Penetration Testing

One of the most effective ways to identify security weaknesses in your system is to have us perform a penetration test (aka pentest). During a pentest, we simulate a hacker who is trying to gain access to your system. While we customize penetration tests for each client and scenario, pentests generally help answer questions like:

  • Can an outsider gain access to company data with little/no knowledge of our network?
  • Are my firewalls and defense systems properly configured?
  • How can I strengthen our network to minimize risk?

Penetration tests are a critical component of comprehensive security audits and may be required for compliance.

Before the Pentest

First, we set clear goals for both the client and the simulated hacker. For example, if you want to ensure your WiFi networks are properly isolated in a DMZ, away from sensitive company data, we will design the penetration test assuming a hacker will try to compromise the WiFi network. We can operate in a black box environment (the hacker knows little/nothing about your network) or in a white box environment (the hacker has some knowledge, like a subcontractor or employee would). From these goals, we craft a scenario that establishes how we will operate during the test, sets the parameters for success, and specifies what measures are off limits. We will also establish when the test should take place.

During the Pentest

We will attempt to gain access to your system according to the scenario. Our security experts use hacker-grade tools and utilities, attempt to exploit known vulnerabilities, and take other steps to bypass your security controls, including social engineering and phishing efforts. The test ends when we successfully breach the network and gain access to the target or run

After the Pentest

We will write a report of exactly what we did, what the results were, and any applicable next actions (e.g., close X port). Our reports include summaries that do not require IT knowledge; we will also deliver specifics that help your IT staff or provider make adjustments and understand exactly where we found security vulnerabilities.