Pentesting

One-off reality check
  • Seasoned professionals

    World-class security experts perform the pentest.

  • Go the extra mile

    Including code reviews, detection advice and more.

  • Fit your context

    Impact determination for your specific business context.

  • Actionable findings

    Implementation-ready advice, presented by real humans.


Why pentest?

You cannot evaluate your security if you do not test it. You will need a reality check to ensure that your priorities are correct and your risks are visible and controllable. Testing your own work is biased and therefore a risk in itself.

A pentest is a powerful tool for exposing security risks in your product and infrastructure at a given moment in time. It immediately increases knowledge and awareness, and provides you with actionable insights to defend against real-world threats.

The goal of a pentest

The purpose of a pentest (or penetration test) is to find out how vulnerable an application (online or mobile), a system, or a (cloud) infrastructure is to attacks from within and from outside. A vulnerable (web) application or insufficiently secure system can have far-reaching financial consequences or lead to reputational damage. A pentest answers the question: Is my application, system or infrastructure resistant to attacks?

The pentest takes place after the scope of the investigation has been established. Afterwards, the client receives an extensive report on the vulnerabilities our pentesters have found. The results are presented to the client in a 'Findings meeting', during which concrete proposals for improvement are made, so that targeted action can be taken to bring the security up to standard.


The attacker mindset

Cyber criminals do not follow the happy path that you have created. They are extremely creative at finding alternative ways into your system, and often succeed.

All our experts have this same attacker mindset. They are equipped with the capabilities and tools to perform highly sophisticated attacks to test your web app, mobile app, (cloud) infrastructure, phishing awareness or WiFi. They can write specific malware aimed at your organization and collaborate to identify the weak spots. All in an ethical and legally approved way.

They focus on the areas that matter for your business, explaining the ‘why’ and sharing concrete, actionable advice.

Your test options

  • Time-boxed

    Pentest based on low-hanging fruit and popular attacks that are relevant to your business.

  • Normal

    White box, grey box or black box pentest within your desired scope, including a presentation and detection advice.

  • Scenario-based pentest

    Test a scenario

    Extensive scenario-based pentest for the sophistication level of your choice.

Mobile roots

We were the first mobile security testers in the Netherlands. Reverse engineering and the attacker's mindset are deeply rooted in our DNA. Over the years this has enabled us to develop our own home-grown tools to speed up our testing process.

We are familiar with most SDKs, app protection, shielding solutions and OWASP standards.


Web app expertise

We have performed more than 1000 code reviews of web apps. Many of our team members used to work as developers; following their ambition, we helped them become hackers. By sticking to standards such as the OWASP Application Security Verification Standard (ASVS), we add structure and measurability to our process. We like to be very specific, so we do not stop at a report full of recommendations, but also provide the exact code fixes.


Type of pentest

There are three types of pentest: the black box pentest, the white box pentest and the grey box pentest. The difference lies mainly in the amount of information the pentest team has about the system to be tested.

  • White box pentest

    In a white box test, the tester receives all available information about the system to be tested in advance. This is the most thorough pentest and the most efficient way to perform the test. We prefer this variant, as it is where we can offer the most added value.

  • Grey box pentest

    The intermediate form is the grey box test, in which we receive limited information in advance. The attacker simulated here is comparable to a disgruntled (former) employee or a customer.

  • Black box pentest

    In this form, the pentester does not receive any information in advance about the application, system or IT environment to be tested. The level of knowledge of our pentest team here is comparable to that of a malicious outside hacker.

The White Box Pentest is the most thorough and therefore our preference. Since our pentesters then have access to the source code, they can get to the root causes of vulnerabilities and make targeted recommendations.

The Grey Box Pentest can be used to assess the security of an application or environment from the inside. With this variant, we usually only receive access to the environment and the associated accounts.

The Black Box Pentest is usually the least thorough variant. This is partly because a lot of time is spent investigating the unfamiliar environment.

Pentest process

The intake

The first step in performing a pentest is the intake interview. In this interview, the scope of the test is determined and agreements are made about the best approach, the methodology and the time frame in which the pentest takes place. Based on the intake interview, we prepare a quotation for the client.

The preparation

The preparation of the test consists of a detailed elaboration of the intake interview, including an inventory of the systems or environment to be examined. All relevant information is collected about the system with regard to users, IT architecture, network structure, accounts, source code, existing security and the like. In an internal kick-off meeting, the team comes together to discuss a strategy and devise attack scenarios.

The Pentest

The pentest takes place at the agreed time, within the previously established scope. Everything the pentesters do and encounter during their attack is accurately logged and documented. The organization under investigation is informed of the start and end of the test via so-called 'start/stop emails'. There is also the option of daily updates, with which the client is kept informed of the pentest team's findings during the test. If the team encounters a high-risk vulnerability during the pentest, the client is informed immediately. All findings, recommendations and conclusions are collected in an extensive report, which is presented to the client in a findings meeting.

After the pentest

After the pentest, depending on the findings and the risks exposed, there is more or less work to be done: vulnerabilities must be fixed and risks adequately reduced. Where necessary, we advise clients on fixing the vulnerabilities found and adjusting the software. It is recommended that, once the remediation phase is complete, the applications and systems are pentested again, to verify that the old problems have been solved and that no new ones have been introduced. In addition, an application that is under active development should be tested regularly to ensure that no new vulnerabilities have been introduced during development.
