Discord Auditing

Some Questions to Review Before Hiring an Auditor

Things to ask your Discord Auditor before hiring them (Feel free to add on things if you think I missed anything!)

#1: Will they change things for you? Some auditors will only do a call with you. This can take longer, and result in a worse audit.

#2: Will they set up bots for you? Knowing how each bot works, and how they work together to provide a secure server, is difficult. If they won't even touch your bots, you are incredibly likely to miss something.

#3: Will they provide any support after initial setup? There are a number of so-called security experts out there who set up your server and then just ignore you once they have been paid. Only work with an auditor who promises you at LEAST a week of support after setup.

#4: Do they even know what they're talking about? Having a large Twitter following is not enough. Find someone who is talking specifically about Discord security, best practices, and wants to share knowledge. People on Fiverr are usually worth what they are paid.

#5: Do they provide you with a document after the fact? In the infosec world, an auditor provides a written report outlining what was wrong, what changed, and why. Just implementing an audit's changes doesn't solve your security issues; learning why they were made, and keeping that knowledge, helps in the long run.

Feel free to ask questions below. It's really hard to make short posts about something so complicated and still give nuanced responses. I'm happy to talk about ANYTHING in response to this section, even pricing, so feel free to ask :)

One Way to Tell if Your Discord Auditor is Not Qualified

Discord Security Tip

I made a whole thread on Twitter about how to pick a Discord auditor. I can actually condense it way down now: in this threat environment, I can boil it down to one single thing to check. Read on to figure out whether your Discord auditor has swindled you.

I spend two weeks after audits badgering teams, ordering them pizza with a note attached to the top of the box that says one simple thing: "Set up your goddamn cold admin account." If you don't have an auditor that forces distributed cold admins down your throat, you are ngmi.

How to Check If An Auditor Set Up Wick Correctly

Discord Security Tip

If you hired an auditor, click the magnifying glass (server sweep) icon in the Wick Dashboard once they are done with their 'audit'. If you see a lot of red, the auditor did a bad job, and at the very least should be able to explain why things are highlighted.

For reference, this is what a good server sweep result looks like on one of my servers: some bots have necessary native kick/ban permissions. Some bots had to live above Wick in the role hierarchy to delete webhooks. Some bots require permissions that frustrate the lockdown system. Every highlighted item has a reason behind it. Anything scoring lower than 80% is usually pretty suspect.

Oh, and if they didn't install Wick... check whether they installed another anti-nuke bot (I have yet to find a good alternative), and if they didn't, fire them. Full stop.
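As an added example (not code from the original post, and not Wick's own logic), the check below reproduces offline what the sweep passages above describe: it walks a guild's role list, flags bot roles that hold native kick/ban or other high-impact permissions without a documented reason, flags bot roles positioned above the anti-nuke bot's role, and treats a missing anti-nuke bot as a failing result. The Discord permission bit values are the documented ones; the role list, the bot names other than Wick, the allowlist and the percentage scoring rule are constructed assumptions for illustration.

```python
from __future__ import annotations

# Discord permission bit flags (values from the Discord API documentation).
KICK_MEMBERS = 1 << 1
BAN_MEMBERS = 1 << 2
ADMINISTRATOR = 1 << 3
MANAGE_CHANNELS = 1 << 4
MANAGE_GUILD = 1 << 5
MANAGE_ROLES = 1 << 28
MANAGE_WEBHOOKS = 1 << 29

# Permissions that let a compromised bot do server-wide damage.
HIGH_IMPACT = {
    "ADMINISTRATOR": ADMINISTRATOR,
    "KICK_MEMBERS": KICK_MEMBERS,
    "BAN_MEMBERS": BAN_MEMBERS,
    "MANAGE_CHANNELS": MANAGE_CHANNELS,
    "MANAGE_GUILD": MANAGE_GUILD,
    "MANAGE_ROLES": MANAGE_ROLES,
    "MANAGE_WEBHOOKS": MANAGE_WEBHOOKS,
}

SUSPECT_BELOW = 80  # the post's rule of thumb: a sweep under 80% is suspect

# Constructed sample in the shape of Discord's guild role list: "position" is
# height in the role hierarchy (higher wins), "permissions" is the bitfield as
# a decimal string, "bot" names the bot the role was created for (None for a
# human role). Every bot name except Wick is hypothetical.
SAMPLE_ROLES = [
    {"name": "Wick", "position": 10, "permissions": str(ADMINISTRATOR), "bot": "Wick"},
    {"name": "webhook-cleaner", "position": 11, "permissions": str(MANAGE_WEBHOOKS), "bot": "webhook-cleaner"},
    {"name": "mod-bot", "position": 6, "permissions": str(KICK_MEMBERS | BAN_MEMBERS), "bot": "mod-bot"},
    {"name": "music-bot", "position": 4, "permissions": str(MANAGE_ROLES | MANAGE_CHANNELS), "bot": "music-bot"},
    {"name": "welcome-bot", "position": 3, "permissions": "0", "bot": "welcome-bot"},
    {"name": "Moderator", "position": 7, "permissions": str(KICK_MEMBERS | BAN_MEMBERS), "bot": None},
]

# Exceptions the auditor has justified in writing, matching the cases the post
# describes (a mod bot with native kick/ban, a webhook-deleting bot that must
# sit above Wick). Hypothetical values.
SAMPLE_ALLOWLIST = {
    "mod-bot": {"KICK_MEMBERS", "BAN_MEMBERS"},
    "webhook-cleaner": {"MANAGE_WEBHOOKS", "ABOVE_ANTI_NUKE"},
}


def high_impact_perms(permissions: str | int) -> set[str]:
    """Names of the high-impact permissions set in a Discord permission bitfield."""
    bits = int(permissions)
    return {name for name, bit in HIGH_IMPACT.items() if bits & bit}


def sweep(roles, anti_nuke_bot="Wick", allowlist=None):
    """Return (score, findings) for a role list.

    Findings are (bot, issue) pairs: a bot role holding a high-impact
    permission the allowlist does not explain, or sitting above the anti-nuke
    bot's role without an "ABOVE_ANTI_NUKE" exception. The score is the
    percentage of bot roles with no findings; that metric is an assumption of
    this example, not Wick's formula. A missing anti-nuke bot scores 0.
    """
    allowlist = allowlist or {}
    anti_nuke = next((r for r in roles if r.get("bot") == anti_nuke_bot), None)
    if anti_nuke is None:
        return 0, [(anti_nuke_bot, "anti-nuke bot not installed")]
    bot_roles = [r for r in roles if r.get("bot") and r is not anti_nuke]
    findings = []
    for role in bot_roles:
        bot = role["bot"]
        allowed = allowlist.get(bot, set())
        for perm in sorted(high_impact_perms(role["permissions"]) - allowed):
            findings.append((bot, f"holds {perm}"))
        if role["position"] > anti_nuke["position"] and "ABOVE_ANTI_NUKE" not in allowed:
            findings.append((bot, f"role sits above {anti_nuke_bot}"))
    dirty = {bot for bot, _ in findings}
    score = 100 if not bot_roles else round(100 * (len(bot_roles) - len(dirty)) / len(bot_roles))
    return score, findings


def is_suspect(score: int) -> bool:
    """Apply the post's threshold: below 80% deserves an explanation from the auditor."""
    return score < SUSPECT_BELOW


if __name__ == "__main__":
    score, findings = sweep(SAMPLE_ROLES, allowlist=SAMPLE_ALLOWLIST)
    print(f"sweep score: {score}% ({'suspect' if is_suspect(score) else 'ok'})")
    for bot, issue in findings:
        print(f"  {bot}: {issue}")
```

Run against the constructed roles with the allowlist, only the music bot is flagged (it holds MANAGE_ROLES and MANAGE_CHANNELS with no stated reason), giving a 75% score that falls below the post's 80% line; run with an empty allowlist, the mod bot and the webhook bot are flagged too, which is the point of making the auditor write down why each red item exists.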