# Process Map & Key Process Interactions (ISO 9001:4.4)

Document ID: BD-QMS-PROCESSMAP-001
Version: 1.0
Effective Date: 2026-03-17

## Process Classification
BeDefended's QMS consists of three process categories:
- Core (Value-Adding) Processes — Directly deliver customer value
- Supporting Processes — Enable core processes to function
- Management Processes — Oversee the entire QMS
## Core Process: Penetration Testing Lifecycle

```text
┌────────────────────────────────────────┐
│ Core Process: Full PT Engagement Cycle │
└────────────────────────────────────────┘
        │
        ├─► Phase 0: Intake & Authorization
        │     • Customer intake form
        │     • Scope definition
        │     • Rules of engagement
        │     • Resource planning
        │
        ├─► Phase 1: Reconnaissance
        │     • Passive recon (DNS, WHOIS, SSL)
        │     • Active recon (IP enumeration, ports)
        │     • Technology stack identification
        │     • Output: context.json
        │
        ├─► Phase 2: Discovery
        │     • Content discovery (crawl, fuzz)
        │     • API enumeration
        │     • JavaScript analysis
        │     • Parameter mapping
        │     • Output: app-map.json
        │
        ├─► Phase 3: Automated Scanning
        │     • Nuclei templates (CVE, exposure, misconfig)
        │     • Nikto scanning
        │     • TLS/SSL assessment
        │     • SAST scanning (code)
        │     • Output: Finding-NNN.md files
        │
        ├─► Phase 4: Manual Testing (17 Skills)
        │     • Test-injection
        │     • Test-auth
        │     • Test-access (IDOR, priv esc)
        │     • Test-ssrf
        │     • Test-logic
        │     • Test-client (CSRF, XSS, CORS)
        │     • Test-infra (smuggling, cache poison)
        │     • Test-api (GraphQL, protobuf, mass assignment)
        │     • Test-crypto (TLS, key strength)
        │     • Test-deser (Java, PHP, Python, Ruby)
        │     • Test-advanced (HPP, redirect, MFA bypass)
        │     • Test-supply-chain (dependency vulns, SRI)
        │     • Test-exceptions (debug mode, stack traces)
        │     • Test-cloud (S3, GCS, subdomain takeover)
        │     • Output: Finding-NNN.md, evidence files
        │
        ├─► Phase 5: Verification & Validation
        │     • PoC recreation (each finding)
        │     • False positive removal
        │     • CVSS 4.0 scoring + validation
        │     • Severity peer review
        │     • Output: Verified findings only
        │
        ├─► Phase 6: Report Generation & Delivery
        │     • Compliance framework mapping
        │     • DOCX generation + injection
        │     • Peer review (≥1 reviewer)
        │     • Client delivery
        │     • CSAT collection
        │     • Output: Final Report (DOCX)
        │
        └─► Post-Engagement
              • Evidence archival
              • Knowledge extraction
              • 30-day remediation check
              • 90-day CSAT follow-up
```
## Supporting Process: Quality Management

```text
┌───────────────────────────────────────┐
│ Supporting Process: Quality Assurance │
└───────────────────────────────────────┘
        │
        ├─► Peer Review
        │     • Before report delivery
        │     • Reviewer: independent QA lead or senior pentester
        │     • Checklist: accuracy, compliance mapping, formatting
        │     • Target: <3% defect rate
        │
        ├─► Finding Verification
        │     • Every finding has working PoC
        │     • Re-test methodology on random sample
        │     • FP detection (tool artifacts, misconfigurations)
        │     • Target: 99% accuracy
        │
        ├─► CSAT Monitoring
        │     • Post-engagement survey (7 days after delivery)
        │     • Trending: monthly average, quarterly review
        │     • Target: ≥4.5/5
        │
        ├─► Nonconformity Management
        │     • Document quality issues
        │     • Root cause analysis
        │     • Corrective action plan
        │     • Verification of effectiveness
        │
        └─► Internal Audits
              • Quarterly QMS audit
              • Process compliance verification
              • Control testing (scope, methodology, delivery)
```
## Supporting Process: Resource Management

```text
┌──────────────────────────────────────────────────────┐
│ Supporting Process: Resource & Competence Management │
└──────────────────────────────────────────────────────┘
        │
        ├─► Tool & Lab Management
        │     • Tool procurement & updates (Dependabot)
        │     • Lab environment setup
        │     • Vulnerable application hosting
        │     • Documentation & training
        │
        ├─► Personnel Competence
        │     • Certification tracking (CEH, OSCP, CISSP)
        │     • Annual security awareness training
        │     • Role-specific training (new tools, techniques)
        │     • Internal knowledge sharing (4+ sessions/year)
        │     • Target: 100% current certifications
        │
        ├─► Schedule & Resource Planning
        │     • Engagement booking (timeline, team assignment)
        │     • Resource conflict detection
        │     • On-time delivery tracking
        │     • Workload balancing
        │
        └─► Vendor Management
              • Third-party tool evaluation
              • Security assessment of vendors (Stripe, SendGrid, GitHub)
              • Contract management
              • SLA tracking
```
## Management Process: Policy & Governance

```text
┌─────────────────────────────────────────────────────────────┐
│ Management Process: QMS Leadership & Continuous Improvement │
└─────────────────────────────────────────────────────────────┘
        │
        ├─► Quality Policy Maintenance
        │     • Annual policy review
        │     • Process documentation updates
        │     • Communication to all staff
        │
        ├─► Quality Objectives Setting
        │     • Annual objective definition (8 objectives)
        │     • Quarterly review & adjustment
        │     • Owner assignment & accountability
        │     • Target: 100% achievement
        │
        ├─► Management Review
        │     • Quarterly review meeting
        │     • QMS effectiveness evaluation
        │     • KPI trending & analysis
        │     • Process improvement identification
        │     • Action item assignment & tracking
        │
        ├─► Risk Management
        │     • Annual risk assessment
        │     • Ad-hoc risk reviews (process failures, incidents)
        │     • Mitigation planning
        │     • Residual risk acceptance
        │
        ├─► Improvement Program
        │     • Identify improvement opportunities (audits, CSAT, incidents)
        │     • Prioritize improvements (impact, effort, risk)
        │     • Execute improvements (plan, implement, verify)
        │     • Document & communicate results
        │     • Target: ≥12 improvements/year
        │
        └─► Compliance & Certification
              • ISO 9001 internal audit
              • Regulatory compliance (GDPR, HIPAA, SOC 2)
              • Certification maintenance (ISO 9001 audit readiness)
              • External audit participation
```
## Process Interactions & Data Flow

