penetration testing

uncover vulnerabilities, protect your organisation

Penetration testing is an in-depth investigation into specific networks, web and mobile applications, infrastructure or connected devices. Our services are delivered by experienced security consultants and are designed to simulate the actions of a threat actor, uncovering and classifying vulnerabilities which could be used to exploit and damage your organisation.

the benefits of penetration testing

protect your assets & your reputation

Organisations rely heavily on digital assets, whether that be web applications, infrastructure, third-party software, connected devices or supply-chain networks. These need to be tested on a regular basis, and if they were to be breached it could result in reputational damage.

prioritise improvement efforts

Penetration testing allows you to identify and classify your most critical vulnerabilities, providing vital remediation advice. This gives you the information you need to make informed decisions regarding your security and effectively prioritise your ongoing improvement efforts.

provide security assurances

Whether you’re buying third-party software, or developing your own solutions, ensuring its security is essential for both your organisation and your customers. Our penetration testing services can help provide these security assurances during development, or as part of any procurement process.

gain security buy-in

Obtaining budget for information security improvements can be difficult, especially when you don’t have a clear picture of the issues your organisation faces or your vulnerabilities. Our penetration testing can give you this picture, providing you with the support you need to gain security buy-in.

support compliance

Regular penetration testing will help support compliance standards and regulations such as PCI DSS, ISO 27001 and GDPR.

what we test

Penetration testing comes in several forms and our service will be tailored to your business, as well as your security priorities. Our services include: 

Not sure what you need? Our team will be happy to discuss your options, helping you to prioritise your efforts based on your individual requirements.

our approach

Every test we conduct goes through a rigorous process, ensuring you get the best possible outcome for your business. Below we outline the key stages our penetration testing goes through:

1. scoping

We work with you to fully understand your organisation, goals and desired test outcomes.

2. proposal & prerequisites

A proposal will be drawn up outlining the planned scope of work and the preparation needed to start testing.

3. testing

Testing commences once the proposal has been agreed and signed authorisation has been granted.

4. ongoing communication

Our consultants will communicate with you throughout the test, to your set requirements.

5. reporting

A comprehensive, quality assured report of test findings will be delivered.

6. post-test support

Our consultants will be available after the test to offer advice and guidance on any aspect of the report, as well as remediation efforts.

7. retest

You have the option to retest, ensuring reported vulnerabilities have been addressed.

why choose us?

Our penetration tests are designed to support your security improvement efforts. Whether it’s your first test, or you’ve conducted hundreds, our team are dedicated to making the process as seamless as possible, to pass on their wealth of expertise and to deliver long-term value to you and your organisation.

experience and expertise

Our team of security consultants have years of experience and a depth of expertise in application layer security. We invest significant time into security research projects, honing and developing skills which allow our consultants to deliver the best possible results for your organisation.

dedicated contact throughout

Every organisation we work with is appointed a dedicated account manager. Our account managers understand the complexity of coordinating tests and will work with you to ensure your test runs smoothly.

testing tailored to your business

We work with you to understand your organisation and the information security challenges your organisation faces. We will use this knowledge to put forward a bespoke test proposal based on our experience and your requirements. 

quality reporting

Every penetration test report undergoes an internal QA process and is peer reviewed. Our reports provide you with a managerial overview of findings, an in-depth technical review of the vulnerabilities found and our remediation advice.

post-test support

Our job doesn’t finish on the delivery of a report and our expert consultants will be available to answer any questions, to share their expert knowledge, and to provide remediation support to internal development teams or external suppliers.  

optional retest

We can include an optional retest in our testing, making sure issues have been understood and remediation efforts have been implemented as effectively as possible.

faqs

Both vulnerability scans and penetration tests are important in the overall protection of your network. Neither assessment replaces nor cancels out the other, however, there are some fundamental differences.

