Penetration Testing

Penetration Testing allows you to identify where the weak points in your security are. Numerous security standards, including ISO27001, consider it best practice to have a Penetration Test carried out at least annually by a competent and independent external third party. It is also a requirement of GDPR and of any business regulated by PCI-DSS, the FCA or other bodies.

Conducting Penetration Testing against your people, processes, property and technology will gain you an insight into how well security operates throughout your business and how well you can withstand an attack.

We use our global reach and research insights to collect, process and analyse how threats are evolving. This allows you to stay informed about general threats, industry-specific threats and threats targeted at your organisation.


What sets us apart from others

Our Penetration Testing service is different from many of the other penetration testing services available today. Our key difference in the marketplace is our team, their mixed skill sets and diverse experience.

We know every client is different, and so is every Penetration Test. We tailor every test to your requirements and needs. We will take time to understand your business, why you need testing and how best to deliver the perfect test for you.

Every step of the way through your penetration test you will have direct access to your tester and, where we are working on a team-based engagement, you will have direct access all the time to the team leaders.

We have an extensive repository of custom developed tools and exploits at our disposal that can be used to bring to life the advanced attack techniques of the chaotic actors that may target your business. These, coupled with our unique reporting style, mean you are assured the very best testing results and experience.

Downloads

Download our penetration testing brochure to find out more information on our penetration testing services.


Penetration Testing Process

Scoping

At a high level, there are four stages to our general penetration tests. These are Scoping, Testing, Reporting and Review. This can be seen on the right in our typical penetration test process flow.

The most important part when considering your penetration test is the scope. The scope is what defines which objects or assets require testing.

Defining a scope can be relatively simple. The whole scope may be a single system or application where the boundaries are clearly defined. In other cases the scope will be more complex. For example, when conducting a PCI-DSS penetration test the scope must meet the requirements of section 11.3 of the PCI-DSS. In this example we will need to verify the scope for testing to ensure that it adequately covers all in-scope systems.

For simple requirements we can typically scope a test accurately via a phone call or email. More complex tests will require a scoping form to be completed.

Testing

The testing phase is where all our skill and experience come into play. Communication is key to the delivery of a good security testing engagement. You will receive communication from your tester at intervals defined during the Pre-Test discussions. Typically this will be towards the end of each day.

Reporting

Arguably the most complicated part of the engagement, this can sometimes be one of the most time-consuming phases. Reporting takes all of the raw technical output from the test and turns it into a readable document. Depending on the type of test booked, there may additionally be CSV files of vulnerabilities, screencasts of exploitation in action and access to a private file repository to download files.

Review

Our review process is tough for our testers. Every report will be reviewed by either our senior team leader or our CEO. During the review they will look at each vulnerability identified and exploit performed to ensure that the penetration test achieved the best results within the time-frame of the scope.


Penetration Test Report

Reporting is vitally important to every penetration test. We often get asked by clients why one third of the time assigned to a test is dedicated to creating the report, and the answer is simple. The report is the single tangible piece you receive at the culmination of your penetration test.

We approach reporting in a different way to many of our peers. Your main report is split into three sections.

  • Executive Report

  • Technical Report

  • Vulnerability Report

While these three sections constitute the Penetration Test Report, we also provide you with a CSV file containing all the verified vulnerabilities to aid your technical teams in the remediation of the vulnerabilities.

Wherever possible, we also include links to downloadable video files for particular exploits so you can watch the penetration tester performing the exploitation and understand how the exploitation works.

All of this combined provides you with the most comprehensive penetration test report available to date.


Our Two Levels of Penetration Test

Advanced Penetration Testing

Our Advanced Penetration Test service is the flagship of penetration testing. Formulated for businesses where security and safety are mission critical, our Advanced Penetration Testing service is used by businesses with advanced security requirements where failure of protection mechanisms is not an option.

An Advanced Penetration Test will be performed over a greater number of days and will always be led by our CEO, Peter Bassill, and two further highly qualified penetration testers.

This level of testing includes everything from the Base and Standard Level Tests plus:

  • Led by one of our senior Researchers

  • Testing performed by two independent teams

  • Each team is made up of CREST Registered Testers

  • Testing is based on active threat modeling of your environment

  • Double Testing lock. Essentially the scoped environment would be tested twice by different testers with collaboration on exploitation

  • Advanced testing practice with custom developed zero-day attacks where needed

  • Highly detailed report plus:

    • CSV file containing all the vulnerabilities identified with suggested remediation

    • Screencasts of exploitations to help demonstrate and enhance the understanding of what is being performed

    • Details of all the false positives identified

Standard Penetration Testing

Our Standard Penetration Test is ideal for those businesses wishing to understand the cyber risk exposure of their infrastructure, applications and devices.

The Standard Level Penetration Test meets the requirements of a number of regulatory standards which require annual penetration testing, such as PCI-DSS.

This level of testing includes everything from Base Level Penetration Testing plus:

  • Testing is led by one of our CREST Registered Testers

  • Deeper dive into the scope using manual testing techniques

  • Detailed Test Report