Stages run top to bottom: each stage's output is the input to the next, and the stakeholder inputs listed below join the flow at that stage.

| Stakeholder Inputs | Process Execution | Outputs to Stakeholders |
|---|---|---|
| Client Scope, Authorization, Rules of Engagement | Intake & Auth (Phase 0) | Engagement Kickoff, Rules of Engagement |
| Scope Data | Recon → Discovery → Scanning (Phases 1-3) | Feeds Manual Testing |
| Evidence | Manual Testing (Phase 4, 17 skills) | Feeds Verification & Validation |
| Findings | Verification & Validation (Phase 5) | Verified Findings, PoC Evidence, Risk Scores |
| Peer Review | Report Gen & Delivery (Phase 6) | Final Report (DOCX), Compliance Mapping, Archive Files |
| Client Feedback | Post-Engagement & Follow-Up | CSAT Data, Knowledge Extracted |
## Process Performance Metrics (KPIs)
| Process | Key Metric | Target | Frequency | Owner |
|---|---|---|---|---|
| Intake | Scope clarity (0 client disputes) | 100% clear | Per engagement | Engagement Mgr |
| Recon | Asset discovery completeness | ≥85% | Per engagement | Lead Pentester |
| Discovery | Endpoint coverage | ≥85% | Per engagement | Lead Pentester |
| Scanning | False positive rate (nuclei) | <5% | Monthly | QA Lead |
| Manual Testing | Finding verification success | 99% | Per finding | QA Lead |
| Verification | PoC reproducibility | 100% | Per finding | QA Lead |
| Report Gen | Peer review pass rate | ≥95% | Per report | QA Lead |
| Delivery | On-time delivery rate | 100% | Monthly | Engagement Mgr |
| Post-Eng | CSAT score | ≥4.5/5 | Monthly | Client Success |
## Process Documentation Hierarchy

```text
Level 1: This Process Map (overview)
        ↓
Level 2: Detailed Procedures
        • 01-Intake-Procedure.md
        • 02-Testing-Phases-1to6.md
        • 03-Finding-Verification-Procedure.md
        • 04-Report-Generation-Procedure.md
        • 05-Quality-Review-Procedure.md
        • 06-Change-Management-Procedure.md
        ↓
Level 3: Work Instructions
        • WI-01-Nuclei-Scanning.md
        • WI-02-Manual-SQL-Injection.md
        • WI-03-IDOR-Testing.md
        • WI-04-Report-Template-Compliance.md
        ↓
Level 4: Records & Evidence
        • Engagement contracts
        • Testing evidence (screenshots, HTTP traffic)
        • CSAT survey responses
        • Audit logs
        • Nonconformity reports
```
## Review & Approval
| Role | Signature | Date |
|---|---|---|
| Quality Manager | _____ | 2026-03-17 |
| Process Owners | _____ | 2026-03-17 |
Review Schedule: Annually or when significant process changes occur
Next Review: 2027-03-17
Status: Approved

Document Control
- Owner: Quality Manager
- Last Updated: 2026-03-17