Uncover & close security gaps with the help of penetration tests
Vulnerabilities in your systems, components or applications can become a gateway for cyber criminals if they are not detected at an early stage. Data theft, blackmail and system failures, as well as the associated economic damage and loss of trust, are just some of the possible consequences of a successful cyber attack.
With penetration tests - in short pentests - we support you in checking the effectiveness of your existing IT security measures.
Best possible protection against hacker attacks
Using customized penetration tests, you can uncover potential security vulnerabilities before cyber criminals do.
Pentests pay off
Prevention instead of rehabilitation: Pentests help you to prevent potential attacks and the associated financial and reputational losses.
Comprehensive test report with recommendations for action
Once the pentests have been completed, you will receive an informative test report including recommendations for action to eliminate weak points.
What is a penetration test (short: pentest)?
A pentest is an IT security measure used to check the security of IT systems, networks and applications. The aim is to identify potential vulnerabilities and points of attack at an early stage before they can be exploited by cyber criminals. The methods and means used are the same as those that real attackers would use.
Benefits of a pentest at a glance
Identification of potential vulnerabilities
Pentests uncover security gaps & vulnerabilities before cybercriminals can exploit them.
Solid action recommendations for elimination
With the final report, you also receive recommendations for action to eliminate possible weaknesses.
Objective assessment & evaluation of security
Pentests are an efficient tool for evaluating the effectiveness of your IT security measures.
Increase IT security, reduce risks
Pentests help you to improve security within your company & reduce attack risks.
Pentests based on recognized standards
Our IT security experts carry out penetration tests in accordance with recognized standards and guidelines.
Sensitization of employees
By means of pentests, you simultaneously increase the security awareness of employees at all hierarchical levels.
Compliance with contractual requirements
By carrying out pentests, you comply with existing regulatory requirements and specifications.
Guidance for investments
By uncovering weak points, pentests reveal the areas in which you are best investing in the future.
Protection against financial & reputational losses
Prevention instead of aftercare: pentests help you prevent attacks – and the associated damage.
Trust among customers & business partners
In the form of pentests, you strengthen the trust of your customers and business partners.
Pentests: 3 test methods in the overview
Black box penetration test
A black box pentest does not provide the pentester with any additional information about the test object in advance. This simulates a typical attacker who usually knows very little about their target.
Grey box penetration test
The grey box pentest is a mixture of black and white box pentest. This means that the pentester already receives some information, such as test access data and (API) documentation, and determines the remaining information itself.
White box penetration test
During a white box penetration test, the tester has extensive additional information, such as the test access data, the architecture/design documents, the communication matrix or the source code. This ensures efficient testing within a certain period of time or within a certain budget.
Our pentest portfolio: These are the types of penetration tests we offer
Would you like to have a component tested that is not listed here? We also offer customized services & solutions!
Holistic view of IT security in your company
In addition to a purely technical approach, we also offer comprehensive tests that focus on potential physical or human vulnerabilities.
Physical security
Pentests are usually automatically associated with the hacking of networks, systems and Co. But why all the effort when criminals can simply gain access to your company's security areas?
During a physical pentest, our experts check potential weak points in your building's access systems, such as locks, sensors or cameras. To gain unauthorized access to the company, they use tools such as copied access cards for doors or security gates.
Social Engineering – human security vulnerability
Social engineering aims to exploit human characteristics such as helpfulness, curiosity or trust in order to cleverly manipulate people.
To test your employees' security awareness for such attacks, our experts fake phone calls, send phishing emails or distribute prepared USB sticks, for example. They then evaluate in anonymized form how often a link was clicked on or a USB stick inserted. The aim is to raise awareness among all employees of manipulation using social methods.
How is a pentest carried out? – Exemplary project process
1.
Preparation & Kickoff
Clarification of technical and organizational specifics and the necessary requirements for carrying out penetration tests.
2.
Information Gathering & Analysis
Collection of essential information about the object of investigation (identification of components, data & functions).
3.
Performance of Penetration Tests
Examination with regard to attack surfaces and vulnerabilities (basis: criteria specified in the kick-off & information collected).
4.
Final Report
Summary of all audit results in the form of an individual & significant final report (no automatic generation).
Optional: Re-Test
After the test is before the test: Check whether the implemented improvement and defense measures are (effective) or repetition of pentests due to new releases.
Frequently asked questions (FAQ):
The duration of a pentest depends on various factors. For example, the test object and its complexity, the selected test depth and the procedure determine how many days a pentest takes. As a general rule, the more complex the object to be tested, the longer a pentest will take.
We would be happy to offer you a non-binding initial appointment.
With regard to penetration tests, the following applies: after the test is before the test. This means that pentests should always be an integral part of a holistic approach to IT security within a company. As attack methods are constantly evolving, this is the only way to ensure that networks, IT systems, web applications and mobile apps can withstand potential cyber attacks.
Basically, vulnerability scans and penetration tests pursue the same goal: to uncover potential vulnerabilities within the company's IT.
