Comprehensive penetration testing services delivered by certified experts

Penetration or pen testing, assesses your IT infrastructure security by methodically testing your systems and applications. Pen tests are carried out by skilled ethical hackers, called penetration testers, to find weaknesses and misconfigurations in your cyber security that could put your business at risk.

Penetration testing enables you to quickly find your security flaws, giving you the chance to fix them before a hacker exploits them. Penetration testing is highly beneficial to businesses of all sizes:

• Keep hackers out of your infrastructure
• Prevent data breaches
• Increase customer confidence in your services
• Enhance your reputation
• Follow security best practises
• Meet your compliance obligations

Regular penetration testing is a fundamental part of running a modern business. Cyber attacks increase steadily year-on-year across all markets and sectors, making pen testing a core consideration for businesses of all sizes.

In addition to keeping safe from cyber criminals, pen testing can help to increase customer confidence in your services. Regular penetration testing from a reputable provider such as Defense.com™ demonstrates that you take security seriously, which will prove to your existing and prospective customers that you can be trusted with their data.

Internal/authenticated

Internal infrastructure or authenticated application tests simulate the damage a malicious attacker could do if they were to breach your network perimeter or phish login credentials for an application. It’s a much more involved test, and also models the impact of a rogue employee or other insider threat.

External/unauthenticated

External infrastructure or unauthenticated application tests explore what damage a malicious hacker could achieve without privileged access. It’s a quicker test that models the more common ‘opportunistic’ type threat actor.

A Defense.com™ penetration testing engagement is split into several distinct stages:

1. Pre-engagement

   This is where the scope is discussed and defined, and the ultimate goals of the pen test are analysed and set. This stage will determine the types of testing activities and is essential for a professional and productive test outcome.

2. Intelligence gathering
   Reconnaissance is performed to gather as much info as possible on the target systems. This data then informs what types of attack vectors the pen test will make use of.
3. Vulnerability analysis
   This stage seeks to uncover every security flaw in the target networks/systems/applications (as appropriate), using both passive mechanisms and active scans.
4. Exploitation
   This is where the vulnerabilities discovered in the previous phase are exploited in an attempt to gain access. It can involve a mix of pre-made and bespoke tools, and is where the insight and ingenuity of the pen tester comes into play.
5. Post-exploitation
   Here the worth of the compromised targets is assessed, in their own terms and as opportunities to escalate privileges and to pivot to more valuable systems. Crucially, compromised targets will be cleaned of any tools used during the exploitation phase to ensure that security is not harmed by the pen test activities.
6. Reporting

   Having a good report is the key to getting good value from a penetration test engagement. Defense.com™ reports are split into Executive Summary and Technical Breakdown sections, and it includes crucial remediation advice.

The detail in pen test reports should include:

• All risks based on the current server/application setup/configuration
• Vulnerabilities and running services for the servers and applications
• What has been done to exploit each security issue
• Remediation steps
• Near-term and long-term actions
• Vulnerabilities that cannot be exploited must also be included in the final report

It’s a good idea to seek a sample report before engaging a pen test provider – this way you’ll know what you can expect to receive. If a report is full of jargon and difficult to decipher, its use to you is limited. Defense.com™ follows best–practice standards for undertaking a pen test, including OWASP and PTES.

When defining a penetration test, it is important to define how much information is disclosed up-front, also known as the box colour:

• Black Box

  A black box test is where almost nothing is known about the target environment ahead of the test. Whilst this positions the tester in a similar position to a real-world hacker, it means precious test time is wasted on simple discovery tasks.

• White Box

  A white box test is where everything about the environment, possibly even the source code, is known by the pen tester ahead of the test. Whilst this has the potential to make for a very thorough test, it’s not reflective of a real-world hack, and can cause the scope to become diluted.

• Grey Box

  There’s also a third option; as the name implies, a grey box test is a mix of white and black box tests, where the pen tester has limited information about the target environment. This is a ‘best-of-both-worlds’ approach and often leads to tests with the best – and most cost effective – outcomes.

Yes! At Defense.com™ we have qualified pen testers with a wide range of experience in all kinds of infrastructure, network, application and cloud penetration testing. No matter what your security objective, get in touch with our friendly team for a fast, accurate quote.