
An External Assessment performs the following CVE & OWASP tests against a public-facing IP asset:

  1. CVE and KPR vulnerability scans of infrastructure
  2. OWASP scans of visible or hidden applications
  3. DNS validation & security review
  4. SQL Injection of all forms
  5. Authentication bypass attempts on Server
  6. Authentication bypass attempts on Applications
  7. Authentication bypass attempts on VPN
  8. Authentication bypass attempts on WAF
  9. Authentication bypass attempts on DDoS mitigation

Based on the industry requirements, the external assessment will use one or more of the NIST, OWASP, GDPR, PCI-DSS and SWIFT risk management frameworks, using the CSM, CVE & KPR references.

An Internal Assessment performs the following CVE & OWASP tests against a private-network IP asset, carried out from within the network:

  1. CVE and KPR vulnerability scans of infrastructure
  2. OWASP scans of visible or hidden applications
  3. DNS validation & security review
  4. SQL Injection of all forms
  5. Authentication bypass attempts on Server
  6. Authentication bypass attempts on Applications
  7. Authentication bypass attempts on VPN
  8. Authentication bypass attempts on WAF
  9. Authentication bypass attempts on DDoS mitigation

Based on the industry requirements, the internal assessment will use one or more of the NIST, OWASP, GDPR, PCI-DSS and SWIFT risk management frameworks, using the CVE & KPR references.

A Web Application Assessment performs OWASP testing, API checks and a review against coding best practices.

The latest OWASP Top 10 categories are:

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery (SSRF)

Based on the industry requirements, the Web Application Assessment will use one or more of the OWASP, GDPR, PCI-DSS, HIPAA and SWIFT risk management frameworks.

The Social Engineering assessment first scans all publicly available data sources to build a picture of your Company's publicly exposed data. Press releases, company and private social media accounts are examined for exploitable resources.

Once a baseline is established, a phishing campaign is crafted to test your Company's resilience to these attacks, either as a one-off exercise, semi-annually or annually.

Industry best practices for Social Media usage, DNS configuration and DMARC / DKIM email practices are used as the reference frameworks.

While convenient for user access and mobility, wireless is one of the most susceptible communication methods and protocols.

A wireless assessment is performed covering:

  1. WAP location
  2. Physical security
  3. Rogue intrusion
  4. Man in the Middle
  5. Encryption practices
  6. SSID assignment and grouping
  7. Password management

Industry best practices for creating a Trusted Wireless Environment (TWE) and for DNS configuration are used as the risk frameworks, along with the CVE & KPR reference frameworks.

The Physical assessment can cover a multitude of areas, including:

  1. Security and Loss management for mobile devices & laptops
  2. ID and Access management controls
  3. Physical security of buildings
  4. Physical security of work areas
  5. Physical security of data centers
  6. Physical security of data backup storage
  7. Warehouses & surrounding/neighboring facilities
  8. High risk or hazardous material storage
  9. Logistics risks in transporting or receiving high-risk or hazardous material
  10. Environmental risks

ISO 27000 and 14000 series standards are used as the reference frameworks for the analysis.

Using your Company name and domains / websites, Deep Web data sources and Dark Web marketplaces are searched for data associated with your domain, trade name and personnel, including password and credit card breaches.

Once the baseline is established and any findings immediately remediated, this becomes a continuous monitoring service for 12 months (or until terminated), with immediate notification of any future risks.