A Penetration Test is a friendly attack on your company’s information systems.
We attempt to break into your systems using the same methods that a malicious hacker would employ. These could include exploiting unsecured or unpatched devices on your network, flaws in third-party software or human errors in systems configuration.
Penetration Tests are our specialty, and each is conducted by highly trained experts using unique methodologies to combat the flaws inherent in the automated scanners that some others use.
Many vulnerabilities arise from bugs in software applications based upon complex business logic, which can be difficult to find unless expressly looked for.
Our Penetration Tests are based upon the level of access you give us to your systems. They run from ‘Black Box’ testing, where we have minimal knowledge of your systems, to ‘White Box’ testing, where we are given a high level of knowledge and access, and ‘Grey Box’ testing, which, as the name suggests, is a blend of both. For companies that are looking to acquire another company, we also offer ‘Blind Black Box’ testing, which provides an assessment of the target company’s Cyber Security situation.
In a Black Box test, we have no knowledge of any of your internal information structures and are not given access to your applications or network. This test is the most similar to a real-world malicious attack and usually requires significant time (as we need to attempt many attack methods to ensure none of them work). Deeper vulnerabilities may not be found or exploited during the time-frame of the test.
However, simply because deeper vulnerabilities cannot be found doesn’t mean they don’t exist, which can result in a false sense of security that could be exploited at a later date by a hacker without time constraints waiting for the right opportunity.
In White Box testing, we have complete access to your selected networks, systems and applications, which allows us high-level privileges and the ability to view source code. We perform both dynamic and static analyses to identify weaknesses across several areas such as security misconfigurations, logic vulnerabilities, poorly written software code and more.
This type of penetration test is comprehensive as both internal and external vulnerabilities are identified, assessed and prioritised from a ‘behind closed doors’ perspective that is not available to most hackers.
In a Grey Box test, our team replicates the activities that a hacker would undertake after they have penetrated your security perimeter and have internal access to your network. You provide us with some background information such as network infrastructure maps, application flow charts and low-level credentials, which allows for much more streamlined and efficient testing, saving time and money.
This approach also allows us to focus on identifying and exploiting potential vulnerabilities in your higher-risk systems rather than attempting to discover where these systems are.
The choice of testing methodology depends on your specific situation and needs.
Here’s how we’ll work with you…
First of all, we’ll clarify exactly what your specific needs are. It could be a web application or a network infrastructure issue for example. This will all be defined within a simple scoping document that we’ll help you complete before we begin.
Then we carry out the Penetration Test. The time taken depends upon the complexity of your needs and whatever we uncover during the process. We ALWAYS find weaknesses, often critical.
Once complete, we’ll securely send you the outcome, detailing both technical and business solutions to security vulnerabilities. Technical fixes may include updating certain devices or fixing errors in databases, whilst business solutions may focus on providing employees with security training or re-evaluating dependencies on less secure third parties.
Example Penetration Test Report
If you need assistance with resolving any issues we’ve found, we can help with that too.
Read our Penetration Test client case study.