Pentesting

One-off reality check
Research
  • skilled pentest professionals

    Seasoned professionals

    World-class security experts perform the pentest.

  • pentest including code reviews

    Go the extra mile

    Including code reviews, detection advice and more.

  • impact determination

    Fit your context

    Impact determination for your specific business context.

  • pentest findings

    Actionable findings

    Implementation-ready advice, presented by real humans.

What is a Pentest?

A pentest (or penetration test) is an authorized way to break into IT infrastructures of organizations, bypass security systems and thus identify vulnerabilities and risks.

Pentesters, also known as ethical hackers, perform these pentests. The objective of a pentest is to map the vulnerabilities present in the security systems so that those systems can be protected against attacks by, among others, cyber criminals. Employees are not always aware of the authorized attack. This also provides valuable information about the resilience of the organization: whether an attack is detected and how your own employees respond to it.

In the current climate of real opportunities for cyber attacks, regular pentesting is a must for organizations to continuously increase their resilience.

Securify conducted high-quality and in-depth research for Payt, which revealed findings that had not previously been found.

Herman Hiddema - Payt

Why pentest?

You cannot evaluate your security if you do not test it. You will need a reality check to ensure that your priorities are correct and your risks are visible and controllable. Testing your own work is biased and therefore a risk in itself.

A pentest is a powerful tool for exposing security risks in your product and infrastructure at a certain moment in time. It immediately increases knowledge & awareness, and provides you with actionable insights to defend against real-world threats.

The goal of a pentest

The purpose of a pentest (or penetration test) is to find out how vulnerable an application (online or mobile), a system, or a (cloud) infrastructure is to attacks from within and from the outside. A vulnerable (web) application or insufficiently secure system can have far-reaching financial consequences or lead to reputational damage. A pentest answers the question: is my application, system or infrastructure resistant to attacks?

The pentest takes place after the scope of the investigation has been established. Afterwards, clients receive an extensive report on what vulnerabilities our pentesters have found. The results are presented to the client in a 'Findings meeting', during which concrete proposals for improvements are made, so that targeted action can be taken to bring the security up to standard.


The attacker mindset

Cyber criminals do not follow the happy path that you have created. They are extremely creative at finding alternative ways into your system, and often succeed.

All our experts have this same attacker mindset. They are equipped with the capabilities and tools to perform highly sophisticated attacks to test your web app, mobile app, (cloud) infrastructure, phishing awareness or WiFi. They can write specific malware aimed at your organization and collaborate to identify the weak spots. All in an ethical and legally approved way.

They focus on the areas that matter for your business, explaining the ‘why’ and sharing concrete, actionable advice.

Your test options

  • Pentest based on low-hanging fruit

    Time-boxed

    Pentest based on low-hanging fruit and popular attacks that are relevant to your business.

  • White-box, grey-box or black-box pentest

    Standard

    White box, grey box or black box pentest within your desired scope, including a presentation and detection advice.

  • Scenario based pentest

    Scenario Based Pentest

    Test a scenario

    Extensive Scenario Based Pentest based on a relevant scenario that fits your organization.

    Scenario based ➤

Mobile roots

We are the first mobile security testers in the Netherlands. Reverse engineering and the attacker’s mindset are deeply rooted in our DNA. Over the years this has enabled us to develop our own home grown tools to speed up our testing processes.

We are familiar with most SDKs, app protection, shielding solutions and OWASP standards.


Web app expertise

We have performed more than 1000 code reviews of web apps. Many of our team members used to work as developers. Following their ambition, we helped them to become hackers. By sticking to standards like OWASP Security Verification Standard (ASVS), we add structure and measurements to our process. We like to be super specific, so we do not end with a report filled with recommendations, but also provide the exact code fixes.

Request a quote

Type of pentest

There are three types of pentests: the Black Box Pentest, the White Box Pentest and the Gray Box Pentest. The difference lies mainly in the amount of information the pentest team has about the system to be tested.

  • White box pentest

    White Box pentest

    In a White Box test, the tester receives all possible information about the system to be tested in advance. This is the most thorough pentest and the most efficient way to perform the test. Securify prefers this variant because we can offer the most added value.

  • Grey box pentest

    Grey Box pentest

    The intermediate form is the Gray Box test, in which we receive limited information in advance. The level of access simulated here is comparable to that of a disgruntled (former) employee or a customer.

