Penetration Testing – Have an Ethical Hacker try and crack your systems

What is penetration testing?

Penetration testing, also known as pen testing, is a detailed test of your IT infrastructure security performed by specially trained and qualified ethical hackers – called penetration testers. Penetration tests simulate a real-world attack by a skilled hacker by methodically testing your applications and infrastructures for security weaknesses. Unlike a real attack, pen tests are conducted in an authorized, orderly and safe manner.

Penetration tests typically check for misconfigurations, outdated software and logical flaws. Pen testers will also look for ways to escalate privileges if they manage to gain access, making it important that even low-level systems are included in a pen test scope.

Benefits of penetration testing

Penetration testing enables you to quickly find your security flaws, giving you the chance to fix them before a hacker exploits them. Penetration testing is highly beneficial to businesses of all sizes:

  • Keep hackers out of your infrastructure
  • Prevent data breaches
  • Increase customer confidence in your services
  • Enhance your reputation
  • Follow security best practices
  • Meet your compliance obligations

Penetration testing in Defense.com

A complete range of penetration testing customised to your exact requirements.

Web application penetration testing

  • Uncover vulnerabilities and insecure functionality
  • Identify all security risks, including the OWASP Top 10
  • Multiple test types, including authenticated and API testing
  • Proven track record for exposing security flaws

Network & infrastructure penetration testing

  • Test your network & infrastructure for weaknesses
  • Check services, patch levels and configurations
  • Multiple test types, including external and internal testing
  • Established pedigree for exposing vulnerabilities

Mobile application penetration testing

  • Uncover vulnerabilities and insecure functionality
  • Identify all security risks, including the OWASP Top 10
  • Multiple test types, including authenticated and API testing
  • Proven track record for exposing security flaws

Cloud penetration testing

  • Uncover vulnerabilities and insecure functionality
  • Identify all security risks, including the OWASP Top 10
  • Multiple test types, including authenticated and API testing
  • Proven track record for exposing security flaws

Social engineering prevention services

  • Uncover vulnerabilities and insecure functionality
  • Identify all security risks, including the OWASP Top 10
  • Multiple test types, including authenticated and API testing
  • Proven track record for exposing security flaws

Red team security testing

  • Uncover vulnerabilities and insecure functionality
  • Identify all security risks, including the OWASP Top 10
  • Multiple test types, including authenticated and API testing
  • Proven track record for exposing security flaws

The most comprehensive security bundle available

Enterprise security shouldn’t have to be expensive, so we include many powerful features as standard.

Evaluate your external-facing systems for security vulnerabilities with expert testers who work with you to strengthen your security perimeter. Easily track your results and remediations from your Threat Dashboard.
Live data from penetration tests, VA scans and threat intelligence against your assets feeds into a central dashboard, showing you exactly where your critical risks lie and the severity of each threat.
Train your staff to spot malicious emails and test your incident response plan regularly with our easy-to-use phishing campaign tool. Fully managed phishing campaigns can also be built to suit your own tailored requirements (Business package only).
It’s best practice to run regular vulnerability scans to complement your pen testing schedule. This feature makes it easy for you to schedule regular scans or perform a quick on-demand test.
Security analysts search your systems’ logs to provide real-time analysis of security alerts from your network and applications, including Office365. Choose our full managed service for 24/7 proactive protection.
Advanced anti-virus and anti-malware gives you peace of mind that every workstation, server, mailbox and mobile device is protected at all times.
Engaging video training that covers all the essential security topics is combined with exams to ensure your staff are fully trained and tested. In addition, you can get access to live instructor-led training from fully qualified security experts.
Get a comprehensive audit of your business against the government backed Cyber Essentials scheme. Conducted by expert consultants, you can be confident you have the right technical controls in place.

The most comprehensive security packages available

Choose a Defense.com™ package with a penetration test to evaluate your external-facing systems against known and unknown vulnerabilities. You can identify threats and take action to strengthen your security perimeter and prevent data breaches.

Certified pen testers

All of our penetration testers are experts in their field, and hold industry-recognized qualifications such as CREST, OSCP, CISSP and more.

Comprehensive reports

Receive a detailed report showing the results of your pen test. Any threats are automatically added to your Defense.com™ Threat Dashboard for remediation.

Fast delivery

Security shouldn’t wait, so your penetration test will be scheduled quickly at a time that suits you. Reports are delivered within 7 days of a completed test.

Support is always on-hand

Expert Consultancy

Security consultants will be on-hand to help you strategize, set action plans and review policies.

Security Helpline

Around the clock support to ensure you are getting the best protection from every feature.

Panic Button

24/7 emergency support for security events, cyber incidents, and data breaches.

