Through our Penetration Testing services, we proactively assess your organization’s infrastructure and identify critical existing vulnerabilities to protect your assets from cyber threats before they are discovered and exploited by real attackers. We provide you with detailed reports on the assessments and the vulnerabilities that have been found, and then assist you with mitigation and compliance.
Pentesting objectives
A Penetration Test, also known as a Pentest, is an offensive security exercise which aims to assess the overall security posture of a certain company’s asset. This target can be a network, an Active Directory domain, or a public IP address among many others. The Pentest generally consists of a simulated cyber attack on this particular target performed by our security professionals in a controlled and safe manner.
The objective is to identify existing weaknesses in your infrastructure that could be exploited by a real attacker at any given time, thereby leading to threats towards your organization such as ransomware, information theft, unauthorized access or service disruptions to name a few.
After every proper Pentest comes the most important part: the mitigations. This is why our assessments always provide valuable and detailed reports to our customers, where the vulnerabilities and security flaws are described, as well as their respective mitigation tips and guidelines. We will ensure that our customers have everything fixed and secure by quickly re-testing the detected flaws after all the patches have been installed.
Penetration Testing Approaches
Black Box
Black box exercises are based on an initial lack of knowledge of the client’s infrastructure. The pentesting team has no previous information regarding network configurations, technologies or users.
Grey Box
In a Grey Box pentest, the customer provides our team with partial information regarding the target such as valid domain user accounts to be used, information about technologies in place, or IPs and domains to be analyzed.
White Box
A White Box pentest is more similar to an audit. Our team is provided with all the information about the infrastructure to be assessed, as well as admin or equivalent access to search into every corner of the network.
Pentesting: Scopes
Internal pentest
Internal pentests are performed from the perspective of an attacker who has initial access to the company’s internal network. This is the scenario one would find after gaining an “initial foothold” into the corporate network, through phishing for example.
External pentest (perimeter)
This pentest scope focuses on the company’s perimeter, which is made up of all the Internet-facing assets. These are reachable by anyone, and of course by attackers as well. These targets are public IPs, websites, domains, VPN Gateways and any other exposed services.
Social engineering Assessment
In this scenario, we will put to the test the security awareness of your company’s employees using what’s known as Social Engineering. By performing a targeted Phishing campaign, we will assess how many of them actually fall for the bait and use that as a lesson to improve your team’s vigilance towards this type of security threat.
Wi-Fi pentest
The wireless networks in your company will be assessed to find any security issues and holes which could be exploited by attackers with access to them.
Penetration Testing phases & methodology
Reconnaissance
Initial phase where we will gather as much information as possible about the target’s network, users, computers and others.
Identification
Process the gathered information and scan the targets looking for security issues which can be exploited.
Exploitation
This phase focuses on exploiting all the vulnerabilities discovered previously.
Post-Exploitation
While maintaining access to the compromised systems, the pentesters look for further targets and vulnerabilities within the scope.
Reporting
The pentest report documents the entire assessment, and provides insights as well as remediation tips for the security issues found.