In contrast to penetration tests, however, vulnerability scans are software-supported and fully automated. They therefore provide basic findings regarding possible vulnerabilities and serve as a starting point for more in-depth checks such as penetration tests. However, as vulnerability scanners rely on databases with already known security vulnerabilities, they reach their limits, especially with self-developed applications.
Penetration tests are largely carried out manually by appropriately trained IT security experts. The focus here is primarily on more complex security vulnerabilities and the unauthorized exploitation of certain functions. Following the test, companies also receive a test report with specific recommendations for remedial action.
First things first: Penetration tests are generally not aimed at restricting availability. We only carry out denial of service attacks after consultation with the client. Nevertheless, in rare cases it can happen that availability is restricted during the procedure. In general, however, the focus is on identifying vulnerabilities. The risk of an interruption to business operations is kept as low as possible.
Unfortunately, there is no general answer to how much a pentest costs. The final cost depends on various factors such as the test object, test configuration and security level. We would be happy to provide you with a free, non-binding quote.
In general, a distinction can be made between external and internal penetration tests.
In an external pentest, the attack on systems and networks is carried out from outside / from the internet and therefore from the perspective of an external attacker. The focus here is on the question of how secure a company is against such attacks.
In an internal pentest, auditors have access to a company's internal infrastructure. This simulates the further actions of attackers who have succeeded in overcoming the external security measures and gaining access to the internal network.
Test item:
IT infrastructure penetration test | Possible targets are various systems and IT infrastructure components, e.g. web & email servers, VPN gateways, domain controllers or file & database servers. In addition, firewalls, switches, WLAN access points, virtualizations and complete network areas/infrastructures can also be checked for vulnerabilities. |
Web application penetration test | As part of penetration tests (incl. backend systems, web services & APIs), a web application is examined for the most critical or most frequently exploited security risks. |
App penetration tests | As part of penetration tests, a mobile Android / iOS app is automatically and manually examined for security vulnerabilities. The aim is to identify the most critical or most frequently exploited security risks for mobile apps. |
Social Engineering | Social engineering aims to exploit human characteristics such as helpfulness, curiosity or trust in order to cleverly manipulate people in this way. |
Test method:
Black box penetration test | In a black box pentest, the pentester does not receive any additional information about the test object in advance. This simulates a typical attacker who usually knows very little about their target. |
White box penetration test | In a white box pentest, the tester has extensive additional information, such as the test access data, the architecture/design documents, the communication matrix or the source code. This ensures efficient testing within a certain period of time or within a certain budget. |
Grey box penetration test | The grey box pentest is a mixture of a black and white box pentest. This means that the pentester already receives some information, such as test access data and (API) documentation, and determines the remaining information itself. |
Starting point:
External pentest | An external penetration test focuses on the question of how secure a company is against attacks from outside / from the Internet. |
Internal pentest | In an internal penetration test, the testers have access to the internal infrastructure of a company. This assumes either that an IT system or user account has been compromised from the outside or that an internal attack has been carried out by an employee. The pentest starts at this point and simulates the further course of action of an attacker. |
Before pentests can be carried out, the consent of the company to be tested is absolutely necessary. If this is not the case, it would be a criminal offense. Without prior, comprehensive clarification of the conditions, a pentest would be nothing more than an unauthorized hacker attack that could be punished. Therefore, the concluded contract must specify all modalities such as test period, test object and test depth.
In addition, only objects that clearly belong to the commissioning company may be inspected. For this reason, it should be clarified in advance which software services, such as cloud services, are not owned by the company so as not to infringe the property rights and/or copyrights of third parties. Alternatively, contractual agreements can be made with existing third-party providers or service providers before carrying out pentests.
The final report is always prepared by our experts individually and in an easily understandable way (no automatic generation) and contains at least the following information:
- Introduction: Brief description of the test object, aim of the pentest and documentation of special characteristics during the test.
- Management/Executive Summary: Summary of the results and assessment of the general security level.
- Risk assessment: Assignment of a degree of risk to each vulnerability (Informative, Low, Medium, High or Critical Risk), with which the criticality of the respective vulnerability is described.
- Clear presentation: Clear presentation of all identified vulnerabilities in a table as well as in a risk graph, which shows the number of vulnerabilities per risk level.
- Detailed description of the vulnerabilities & proof-of-concept: For each vulnerability, there is an individual description that shows exactly how the vulnerability was found and how it can be exploited by an attacker (proof-of-concept).
- Evaluation of automated tests: The results of the automated tests are evaluated by the TÜVIT experts, checked for false positives and then summarized in the report.
- Recommendation of measures to eliminate the vulnerability: For each vulnerability, there is a recommendation of measures to eliminate the vulnerability.
- References: If available, we provide references to vulnerability databases (e.g. CVE).
- Technical attachments: If available, further information and files on the tests carried out are provided as attachments, e.g. the raw results of the port and vulnerability scans.