Penetration Testing

Penetration Testing Icon

A penetration test is an authorized, time-constrained cyberattack utilizing the same tactics, techniques, and procedures as an adversary might. The objective is to exploit the identified vulnerabilities to achieve a predefined goal, such as access to sensitive information, accounts, etc., and report the exploitation steps to strengthen the security posture and prevent cyberattacks by a malicious actor. Depending on the scope and perspective penetration tests are:

  • External: the attack is conducted from the perspective of an outside threat actor leveraging techniques such as open-source intelligence (OSINT), credential stuffing, social engineering, etc.;
  • Internal: the attack is conducted from the perspective of an inside threat actor, leveraging internal resources and insider knowledge;
  • Application: the starting point of the attack is a particular application - an API, web application, mobile application, etc.;
Penetration Testing Audit

The Methodology

Our methodology is based on the NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, and OWASP Testing Guide and consists of the following stages:

  • Reconnaissance: gathering information about the target - network topology, technology stack, software architecture, etc.;
  • Enumeration: analyzing the testing scope utilizing the intelligence information from the previous stage;
  • Vulnerability Assessment: utilizing the accumulated information to identify potential security weaknesses for exploitation;
  • Exploitation: exploiting the identified vulnerabilities to accomplish advancement to the goal;
  • Reporting: thoroughly documenting each attack vector employed during the test and present it to the relevant stakeholders.