A vulnerability assessment seeks to establish an entity’s risk threatscape and baseline security posture through, typically, scanning a scope asset set. A penetration test takes this a step further and analyzes the real world likelihood of exploitation and attempts to actualize a measurable result. Let’s take entering a house - imagine the vulnerability assessment as understanding that a door exists and someone may enter through it. A penetration test take it a step further by entering the door and conveying the true impact of the exploitative event that just occurred.

Ensure appropriate situational awareness in line with the type of penetration test or engagement type. For example, red team engagements may seek to test specific responder Service Level Agreements (SLAs) or seek to determine the threshold for detecting exploitation from an organizational level. In these instances, notifications to local defenders may not be required.

Conversely, a Grey or Whitebox penetration test may seek a more guided objective of holistically finding all possible vulnerabilities. In this instance, custodians of the servers, networks and devices in scope may be required to ensure no disruption to testing occurs.

Penetration tests can last as long as is set forth by the SLA within the contract proposed and signed. Depending on the scope and level of effort involved, penetration testing may last a few days, a month or even a year (e.g. testing of 400,000 assets).

Yes, depending on the service type being requested. We are passionate about what we do and want to ensure the true posture of the environment post initial analysis is captured in the penetration testing window allotted.

Every engagement is different but the key methodology components we seek to assert is the impact of implementing least privilege and a strong defense in depth strategy. Item description.

We take a hybrid approach and use a mix of:

• NIST 800.53
• OWASP v4 Testing Guide
• OWASP Top 10 API/Web/Mobile
• MITRE ATT&CK Framework
• PTES

Our staff have numerous world renounced cybersecurity certifications from vendors such as (ISC)2, Offensive Security, Amazon Web Services (AWS), EC-Council and GIAC (SANS). These certifications can be found on our Certifications page.

We focus on Impact vs Likelihood as well as the impact of vulnerability exploitation based on your company’s specific industry. If an attacker needs to jump multiple access points, authorization and authentication mechanisms to exploit a high impact vulnerability, the likelihood may be low but the impact is naturally high. This would result in a lowered finding.

Conversely, if said vulnerability were found externally without any or weak safeguards to stop exploitation, it would be deemed Critical. Item description

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.