CREST approved
Payment card industry data security standard
ISO 27001 certified
ISO 9001 certified

Why choose Defense.com as your penetration testing company?

Competitive Pricing

Businesses of all sizes can benefit from a penetration test thanks to our competitive prices.

Dashboard reporting

Track your report findings, prioritise threats and access remediation advice within the Defense.com™ platform.

Certified Experts

Our penetration testers are certified by globally recognised bodies such as CREST and OSCP.

Free Vulnerability Scans

Protect your business all year round with 12 months of free vulnerability scans as part of your pen test package.

Penetration testing services delivered by experts

A complete range of penetration testing customized to your exact requirements.

Web application penetration testing

  • Expose vulnerabilities, misconfigurations and insecure functionality
  • Identify all critical security risks & weaknesses, including the OWASP Top 10
  • Multiple test types, including authenticated and API testing to understand every risk

Network & infrastructure pen tests

  • Test your network & infrastructure for weaknesses and security vulnerabilities
  • Comprehensive check of services, patch levels and configurations
  • Two key test types including external and internal testing

Mobile application penetration tests

  • Uncover vulnerabilities and insecure functionality with minimal disruption
  • Expose common cloud app weaknesses including external data sharing and vulnerable APIs
  • Identify all security risks, including the OWASP Top 10

Cloud penetration testing

  • Identify security threats, vulnerabilities and cloud misconfigurations
  • Expose weaknesses in your encryption & your supply chain
  • Assessment & testing for any cloud system: Amazon AWS, Google’s GCP, Microsoft Azure, IBM Cloud

Social engineering prevention services

  • Certified social engineers use recon & intelligence to simulate real-world hacking
  • Test your first line of defence to prevent phishing, vishing, and SMShing threats
  • Media baiting, impersonation and physical entry options available

Red team security testing

  • Identify and exploit gaps in physical, cyber, and technological defences
  • Comprehensive mix of pen testing, social engineering and physical intrusion
  • Real-world simulated attack to assess your threat detection & response capabilities

Penetration testing methodology

Most penetration testing follows a 6-step lifecycle:

CREST Certified
Certified Ethical Hacker (CEH)
CompTIA Cyber Security Analyst
Certified Information Security Manager (CISM)
Certified Information Systems Security Professional (CISSP)
Offensive Security Certified Professional (OSCP)

Our penetration testing team

We pride ourselves on building and developing the best cyber talent to ensure our service evolves as fast as the threat landscape. Our team of 30+ penetration testers is qualified against the leading industry standards and has years of experience delivering all types of penetration tests.

Defense.com™ Threat Management

Smart report delivery and remediation advice

After your penetration test, your report findings will be hosted in your secure Defense.com™ platform. Each vulnerability found during the test will be detailed along with actionable remediation advice.

In addition to your PDF report, each vulnerability highlighted during the test will be added to your Threat Dashboard so you can quickly identify, prioritise and remediate the threats affecting your business.


Protecting the world’s leading brands

Dell, Ocado, Agilico, Blue Zinc

Get a quote today

If you’re interested in our services, get a free, no obligation quote today by submitting your requirements via the form below.

For more information about how we collect, process and retain your personal data, please see our privacy notice.

Penetration testing FAQs

Penetration testing, or pen testing, assesses the security of your IT infrastructure by methodically testing your systems and applications. Pen tests are carried out by skilled ethical hackers, called penetration testers, to find weaknesses and misconfigurations in your cyber security that could put your business at risk.

Penetration testing enables you to quickly find your security flaws, giving you the chance to fix them before a hacker exploits them. Penetration testing is highly beneficial to businesses of all sizes:

  • Keep hackers out of your infrastructure
  • Prevent data breaches
  • Increase customer confidence in your services
  • Enhance your reputation
  • Follow security best practices
  • Meet your compliance obligations

Regular penetration testing is a fundamental part of running a modern business. Cyber attacks increase steadily year-on-year across all markets and sectors, making pen testing a core consideration for businesses of all sizes.

