Our testing and assessment methods include evaluation of IT infrastructure and of cyber-physical or OT infrastructure, applying black-box testing, testing from the perspective of an authorized user (grey-box), and analyzing the configuration of each infrastructure component and application (white-box or crystal-box).
For most large enterprises, websites and web applications are complex systems: they have a huge database behind them, as well as authentication, authorization and other convenience and security features. We create attacker models for the tested websites and web applications at the beginning of the examination and execute the test using these models. Our methodology is based on the OWASP standard, which we have extended based on our own experience and knowledge.
We can model all attacker models and all use cases on both iOS and Android operating systems. For Android, in addition to static analysis, we perform testing in emulated environments and in real physical environments on live devices. Our methodology covers a wide range of scenarios: we test in rooted, non-rooted and emulated environments. For iOS, we examine the application statically and also dynamically in a native environment. Mobile payment options have been increasing, and soft token solutions (enabling transactions with a mobile app) are becoming more common. We are prepared to test these on real devices in a realistic way.
We also carry out external and internal infrastructure tests. During an external examination, we check which services are running on the customer's public servers (mail, VPN, DNS, etc.) and whether these services are secure or can be exploited from the public Internet. In the case of an internal infrastructure test, the same tests are performed on the internal network only. In addition, on an internal network we also execute the common test cases and attack scenarios used against Windows environments.
Desktop applications are designed to meet specific business needs and therefore create specific security situations. Testing usually involves some kind of traditionally installed Windows application, which means that the testers need to be familiar with the deeper layers of the operating system and with both thick-client and thin-client testing.
IoT is a very new area within IT; not many people in the market understand it, but we have the expertise. An IoT examination has a physical part (whether the particular device is put together correctly), a communication part (checking all kinds of wired and wireless communication) and a software part (where the software running on the device is examined). For a traditional network-connected device or an IoT ecosystem with multiple components, the examination is extended with a smaller-scale infrastructure test.
In the case of mobile and desktop applications, the important business logic is not executed on the client side, but rather on the server side by an API server at the service provider. An API is a web-based service that does not have a website to visit, but it controls and ensures the flow of information to the relevant backend services. Logic flaws and other access control problems in an API that were not identified during the development phase need to be detected. These problems are usually much more severe than the weaknesses in the client-side components (mobile or desktop applications).
Detailed situation assessment, understanding the context of the analysis
Rapid investigation: we deliver something tangible very quickly
Our clients will also receive the results of the deep analysis later
We make suggestions for correcting errors and identify further action to be taken
We are integrated in the international academic network of mad scientists and IT security communities
Copyright 2024 Ukatemi Technologies Plc.