  • Black box pentest

    Black Box pentest

    In this form, the pentester does not receive any information in advance about the application, the system or the IT environment to be tested. The level of knowledge of our pentest team here is comparable to that of a malicious hacker.

The White Box Pentest is the most thorough and therefore our preference. Since our pentesters have access to the source code, they can get to the root causes of vulnerabilities and make targeted recommendations.

The Grey Box Pentest can be used to assess the security of an application or environment from within. With this variant, we usually only get access to the environment with the associated accounts.

The Black Box Pentest is usually the least thorough variant. This is partly because a lot of time is spent investigating the unfamiliar environment.

Pentest process

The intake

The first step in performing a pentest is the intake interview. In this the scope of the test is determined and agreements are made about the best approach, methodology and the time frame in which the pentest takes place. Based on the intake interview, we make a quotation for the client.

The preparation

The preparation of the test consists of a detailed elaboration of the intake interview, including an inventory of the systems or environment to be examined. All relevant information is collected about the system with regard to users, IT architecture, network structure, accounts, source code, existing security and the like. In an internal kick-off meeting, the team comes together to discuss a strategy and devise attack scenarios.

The Pentest

The pentest follows at the agreed time, in accordance with the previously established scope. Everything the pentest team does and encounters during the attack is accurately logged and documented. The organization under investigation is informed of the start and end of the test via so-called 'start/stop emails'. There is also the option of 'daily updates', with which the client is kept informed of the pentest team's findings during the test. If the team encounters a high-risk vulnerability during the pentest, the client is informed immediately. All findings, recommendations and conclusions are collected in an extensive report that is presented to the client in a findings meeting.

After the pentest

After the pentest, depending on the findings and exposed risks, there is more or less work to be done: vulnerabilities must be repaired and risks adequately reduced. Where necessary, we advise clients on repairing vulnerabilities found and making adjustments to the software. It is recommended that after the recovery phase is completed, you pentest the applications and systems again, to assess whether the old problems have been solved and whether new ones have arisen. In addition, it is important for an application that is actively being developed to regularly test it to ensure that no new vulnerabilities have arisen during development.

Want to execute a pentest?

Our other services

  • Scenario based pentest

    Scenario Based Pentest

    Test a scenario

    Extensive Scenario Based Pentest based on a relevant scenario that fits your organization.

    Scenario based ➤
  • Red Teaming

    Red Teaming

    Test your infra and org

    Organizational reality check by simulating real attacks.

    Red Teaming ➤
  • Agile Security

    Agile Security

    Test your code and app

    Continuous code reviews for your agile dev team.

    Agile Security ➤

FAQ Pentest

What is a Pentest?

A pentest or penetration test, performed by pentesters, is an authorized way to break into systems (such as (web) applications, websites, IT infrastructures, API links and mobile apps) to detect specific security vulnerabilities. With a pentest, an extensive report is drawn up about how and where vulnerabilities were found, to test them and to fix them efficiently. Security can be optimized by following the identified recommendations.

Why have a Pentest performed?

The purpose of performing a Pentest is to test a specific part of your systems, to gain insight into security problems and to remedy them efficiently with the information obtained. Pentesting is also performed to see whether an application's security meets the standard. In addition, some applications require periodic pentesting, for example as part of a DigiD investigation.

Who will benefit from a Pentest?

A pentest is suitable for any organization that wants to measure the security level of their websites, ICT infrastructures, API links, mobile apps and (web) applications.

What's the difference between a Pentest and a Scenario Based Pentest?

Where a pentest tests a specific part of the ICT infrastructure within an organization, the demand for a company-wide security test is increasing. A scenario-based pentest has a larger (organization-wide) scope and different goals, namely: how resilient and/or mature is the organization in defending itself against certain threats? Preferably this is a test that approaches the reality of a cyber attack as closely as possible, so that the result of the test improves the security for this scenario. To meet this demand, Securify has developed the Scenario Based Pentest. Since companies do not need to have a SOC and a blue team, as they would for a Red Teaming exercise, a Scenario Based Pentest is suitable for most organizations.

What's the difference between a Pentest and a Red Teaming?

