Penetration tests emulate a threat actor’s attack to evaluate how our clients’ cyber security strategy responds to it.
Our certified experts follow common Tactics, Techniques and Procedures (TTPs) as well as innovative methodologies to assess the posture of various aspects of a company’s digital infrastructure. Attack vectors that are evaluated include, but are not limited to:
- Network infrastructure
- Web applications
- Mobile applications
- Wireless connectivity
- Employee cyber security awareness
Penetration tests can be performed from the following perspectives:
- Black box: A penetration test performed without any influence or direction from the business on what vectors to attack
- White box: A penetration test performed according to pre-determined guidelines set out by the client
- Grey box: A penetration test performed with partial guidance, such as a map of the network, while other objectives, such as administrative access, must be achieved during the project
Our methodologies and processes are attributable to the following certified frameworks for penetration testing:
- NCSC CHECK scheme
- Penetration Testing Execution Standard (PTES)
- Open Source Security Testing Methodology Manual (OSSTMM)
- Center for Internet Security (CIS)
- National Institute of Standards and Technology (NIST)
- Open Web Application Security Project (OWASP)
Following the penetration test, clients receive comprehensive reports that detail the variety of vulnerabilities identified and their associated exploits based on severity and criticality.
Penetration tests assess systems and networks more rigorously and exhaustively than vulnerability assessments, and aim to translate the vulnerabilities identified into tangible risk for your business. For example, an unpatched application on one server out of several hundred may seem trivial, but a penetration test would describe how this vulnerability could be used to gain root/admin access to the device and how that access could be used to mount further attacks on other systems to compromise the entire network.
Similarly, penetration tests can be used to measure how staff members react to various situations, and how far these scenarios can go in compromising assets and networks.
They are a more in-depth approach to testing and provide a more accurate representation of your security posture than vulnerability assessments.
They are confined to a mutually agreed scope and adhere to well-defined rules of engagement and methodologies.
They can be used to test both application and network layers.
Penetration tests are usually performed from an unauthenticated perspective.
Better results are obtained when your security systems (IPS/WAF) are relaxed (for our test systems only) for the duration of the assessment.