A penetration test (pentest) is a technical and offensive check (security test) of the security of IT systems. The focus can be on different IT components:
- Web applications
- APIs
- Mobile apps
- Whole networks
The process is always coordinated with you and is based on standards and frameworks such as OWASP Web/Mobile Security Testing Guide and MITRE ATT&CK.
Versions
A penetration test begins with defining the scope and conditions: You specify which networks, hosts, applications, user roles, functionalities, etc. are to be tested and under which conditions. The following questions, among others, are clarified:
- What test activities should be allowed?
- How much internal information about the systems should be revealed in advance, i.e. should it be a white, grey or black box penetration test?
- When and where (remote/on-site) should the reviews take place?
The duration of a pentest depends on the size and complexity of the environment as well as the desired depth of testing. A variety of techniques and tools can be used. Typical activities include:
- Identification of hosts, services, endpoints, etc.
- Exploitation of vulnerabilities
- Escalation of privileges
- Lateral movement
- Man-in-the-middle attacks
- Collection and use of authentication information
- Use of malicious input
- Bypassing authentication and authorisation
- Client-side attacks
Certain activities can have undesirable side effects or be associated with risks. Therefore, we determine in advance with you which checks should be allowed.
Your added value
After the penetration test, we provide you with a report that explains the identified opportunities for improvement, prioritises them according to criticality and recommends measures for their elimination. In doing so, we attach importance to recommending not only selective but also holistic measures to you. A penetration test can also be beneficial in the early development phase of a new application or environment as design vulnerabilities can be detected early and remedied cost-effectively.