A pentest looks at a specific part of the systems. A Red Teaming exercise pursues specific targets through a series of attacks based on a chosen MITRE ATT&CK® threat model. Securify simulates a real APT (Advanced Persistent Threat: constant, hidden and advanced hacking techniques) with the aim of, for example, exfiltrating data (leaking data to the outside world) or simulating a ransomware attack. Red Teaming is usually performed at a company or organization that has its own Blue (defensive) Team and thus a Security Operations Center. The difference between a Scenario Based Pentest and Red Teaming is that a Scenario Based Pentest examines only part of a complete attack. You do not go through a complete attack from start to finish (in-through-out), but limit yourself to, for example, a stage where you already have access to the internal network and assume that a laptop has already been taken over, or you investigate how the escalation proceeds if you run a phishing mail campaign.

What's the difference between a Pentest and a Vulnerability Scan?

A pentest is performed by a pentester with all the knowledge required to perform the test. With a pentest, an extensive report is drawn up about how and where vulnerabilities were found, so that they can be verified and then resolved efficiently. Security can be optimized by following the identified recommendations. A vulnerability scan is an automated quick check by means of a software program, without further steps and without in-depth analysis of the detected vulnerabilities.

What's the difference between a Pentest and a Code Review?

A pentest ensures that a specific part of the system is tested for security vulnerabilities and the information obtained can be used to fix the security problems. There are three types of pentests: black box, gray box and white box. Code review is applied to software to see where there are security flaws and provides a clear and deep code analysis to get to the root of the problem. In principle, this comes very close to a white box pentest. The recommendation at Code Review is to do this in the development phase of the software to save time and repair costs.

Securify combines a pentest with a code review and sees this as added value for customers, because it gives the research more depth. Other security parties usually limit themselves to performing a black or gray box pentest. Securify also looks under the hood (in the code) of your application in order to identify vulnerabilities faster and more accurately, and therefore make a better recommendation to the customer.

What is an automated Pentest?

An automated Pentest is an automated quick check by means of a software program without further steps and/or depth about the detected vulnerabilities.

How long does a pentest take to perform?

A pentest takes an average of 1-4 weeks.

What are the different types of Pentests?

In addition to the standard Pentest that can be performed according to various methods such as Black Box, Gray Box and White Box, Securify also offers the Scenario Based Pentest. In a Scenario Based Pentest, a security assessment is performed at a company or organization by simulating an advanced attack based on a specific scenario, for example a ransomware attack. The aim of the test is to assess an organization's existing security level in order to arm itself against realistic cyber attacks. The security level is determined by three aspects: prevention, detection and response.

Which type of Pentest should I choose?

You choose a type of Pentest in consultation with a cybersecurity specialist, such as Securify. They look at which Pentest best suits your company or organization. It is recommended to choose a Pentest that not only detects vulnerabilities in systems, but where recommendations can be given in particular. And by following these recommendations you can optimize the security of systems (or have them optimized). There are three types of pentests: black box, gray box and white box. With a White Box test, the pentester receives all possible information about the system to be tested in advance. This is the most thorough Pentest and the most efficient way to perform the test. Securify prefers this variant because we can offer the most added value.

According to which methodologies do we conduct Pentesting?

We have three different methods for performing a Pentest on websites, ICT infrastructures, API links, mobile apps and (web) applications: Black box, Gray box and White box. The Black Box Pentest is a real cyber attack as cybercriminals would perform it. In this form, the pentester does not receive any information in advance about the application, system or IT environment to be tested. The level of knowledge of our pentest team here is comparable to that of a malicious hacker. The Gray Box Pentest is a so-called intermediate form, in which the pentester receives limited information in advance. The level of access simulated here is comparable to that of a disgruntled (former) employee or a customer. With the White Box Pentest (Crystal Box), all possible information about the system to be tested is provided in advance by the client. This is the most thorough pentest and the most efficient way to conduct the test. Since our pentesters have access to the source code, they can get to the root causes of vulnerabilities more quickly and make targeted recommendations.

How do I become a Pentester?

There are currently no courses that train you specifically as a pentester. A bachelor's degree in Cyber Security or a master's degree in Information Security Technology is, however, a good starting point. There are also a number of certifications for pentesting and information security. Experience shows that most pentesters entered the profession because they are curious by nature and do a lot of research and figuring things out for themselves (intrinsic motivation). There are free online trainings that people can follow to get a "feel" for it (HTB/TryHackMe), after which they gain experience at specialized cybersecurity companies, such as Securify.