Penetration testing is one of our core services. We have many years of experience in performing penetration tests and have so far delivered several hundred tests to our customers. All pentesters performing the tests hold multiple certificates, e.g. OSCP (Offensive Security Certified Professional), and have a proven track record in the industry. We fulfill the formal requirements that customers often impose on the delivery of a penetration test, such as the PCI DSS Penetration Testing Guidance. All reports are written by our consultants and not thoughtlessly generated by automatic security scanners. Additionally, our pentesters have identified many vulnerabilities in popular software and successfully participated in bug bounty programs.
Black box penetration testing
Both infrastructure and application pentesting can be performed from an outside attacker's perspective, meaning that the tester has no knowledge of the targeted system apart from what is publicly available. No information about the architecture or the customer's systems is provided, and no user accounts are provided except those that an attacker can create (e.g. by registering in the application). Usually, when conducting a security audit of a web application, we use a gray box approach, which gives us some information about the audited system (e.g. documentation, a description of the system's functionality) and an account for each role in the system. This lets us check for both vertical and horizontal privilege escalation, that is, access to the data and/or functionality of a higher-privileged user (vertical) and of a different user with the same or similar access rights (horizontal).
White box penetration testing
This type of security audit is an extended version of gray box pentesting in which the testers have full knowledge of the targeted asset. In the case of a web application, we are given access to both the documentation and the source code, in addition to what is granted in a gray box test.
Web application penetration testing
We deliver web application penetration testing in accordance with the popular and widely accepted OWASP methodology (The Open Web Application Security Project), including the OWASP Top 10 and OWASP ASVS (Application Security Verification Standard), extended by our own experience. We do not limit ourselves to OWASP-listed vulnerabilities: we also aim to find business-specific vulnerabilities that can pose a real threat to the customer's business and that are often missed by automated vulnerability scanners.
Software penetration testing
We deliver desktop application penetration testing and client-server application penetration testing. We can cover security testing of applications written in C/C++/C# and Java for Windows, Linux and OS X platforms.
Mobile application penetration testing
We perform mobile application penetration testing for the iOS and Android platforms. We base our methodology on OWASP Mobile (The Open Web Application Security Project), including the OWASP Mobile Top 10 and OWASP MASVS (Mobile Application Security Verification Standard), enhanced by our own experience in identifying vulnerabilities in mobile applications.
Infrastructure penetration testing
We perform penetration testing of network infrastructure (LAN/WAN/WLAN), according to the PTES framework (The Penetration Testing Execution Standard). Tests can be conducted from both external (Internet, Wi-Fi etc.) and internal (LAN, VPN) networks.
LAN Network penetration testing
A security audit of a local network can be performed on premises or via VPN. The difference compared to infrastructure pentesting is that the pentester is given the level of access an intruder would have after already gaining access to the company's internal network, or the test simulates a rogue employee trying to do harm from the inside.
WiFi penetration testing
WiFi penetration testing aims to test the security of locally deployed wireless networks. Its goals include breaking into a protected WiFi network, as well as escalating privileges from a guest network and attacking the users.
Wireless security is also part of our red teaming services, which aim to perform social engineering attacks against unsuspecting WiFi users, for example by running a rogue AP (Access Point).
Penetration testing pricing
The cost of a penetration test depends mainly on the size of the scope and the complexity of the work required. The price also differs between remote and local engagements, as the latter require additional travel and accommodation costs depending on the location. To get a quote, please contact us.