A penetration test examines your infrastructure, application or interface for security vulnerabilities. We attack you –
but without causing any damage.
Security gaps can be detected and closed in this way –
Your attack surface is reduced step-by-step together with you. For external attackers, it becomes more difficult to successfully attack you with every penetration test.
When conducting a penetration test, we do not rely solely on automated tools. Our experienced white-hat hackers check a large part of the attacks manually.
Discovered vulnerabilities from automated attacks are always checked manually, verified and, if necessary, assigned a PoC.
Types of penetration tests
Your web application is accessible to everyone. The advantage is disadvantage at the same time. Numerous possibilities offer surface for most different attacks.
Increase the security of your website, shops or web application. Protect customer, supplier and patient data of all kinds. Perform a penetration test now and close your security gaps.
The automated exchange and retrieval of information is a crucial aspect in the functioning of modern applications and business processes.
We examine the interfaces for IT security aspects, implementation of rights management and other aspects – so that your data is only accessed by the people you allow.
Regardless of whether you offer a mobile application for marketing purposes, for company organization or simply as an end customer product – you reveal a lot about the company and the significance of IT security.
Protect customer data, avoid misuse and build a reputation as a company that values customer data.
Your infrastructure is your heart. The customer WLAN, the connection of home office employees or the structure, distribution and accessibility of your servers are a popular target for attackers.
Investigate the vulnerability of your infrastructure from the outside. Avoid infrastructure outages, secure access points. Protect your data and that of your customers.
Our penetration test procedure
Our approach to conducting a penetration test is characterized by the procedures, best practices and guidelines of the OWASP Testing Guide, the Open Source Security Testing Methodology Manual (OSSTMM) and the Penetration Testing Execution Standard (PTES).
First we have a non-binding conversation with you. At this point, information about the scope of the test and the system is required. We meet together to clarify the last open questions. Special features of your system will be discussed in the kickoff meeting. In addition, we determine the communication structure and the single point of contact.
We collect relevant information about your company and the goal of the penetration test. A wide variety of methods are used. We reserve the right to fake calls to obtain or supplement missing information.
The information collected is used to plan potential attacks. Careful documentation allows you to close these information sources after the penetration test has been completed.
We find out which attacks can potentially be exploited with which vulnerability. Depending on the technologies used, restrictions already implemented and security mechanisms, you will receive recommendations for action in the report, which attack surface exists for your company.
If necessary, we will exploit the existing security gaps and show you how attackers can steal, manipulate or encrypt data. You should provide a test system and make sure that it is isolated from the live system. A proven backup infrastructure should also be in use.
All steps – from the initial discussion, the information communicated and learned, as well as any gaps in security and proof-of-concepts – are handed over to you in a detailed report.
When carrying out a retest, the issued report is used on a basis to check the closure of the security gaps.
What are we testing during a penetration test?
Active & Passive Reconnaissance
The execution of an attack always requires extensive information research. The collection of information, the identification of running services, operating systems and software versions are some of the few points that are relevant for the execution of successful attacks.
- Open Domain Search
- DNS Investigation
- Public Information search
- Network Enumeration
- Port Scanning
- Firewall Enumeration
Not every information or security gap is practically feasible or useful. Security gaps that only apply in the laboratory – or under unrealistic conditions – are listed in the report, but are also classified as such. In order to discover these, we use numerous methods.
- Remote Code Execution
- Buffer overflow
- Code Injection
- XSS, SQLi, XXE,
CSRF, LFI, RFI ..
- VLAN Hopping
- ARP Spoofing
- HSRP/VRRP MiTM Attacks
- Routing Protocols MiTM
- Default Username/PW
- Brute Force Attacks
- Weak and guessable Creds
- Race Conditions
- Kernel Attacks
- Local exploit of high-
Can attackers successfully attack the company? Our white-hat hacker team attacks the target of the penetration test and practically carries out which information can be stolen or manipulated with which effort. Then you can use the knowledge to close the gateway for real attackers.
We offer the following penetration test approaches
Black Box Penetration Test
We test your system without any specific knowledge about it. We have no access to the source code and no knowledge of the architecture used. The approach typically takes place via a web application. This approach comes closest to that of a real attacker, but takes much longer and makes it difficult to get a complete overview.
Grey Box penetration test
The most necessary information was exchanged via the target system. This includes, for example, the URL of the application and user logon information that represents different user roles. The Greybox test is the most effective way to examine your application. Due to the lack of extensive information research compared to the black box test, more attention can be paid to the detection and exploitation of security vulnerabilities.
White Box Penetration test
The white box test has full knowledge of the target system. The white box penetration test contains a comprehensive code review. This review is conducted with a focus on IT security. Architecture and infrastructure aspects are also examined and subsequently evaluated. The white box penetration test, similar to the black box penetration test, takes a lot of time to perform.