THE PROBLEM

Historically, internal networks have been considered the secure enclave. But modern threat landscape is changing this attitude, also reflected in Zero Trust model that is based on perimeter-less defense paradigm. Just look at social engineering – more than 80% of successful attack started with some sort of social engineering. Internal user being tricked into revealing her credentials or other secrets, effectively letting intruder into the corporate network regardless of network architecture.

 

As companies adopt to market changes, undergo M&A cycles and implement new solutions, corporate networks become layered with defensive solutions resulting in non-transparent, sparsely documented and costly to maintain infrastructure. Chasing next business requirement, it is never a good time to look back, reassess and realign.

Solution

We provide full spectrum of cyber security testing services, independent from relevant software developers and can support customers choosing the most optimum for their needs without relying on marketing buzzwords.

IT infrastructure penetration testing service is one of the possible services.

 

We offer on-prem and cloud-based infrastructure penetration testing and network security assessment for one or more of the following scenarios:
  • Internal network vulnerability assesment.
  • Internal network penetration testing from infected/evil workstation perspective.
  • Internal network penetration testing from compromised account perspective.
  • Remote access (VPN, MFA, etc..) solution pen test and network security assessment.
  • Active Directory pen test and security assessment.
  • Your Company’s standardized workstation pen testing and configuration security assessment.
  • Physical access control system pen testing and assessment.

hOW?

During security testing, we first create a threat matrix according to your risk profile and then evaluate attack vectors based on relevance to the risk profile.

Skilled penetration testers focus on the most relevant risks to find weaknesses in your systems.

Testing is done in black box or grey box format and accounts with various levels (from user to administrator) are required for grey box test scenarios.

For infrastructure assessment, we have developed checklists based on best practices and recommendations from vendors.

 

Penetration testing report is final deliverable, it includes results from all testing scenarios and:
  • the management summary, which will summarize the findings for the non-technical audience,
  • technical report, which will cover the technical findings of the audit in depth and in full detail:

 

Our report will give you a roadmap for improving security of the service and prioritized risk and remediation task list according to impact on company and customer data.

Our unique differentiators

Each of our tests is prepared by at least two experts and quality control of the results shall be ensured. Reports only include vulnerabilities that have been verified manually. As part of quality control, the risk levels, evidence, and completeness of the recommendations previously attributable to the vulnerabilities are assessed.

Q&A

How penetration testing is different from vulnerability assessment?

Vulnerability assessment is the process of using automated professional tools to detect, categorize, and score vulnerabilities existing in a system. Penetration testing refers to the active exploitation of vulnerabilities to determine their severity, applicability to system in scope, potential for causing damage to customer business. Manual penetration testers can ensure zero false positives. However, vulnerability scanning is an important part of penetration testing.

How penetration testing is different from red-teaming?

There is no single “correct” definition for “red-teaming”. Usually, the goal of a pen-test is to find as many vulnerabilities as possible, try to exploit them, and access each vulnerability’s risk level. A red-team testing goal is to find one way in, exploit it and then escalate laterally through your system to access the most valuable data. Often, “red-teaming” is also associated with longer, higher fidelity, stealthy engagements with only very few restrictions for methods and tactics. As such, red-teaming mimics very determined, focused attacker.