Due to increasing digitalization, companies today are exposed to various threats such as industrial espionage, internal attacks by disgruntled employees, denial-of-service attacks or ransomware.
Penetration tests (Pentests for short, also: Ethical Hacking or Pentesting) are an important tool for the timely detection and closure of security vulnerabilities in order to protect sensitive company data.
In consultation with your organization, our OSCP-certified pentesters systematically check your systems for vulnerabilities. Our testing is guided by relevant industry standards such as the OWASP Top 10, MITRE ATT&CK®, the PTES and the guidelines of the German BSI.
Each finding is documented and evaluated to subsequently help you close these security gaps. We are happy to conduct retests to ensure that the vulnerability has actually been fixed. Of course, we maintain absolute secrecy and discretion to ensure that information about vulnerabilities does not fall into the wrong hands.
Which Pentest should I choose for my product/company?
Do you have an application (web, desktop or mobile) and want to make sure that your users’ data is protected and your APIs are secured? In an application penetration test, we take a close look at your application and all of its interfaces, examine the authorization concept and the use of cryptography, and uncover vulnerabilities in the code.
Are you worried that an attacker will infiltrate your organization via your publicly available systems such as VPNs, Nextcloud, MDM systems or mail servers and cause damage? In an infrastructure penetration test, we test your publicly available servers for vulnerabilities using realistic attack scenarios, collect information via Open Source Intelligence (OSINT) and provide you with an accurate picture of your organization from the perspective of an external attacker.
Social Engineering Audit
The biggest vulnerability for companies remains the human being. Are you afraid that your company will fall victim to a phishing campaign? We simulate phishing campaigns in an ethical manner, in consultation with you, to ensure that your employees are made aware of the risk. Contact us for a social engineering audit.
If an attacker has already reached the corporate network via phishing or by exploiting a vulnerability, the extent of the damage depends on the hardening of your internal systems. Disgruntled (ex-)employees can also become perpetrators. In an Internal Penetration Test (also called an Assumed Breach Audit), we test how far privileges can be escalated, starting from a standard user account in your Active Directory, and help you minimize the risk of damage in case of a successful attack. As part of this, we can also test a work laptop for hardening to ensure that a stolen laptop does not lead to a compromise of your company.
Contact us today
We will be glad to advise you in a non-binding conversation.
Frequently Asked Questions (FAQ):
How do I order a Penetration test?
In a first step, please contact us via our contact form or by phone. In a non-binding preliminary meeting, we will clarify the scope of the audit and then get back to you with an offer. After the contracts are signed, our experts get started. Once the penetration test is completed, you will receive a detailed report with a description of all vulnerabilities found and recommendations for their elimination.
What is the difference between a whitebox, blackbox and greybox pentest?
In a blackbox test, an external attacker is simulated who has no prior or insider knowledge about the target. In a greybox test, the attacker is given more information about the target, such as a list of services running on the target hosts. In a whitebox test, the attacker receives the maximum amount of information: for an application, for example, the source code is made available.
We will be happy to advise you and find the right model for your use case.
Is it possible to perform an automated penetration test?
So-called automated pentests are often only vulnerability scans disguised as penetration tests: scanning tools find only the obvious vulnerabilities (so-called low-hanging fruit). A vulnerability scan is part of a penetration test, but vulnerabilities often lie in the logical design of an application or in the meaningful combination of several smaller vulnerabilities into an exploit chain. These can only be detected by an experienced penetration tester.
Does an internal penetration test have to take place on site?
No – we send our pentest box directly to you and you only have to connect it to your network. It connects directly to our office in Bremen via a secure VPN connection and our pentesters can get started right away.
However, we are also happy to check your physical security on site and take a look at your offices and workspaces.
How does a social engineering audit / phishing simulation work?
For a phishing simulation, we first select one or more appropriate scenarios in a kickoff meeting and decide whether your employees should be educated about the phishing attempt through an educational page that is shown as soon as somebody falls for the attack.
After some test runs and adjustments, we execute the campaign. You will then receive a report with success statistics and a description of the scenario. Optionally, we also conduct awareness workshops for your employees to ensure that phishing will not be successful in your company in the future.