In addition to keeping safe from cyber criminals, pen testing can help to increase customer confidence in your services. Regular penetration testing from a reputable provider such as Defense.com™ demonstrates that you take security seriously, which will prove to your existing and prospective customers that you can be trusted with their data.

There are many different types of penetration tests available. The scope of your test will depend on exactly what systems or applications you are looking to check. Here are some common types:

  • Infrastructure pen test

    Infrastructure pen testing, also known as network pen testing, focuses on the hardware, firmware, and operating systems in your IT estate. This includes things like servers, network devices, and virtualized environments.

  • Application pen test

    Application penetration tests focus on applications that are hosted on the underlying infrastructure, rather than the infrastructure itself. This could be web apps and APIs, or it could be mobile apps, such as iOS and Android penetration testing.

  • Cloud pen test

    Cloud penetration testing audits the security of your cloud-based infrastructure, applications and services. AWS, Azure and GCP-hosted systems are the most commonly tested.

  • Internal/authenticated

    Internal infrastructure or authenticated application tests simulate the damage a malicious attacker could do if they were to breach your network perimeter or phish login credentials for an application. It’s a much more involved test, and also models the impact of a rogue employee or other insider threat.

  • External/unauthenticated

    External infrastructure or unauthenticated application tests explore what damage a malicious hacker could achieve without privileged access. It’s a quicker test that models the more common ‘opportunistic’ type of threat actor.

A Defense.com™ penetration testing engagement is split into several distinct stages:

  1. Pre-engagement

    This is where the scope is discussed and defined, and the ultimate goals of the pen test are analysed and set. This stage will determine the types of testing activities and is essential for a professional and productive test outcome.

  2. Intelligence gathering

    Reconnaissance is performed to gather as much information as possible on the target systems. This data then informs what types of attack vectors the pen test will make use of.

  3. Vulnerability analysis

    This stage seeks to uncover every security flaw in the target networks/systems/applications (as appropriate), using both passive mechanisms and active scans.

  4. Exploitation

    This is where the vulnerabilities discovered in the previous phase are exploited in an attempt to gain access. It can involve a mix of pre-made and bespoke tools, and is where the insight and ingenuity of the pen tester comes into play.

  5. Post-exploitation

    Here the worth of the compromised targets is assessed, both in their own terms and as opportunities to escalate privileges and pivot to more valuable systems. Crucially, compromised targets will be cleaned of any tools used during the exploitation phase to ensure that security is not harmed by the pen test activities.

  6. Reporting

    Having a good report is the key to getting good value from a penetration test engagement. Defense.com™ reports are split into Executive Summary and Technical Breakdown sections, and include crucial remediation advice.

The detail in pen test reports should include:

  • All risks based on the current server/application setup/configuration
  • Vulnerabilities and running services for the servers and applications
  • What has been done to exploit each security issue
  • Remediation steps
  • Near-term and long-term actions
  • Vulnerabilities that cannot be exploited must also be included in the final report

It’s a good idea to seek a sample report before engaging a pen test provider – this way you’ll know what you can expect to receive. If a report is full of jargon and difficult to decipher, its use to you is limited. Defense.com™ follows best-practice standards for undertaking a pen test, including OWASP and PTES.

When defining a penetration test, it is important to define how much information is disclosed up-front, also known as the box colour:

  • Black Box

    A black box test is where almost nothing is known about the target environment ahead of the test. Whilst this puts the tester in a similar position to a real-world hacker, it means precious test time is wasted on simple discovery tasks.

  • White Box

    A white box test is where everything about the environment, possibly even the source code, is known by the pen tester ahead of the test. Whilst this has the potential to make for a very thorough test, it’s not reflective of a real-world hack, and can cause the scope to become diluted.

  • Grey Box

    There’s also a third option: as the name implies, a grey box test is a mix of white and black box tests, where the pen tester has limited information about the target environment. This is a ‘best-of-both-worlds’ approach and often leads to tests with the best – and most cost-effective – outcomes.

Yes! At Defense.com™ we have qualified pen testers with a wide range of experience in all kinds of infrastructure, network, application and cloud penetration testing. No matter what your security objective, get in touch with our friendly team for a fast, accurate quote.