What Penetration Testing is (to us).
Penetration Testing is a robust suite of manual tests, supported by customized tools, performed by teams of expert “ethical hackers” to identify weaknesses and exploit vulnerabilities in a system, network or software, so these risks can be eliminated or mitigated.
There are three different types of Penetration Tests—Black Box, Grey Box and White Box—and organizations will often combine different testing methodologies, depending on their goals and technology.
In a Black Box Penetration Test, an organization will be able to understand the level of risk they face from any type of malicious party (ranging from an inexperienced “script kiddie” to an exceptionally well resourced and skilled nation state) who has decided to focus their efforts on that organization, their clients, or their products.
In a Grey Box Penetration Test, we take an interactive, authenticated look at applications and/or infrastructure. Our testing is designed to determine how far we can escalate our privileges and exploit business logic and application weaknesses. Our goal is to show the end-to-end impact of these risks, so we can recommend appropriate actions to secure your assets.
In a White Box Penetration Test, we leverage any available system and application design information, along with privileged accounts, to fully explore all attack scenarios. This “open book” approach explores all of the application, infrastructure and environmental factors at length, in order to provide the most comprehensive set of recommendations to address present risks.
Our 7-step process
This isn’t your average pen test. It’s based on OWASP’s technical guidelines, with the option to add retesting and attestation as proof that your app or infrastructure is secure.
A robust discovery is critical to proper test scoping and useful results. We dig deep to understand your goals, your context, and the specific infrastructure, app or firmware you need to protect so nothing gets missed.
Our scoping documents are clear and comprehensive. They outline the tools, methods, timing, team and rationale so you understand exactly what to expect—plus the how, who, when, why and how much.
Depending on the type of penetration test you need, we do everything from scouring publicly available information and social media networks to investigating your internal and external footprints and even conducting covert onsite investigations, all to gather intelligence that could be used against you.
We identify all potential vulnerabilities, then take things to the next level by validating those vulnerabilities so you aren’t wasting resources rectifying vulnerabilities that don’t matter. We perform active and passive vulnerability testing and document all attack avenues in an attack tree.
This is where we use the information we’ve gathered to gain access to your systems. Options include cracking passwords, brute-force attacks, radio frequency access, VPNs and more. Once we’ve gained access, we see what activities we’re able to accomplish behind the scenes.
A Cycura penetration testing report tells you exactly what we discovered, explains the business impacts of different breaches and recommends actions to rectify vulnerabilities. Our reports are clearly written so they’re easily understood and acted on. Our goal is to empower your team to make changes or provide the information required to quickly engage with a partner to address issues.
Every testing engagement includes an invitation to discuss next steps, either for support in addressing vulnerabilities or confirmation that all issues have been rectified. We’re available for retesting and can provide proof, in the form of a legal attestation, that you can show to a prospective client or your COO.
Cycura’s penetration testing isn’t for everyone. Is it for you?
Find out with a free discovery.
© 2021 CYCURA Data Protection Corp.