Vulnerability Scanning is traditionally a regular or scheduled assessment that delivers important information on vulnerabilities found and how to fix them. A thorough scan, whether it be done manually or automated, is very much dependent on how it has been set up and configured. It is worth noting that vulnerability scans do have their limitations; they only detect known vulnerabilities, can often miss vital red flags, and there are issues around false positives.

A penetration test is more in depth. Based on a manual approach, a penetration test mimics a ‘real life’ malicious attack on the system or network within the testing scope. Organisations that have an established information security posture tend to engage with companies like Pentest on a regular basis, providing them with a high level of security assurance, protecting them from loss of data and consequently reputational damage.

Every test is scoped individually, utilising the knowledge and experience of our dedicated security consultants, along with other factors, such as the complexity of the application and your business need. This means there is no ‘average’ penetration test duration and our dedicated account managers are best placed to advise you based on your individual requirements.  

Having access to source code is not a prerequisite to perform a test, however, it can provide valuable information regarding the application and can be useful in terms of confirming the issues identified. 

For example, source code would be helpful if a consultant identified a form that they suspect to be vulnerable to an injection attack. Using the code, the consultant could identify what validations are in place and find attack payloads that would bypass these protections.

Each hosting vendor will have different requirements regarding permission to perform testing of applications hosted on their infrastructure. Some providers have an online form where you can request test authorisation, others may not require authorisation but ask that you notify them beforehand.

We recommend in all cases that you check the specific requirements as per your contractual obligations. A first port of call for this may be the hosting partner’s website or your assigned account manager.

Information on AWS and Azure can be found on their relevant websites.

In many cases the vendor will provide testing guidelines, listing what test approaches can, and cannot, be performed by an external tester. We recommend you provide this information to us before any test is performed. Pentest will always follow the testing requirements and limitations as specified by the relevant vendors.

Our consultants are experienced in performing penetration testing and follow a proven methodology that has been developed over many years. As we are testing applications that we have not developed, hosted on infrastructure that we have not configured, we cannot guarantee that no damage or loss of availability will be sustained by the client. 

Every effort will be made to avoid this situation and we will work with you throughout the scoping process to identify associated risks, outline the tests that can be performed, understand what is out of scope and determine whether the test is best performed on a ‘test’ site rather than ‘production’ site. 

Our consultants will communicate with you throughout the test process, highlighting any potentially risky actions beforehand and will immediately halt testing if a client flags a situation whereby our testing, or proposed next actions, could be prejudicial to the production system or applications. 

We have performed tests on both UAT/test environments as well as production/live environments. In many cases, this choice will be driven by your requirements, the environments available and the risk assessment for each test. It is not unusual for consultants to perform an initial test on a UAT environment and then check to see if vulnerabilities are present in the live application. 

The scoping process will be used to agree the most relevant approach for you and we strongly advise that backups are kept, ensuring that any loss is recoverable.

We provide a detailed report of findings at the end of every penetration test. This report classifies the vulnerabilities found into critical, high, medium and low risks (including Common Vulnerability Scoring System (CVSS) v2 and v3 ratings/vulnerabilities). It also provides you with a managerial overview, an in-depth technical review of the individual vulnerabilities and our remediation advice.

Every report undergoes an internal quality assurance process and is peer-reviewed.

Pentest provides remediation advice, though we do not provide remediation services (this would be considered a conflict of interest if we were to perform a retest in the future). 

Each test report contains sufficient detail to allow clients to reproduce the vulnerabilities, along with the detailed steps and references needed to correctly fix the issues. In addition, we place great emphasis on post-test support and our consultants will be available during remediation efforts to advise and provide support where needed.

We don’t provide certificates of testing and believe there is a danger in doing so. However, we do understand that you may be approached by existing or prospective clients asking for proof of testing as part of any due diligence or security related requirements. If this is the case, we can provide a ‘letter of opinion’ which can provide assurances that the applications and services under review have been tested in accordance with industry standards and by an experienced consultant.