Penetration Testing

Service Overview

Our penetration testing service offers a pinpoint vulnerability assessment across a range of systems and technologies, including:

  • Web applications
  • Cloud services
  • APIs
  • Mobile
  • Network and infrastructure
  • Operating systems

The tests include generic vulnerability scans as well as targeted attacks based on the type of system under test. All tests are intended to be repeatable and we recommend that critical systems are tested on a regular basis to ensure no regressions have occurred.

The time required to complete an effective round of penetration tests depends on the range of systems under test and the complexity of each system. However, we can test the security posture of specific applications or systems in as little as 2 to 3 days. With this approach you can validate your critical systems with an initial engagement and then take further action as required based on the findings.

The next sections provide an overview of our penetration testing methodology.

Preliminary Consultation

To determine the level of effort required to assess your system we offer a free preliminary consultation to advise on the likely timeframes and costs based on your specific requirements.

Security Test Plan

The test plan determines the “why”, “what” and “how” of the penetration testing process. We use our own template to kick-start the process, then sit down with you to understand and record the specific goals of the project.

As part of the plan we also confirm the scope, approach, schedule and the types of tests we will be performing.

Information Gathering

This consists of:

  • A workshop to go through the high-level architecture of the systems and services in scope for testing
  • Open source intelligence gathering to determine if any confidential data can be obtained through public resources to increase the effectiveness of the tests

Information you provide on your internal IT architecture allows us to undertake a knowledge-based test approach. While we can perform blind testing, our experience has shown that background information considerably accelerates the testing process.

Test Approach

We use a combination of automated and manual tests. Much of the testing can be completed remotely but in some cases site access will be required when we are testing internal networks. The tools used and the types of testing we perform are all documented in the Security Test Plan.

Test Execution

All tests are executed as per the Security Test Plan and to the agreed schedule. If the testing identifies any critical vulnerabilities, we will inform the agreed contact person immediately.

Vulnerabilities and Exploits

The aim of the penetration tests is to identify vulnerabilities. However, when requested we can attempt to exploit a vulnerability to confirm the risk it presents and demonstrate the potential damage it will cause.

Deliverables

The output from the penetration testing includes a Penetration Test report as well as the Security Test Plan for your reference.

The report will detail each of the vulnerabilities discovered along with a risk rating. We will also provide remediation advice for each observed vulnerability.

Follow Up

The cyber-threat landscape is constantly changing. To provide ongoing protection, now that we are familiar with your systems, we can refine and re-execute the penetration tests on a regular basis.

If you would like to learn more about our penetration testing service, please contact us for a preliminary consultation.