Case Study: How JB Poindexter’s CISO Traded Quarterly Pentests for Continuous Validation

When CISO John Barrow set out to modernize the company's offensive testing program, he wasn't looking for another compliance exercise. He wanted validation that would hold up in his actual environment, against the vulnerabilities attackers could actually exploit.

Novee Marketing


JB Poindexter & Co. is one of the largest truck body manufacturers in North America, supplying major fleets like Ryder, UPS, and FedEx out of Houston, Texas. When CISO John Barrow set out to modernize the company’s offensive testing program, he wasn’t looking for another compliance exercise. He wanted validation that would hold up in his actual environment, against the vulnerabilities attackers could actually exploit.

We sat down with John to hear why he partnered with Novee, and what’s changed since.

The limitations of point-in-time pentests

John’s team had cycled through the usual upgrades: annual pentests, then quarterly ones. The cadence improved, but the output didn’t.

“With our previous tools, it was more of a checkbox. They would provide reports, but a lot of times the findings included in the report weren’t really critical. They were very informational and didn’t really provide a whole lot of value.”

The team needed a tool that delivered value by demonstrating real, exploitable risk rather than informational findings.

“I really wanted to invest in a technology that was providing real value, and showing not only just vulnerabilities, but vulnerabilities that can be exploited in my environment.”

A critical finding on day one

During the Novee POC, John’s team saw results immediately.

“When we first met with the Novee team, we did a POC and the first thing I noticed was it was really easy to implement. It took the length of a 30-min onboarding call to get started. When they enabled the POC, they immediately found vulnerabilities and issues in our environment that were complete blind spots previously, that other pentests hadn’t discovered.”

One of those findings landed on the first day:

“On day one, they found a cross-site scripting vulnerability which would allow an attacker to essentially compromise someone’s account or website. There was a real business impact from what they found, because we weren’t aware that we had some of the vulnerabilities on our external-facing websites.”

The Novee platform went on to show exactly how an attacker would exploit each finding, and paired every vulnerability with specific, actionable remediation guidance.

“Novee actually showed us, not just that there were vulnerabilities, but how they would be exploited by an attacker, which is extremely helpful.”

From snapshot to continuous signal

For John and his team, pentests used to be events – ceremonial and quickly outdated. With Novee, they became an ongoing process.

“Previously when we did a pentest, we didn’t get alerted or anything — it was a snapshot in time. With Novee being continuous, they do alert us when they find vulnerabilities that are exploitable.”

John’s team designed the rollout to match the realities of a manufacturing environment. They scoped testing by business unit and network segment to minimize operational impact, and worked through remediation in phases.

“It’s not just, ‘hey, we ran your pentest, here’s your report, okay, see you again in three months.’ We’re actually working together, which is awesome. The relationship with Novee has been a true partnership, with constant communication and active collaboration.”

Continuous communication, continuous risk validation, continuous remediation

“Previously, our pentests took weeks and constantly missed critical vulnerabilities. With Novee, they immediately discovered these critical vulnerabilities and provided instant remediation guidance. The relationship with Novee has been a true partnership with constant communication and active collaboration.”

See for yourself the continuous offensive and defensive cybersecurity platform that validates real exploitability and automatically retests fixes. Get a demo.