Frequently Asked Questions

Regular penetration testing is a fundamental part of running a modern business. Cyberattacks increase steadily year-on-year across all markets and sectors, making pen testing a core consideration for businesses of all sizes.

In addition to keeping safe from cyber criminals, pen testing can help to increase customer confidence in your services. Regular penetration testing from a reputable provider such as Defense.com™ demonstrates that you take security seriously, which will prove to your existing and prospective customers that you can be trusted with their data.

There are many different types of penetration tests available. The scope of your test will depend on exactly what systems or applications you are looking to check. Here are some common types:

  • Infrastructure pen test

    Infrastructure pen testing, also known as network pen testing, focuses on the hardware, firmware, and operating systems in your IT estate. This includes things like servers, network devices, and virtualized environments.

  • Application pen test

    Application penetration tests focus on applications that are hosted on the underlying infrastructure, rather than the infrastructure itself. This could be web apps and APIs, or it could be mobile apps, such as iOS and Android penetration testing.

  • Cloud pen test

    Cloud penetration testing audits the security of your cloud-based infrastructure, applications and services. AWS, Azure and GCP-hosted systems are the most commonly tested.

Internal/authenticated

Internal infrastructure or authenticated application tests simulate the damage a malicious attacker could do if they were to breach your network perimeter or phish login credentials for an application. It’s a much more involved test, and also models the impact of a rogue employee or other insider threat.

External/unauthenticated

External infrastructure or unauthenticated application tests explore what damage a malicious hacker could achieve without privileged access. It’s a quicker test that models the more common ‘opportunistic’ type threat actor.

A Defense.com™ penetration testing engagement is split into several distinct stages:

  1. Pre-engagement

    This is where the scope is discussed and defined, and the ultimate goals of the pen test are analyzed and set. This stage will determine the types of testing activities and is essential for a professional and productive test outcome.

  2. Intelligence gathering

    Reconnaissance is performed to gather as much info as possible on the target systems. This data then informs what types of attack vectors the pen test will make use of.

  3. Vulnerability analysis

    This stage seeks to uncover every security flaw in the target networks/systems/applications (as appropriate), using both passive mechanisms and active scans.

  4. Exploitation

    This is where the vulnerabilities discovered in the previous phase are exploited in an attempt to gain access. It can involve a mix of pre-made and bespoke tools, and is where the insight and ingenuity of the pen tester come into play.

  5. Post-exploitation

    Here the worth of the compromised targets is assessed, in their own terms and as opportunities to escalate privileges and to pivot to more valuable systems. Crucially, compromised targets will be cleaned of any tools used during the exploitation phase to ensure that security is not harmed by the pen test activities.

  6. Reporting

    Having a good report is the key to getting good value from a penetration test engagement. Defense.com™ reports are split into Executive Summary and Technical Breakdown sections, and they include crucial remediation advice.

The detail in pen test reports should include:

  • All risks based on the current server/application setup/configuration
  • Vulnerabilities and running services for the servers and applications
  • What has been done to exploit each security issue
  • Remediation steps
  • Near-term and long-term actions
  • Vulnerabilities that cannot be exploited must also be included in the final report

It’s a good idea to seek a sample report before engaging a pen test provider – this way you’ll know what you can expect to receive. If a report is full of jargon and difficult to decipher, its use to you is limited. Defense.com™ follows best-practice standards for undertaking a pen test, including OWASP and PTES.

When defining a penetration test, it is important to define how much information is disclosed up-front, also known as the box color:

  • Black Box

    A black box test is where almost nothing is known about the target environment ahead of the test. Whilst this puts the tester in a similar position to a real-world hacker, it means precious test time is wasted on simple discovery tasks.

  • White Box

    A white box test is where everything about the environment, possibly even the source code, is known by the pen tester ahead of the test. Whilst this has the potential to make for a very thorough test, it’s not reflective of a real-world hack, and can cause the scope to become diluted.

  • Gray Box

    There’s also a third option; as the name implies, a gray box test is a mix of white and black box tests, where the pen tester has limited information about the target environment. This is a ‘best-of-both-worlds’ approach and often leads to tests with the best – and most cost effective – outcomes.

Yes! At Defense.com™ we have qualified pen testers with a wide range of experience in all kinds of infrastructure, network, application and cloud penetration testing. No matter what your security objective, get in touch with our friendly team for a fast, accurate quote.

Request a scoping call

Have one of our expert pen testers scope out your project and provide you with a detailed quotation to your exact requirements.

Protecting the world’s leading brands and SMBs

  • Ocado
  • Safety Services Company
  • Dell
  • Blue Zinc

Feedback from Paymentsense

We’ve always been very impressed with the cyber security services provided to us. Their professional approach, knowledge and flexibility have ensured they have become a key trusted partner in our supply chain.