levels. Faster and deeper than starting blind.
Synthetic data only
They attack a clone of the real system loaded with fake patient data. No real patient is ever at risk.
HITRUST r2 is a safety inspection for companies that handle health data. It demands proof that an independent expert tried to hack you. This pen test produces that proof.
Seven components, in plain language
Keycloak
The bouncer that checks IDs. Fool it, get in as someone else.
Application Client API
The main front door for querying health data. The primary way to pull data out.
Big Data Query Service
The giant search engine over the data lake. Could be tricked into over-returning.
Product Portal & Data Catalogue
Customer site plus a catalogue of where data lives. A treasure map if it leaks.
File Object Service
The mailroom for large files. Unsafe file handling is a classic way in.
JupyterHub Sandbox
A notebook playground that runs code. User-supplied code is hard to contain, so sandbox escapes are the worry.
Inference Service
The AI model API. New surface: prompt abuse, data leakage.
Core, or comprehensive
Core Assessment
- Keycloak
- Application Client API
- Big Data Query Service
- Data Catalogue
- File Object Service
Comprehensive
- Everything in the Core Assessment (Option 1), plus:
- JupyterHub Sandbox
- Inference Service
If a vendor drifts here, that's a flag
- Denial-of-service, stress, or load testing
- Phishing, social engineering, physical security
- Real patient data or real PHI
- Third-party services Orchestral does not control
- The underlying AWS managed services themselves
- Destructive changes, malware, persistence
- Source-code review
- Broad cloud-architecture review
Six deliverables, one that the auditor wants
Executive summary
For leadership and HITRUST audit evidence.
Technical findings report
Vulnerabilities, evidence, reproduction, remediation.
CVSS severity ratings
The 0 to 10 industry score per finding.
Early Critical alerts
A call during testing, not only at the end.
Attestation letter
Confirms scope, dates, completion. The artifact your HITRUST assessor wants.
One round of retest
For Critical and High findings after you fix them.
Confirm the assumptions are true, agree the rules, and leave with three things. You are de-risking the engagement, not committing budget in the room.
Your gather-list
Run it in this order
Show them you've read the RFQ
- Are your testers OSCP or CREST certified, with healthcare, AWS, API and AI experience?
- What methodology do you map to: OWASP Top 10, OWASP API Security Top 10, WSTG?
- How fast do you notify us of Critical findings during testing?
- Is the retest included in this price or itemised separately?
- Can you share a redacted sample report for our HITRUST assessor?
- How do you handle evidence: storage, encryption, deletion?
If you hear these, slow down
Guard the evidence trail
- The attestation letter is the artifact your auditor cares about. File it with your HITRUST evidence.
- Critical and High findings must be remediated and retested. Don't let the retest line get dropped from the quote.
- Keep the pen-test scope consistent with the assessor's scope. AI in HITRUST scope but excluded here creates an evidence gap.
Confirm. Agree. Lock the scope.
Leave the call with a chosen scope, a start date, and your list of inputs. Protect the retest and the attestation letter. You'll be the most prepared person in the room.
Orchestral HIP · Internal prep · not for external distribution