PENETRATION TESTING
Find weaknesses in critical resources and improve your security baseline by simulating malicious attacks.
We take a hacker’s perspective on your infrastructure and simulate an attack on your IT systems to identify and validate vulnerabilities that may pose risks to your organization. By mimicking the tactics and techniques of real-world adversaries, we validate exploitable pathways, identify errors in programming, and diagnose logical flaws in the system architecture that attackers could use to gain access to your IT environment.
Why Perform Penetration Testing
Achieve Important Goals
01
Find and Fix Vulnerabilities
When performing penetration testing, we look at your organization from the viewpoint of a malicious actor, find exploitable vulnerabilities, and fix them before they are used by adversaries.
02
Validate Security Posture
By imitating actions that adversaries would take to penetrate your IT infrastructure, we gain an accurate understanding of your security posture and verify how effectively your systems work.
03
Identify Gaps in Compliance
A successful perimeter breach during penetration testing can expose violations of policies and compliance measures on the part of security staff or other employees.
04
Get Management Support
Penetration testing results from an independent third party help showcase security flaws to an organization's management and provide evidence-based reasons for increasing budgets or implementing new solutions.
05
Train Your Security Team
Penetration testing allows you to assess how well the security team is prepared for cyberattacks as well as to measure their monitoring and incident handling capabilities.
What you can test
Penetration Testing Categories
EXTERNAL TESTING
Finds and exploits vulnerabilities in systems, services, and applications exposed to the internet
SMART CONTRACT AND BLOCKCHAIN SECURITY ASSESSMENT
Perform a security review of your blockchain ecosystem and detect vulnerabilities within smart contracts (re-entrancy vulnerabilities, transaction ordering/timestamp dependence issues, mishandled exceptions, DoS- and deadlock-related vulnerabilities)
WI-FI TESTING
Tests the security of deployed wireless solutions and all wireless devices
MANUAL INTERNAL TESTING
Searches for security weaknesses from the point of view of an attacker who has gained access to an end user's system
WEB APPLICATION TESTING
Complex and detailed testing to discover security vulnerabilities in web-based applications
SOCIAL ENGINEERING TESTING
Uses social engineering methods and test phishing campaigns to attempt to obtain sensitive information from employees
AUTOMATED INTERNAL TESTING (AVAILABLE AS CONTINUOUS ASSESSMENT)
Tests your entire infrastructure daily, weekly, monthly, or at any other interval, trying every possible attack vector based on automated discovery of vulnerabilities and performance of ethical exploits while ensuring undisrupted network operation
MOBILE APPLICATION TESTING
Analyzes the behavior of mobile applications (iOS and Android) in a dedicated isolated sandbox environment
API TESTING
Reveals security vulnerabilities in API functions, how APIs could be abused, and how authorization and authentication could be bypassed
How you can test
Choose the Type of Pentesting That Best Suits Your Goals
ZERO KNOWLEDGE
The penetration tester has no internal knowledge of the target systems, their architecture, or their source code. Taking an average hacker's perspective, the tester tries to identify and exploit vulnerabilities from outside the network.
Before performing penetration tests, we agree on how much the customer will know about the scope of testing and the testing plan by deciding on one of three testing types:
Visible
the customer's team has full information about the time and plan for the test
Implicit
the customer's team has some general or partial information about the test
Blind/Red teaming
the customer's team is not informed about when and how testing will be conducted
What You Get in the Report
Your penetration testing report will contain:
• An Executive Summary for key decision-makers with no technical background, containing high-level results and what needs to be fixed immediately
• A Technical Summary with specific findings
• A description of successful attack vectors, demonstrating what vulnerabilities were exploited (and how) to penetrate the infrastructure
• Recommendations for remediation and risk management
ISSP Penetration Testing Methodology
01.
Scoping
Define the scope and goals of the test
02.
Reconnaissance
Search for an organization’s IT assets, technologies deployed, leaked credentials, and sensitive information indexed by search engines
03.
Threat Modeling
Build a method of attack
04.
Vulnerability Assessment
Map infrastructure and application surfaces, identifying vulnerabilities that may be used in the attack
05.
Exploitation
Attempt to exploit common vulnerabilities, errors in programming, and logical flaws in the architecture
06.
Post-exploitation
Obtain sensitive information, access to other servers, and credentials to be used for further attacks
07.
Reporting
Detail the findings, classify vulnerabilities, analyze risks, and recommend mitigation strategies
08.
Verification
Check whether identified vulnerabilities were mitigated correctly
Penetration testing standards that we use
• OWASP Testing Guide
• PTES Penetration Testing Execution Standard
• ISECOM OSSTMM – Open Source Security Testing Methodology Manual
• NIST Technical Guide to Information Security Testing and Assessment
• ISACA IS – P8 Security Assessment – Penetration testing and vulnerability analysis
• PCI DSS Penetration Testing Requirements
• BSI Penetration Testing Model
You should also consider
Additional Testing Options for Better Results
SOURCE CODE ANALYSIS
Using the white box Static Application Security Testing (SAST) methodology, a tester examines the application from the inside, searching its source code for conditions that indicate a security vulnerability might be present. Static code analysis establishes the impact, likelihood, and severity for each type of vulnerability.
RETESTING
All our pentests include a recheck by default, but consider performing a new penetration test at a defined interval after the first test. With retesting, the team of testers is already aware of the targets, their business logic, and previous findings. Retesting can include new functions and pieces of software added to the initial targets.