World-class security experts perform the pentest.
Including code reviews, detection advice and more.
Impact determination for your specific business context.
Implementation-ready advice, presented by real humans.
You cannot evaluate your security if you do not test it. You will need a reality check to ensure that your priorities are correct and your risks are visible and controllable. Testing your own work is biased and therefore a risk in itself.
A pentest is a powerful tool for exposing security risks in your product and infrastructure at a certain moment in time. It immediately increases knowledge & awareness, and provides you with actionable insights to defend against real-world threats.
The purpose of a pentest (or penetration test) is to find out how vulnerable an application (online or mobile), a system, or a (cloud) infrastructure is to attacks from within and from outside. A vulnerable (web) application or insufficiently secure system can have far-reaching financial consequences or lead to reputational damage. A pentest answers the question: Is my application, system or infrastructure resistant to attacks?
The pentest takes place after the scope of the investigation has been established. Afterwards, clients receive an extensive report on what vulnerabilities our pentesters have found. The results are presented to the client in a 'Findings meeting', during which concrete proposals for improvements are made, so that targeted action can be taken to bring the security up to standard.
Cyber criminals do not follow the happy path that you have created. They are extremely creative at finding alternative ways into your system, and often succeed.
All our experts have this same attacker mindset. They are equipped with the capabilities and tools to perform highly sophisticated attacks to test your web app, mobile app, (cloud) infrastructure, phishing awareness or WiFi. They can write specific malware aimed at your organization and collaborate to identify the weak spots. All in an ethical and legally approved way.
They focus on the areas that matter for your business, explaining the ‘why’ and sharing concrete, actionable advice.
Pentest based on low-hanging fruit and popular attacks that are relevant to your business.
White box, grey box or black box pentest within your desired scope, including a presentation and detection advice.
Extensive scenario-based pentest for the sophistication level of your choice.More info
We were the first mobile security testers in the Netherlands. Reverse engineering and the attacker’s mindset are deeply rooted in our DNA. Over the years this has enabled us to develop our own home grown tools to speed up our testing processes.
We are familiar with most SDKs, app protection, shielding solutions and OWASP standards.
We have performed more than 1000 code reviews of web apps. Many of our team members used to work as developers. Following their ambition, we helped them to become hackers. By sticking to standards like OWASP Security Verification Standard (ASVS), we add structure and measurements to our process. We like to be super specific, so we do not end with a report filled with recommendations, but also provide the exact code fixes.
There are three types of pentests. The Black Box Pentest, White Box Pentest and the Gray Box Pentest. The difference is mainly in the amount of information the pentest team has about the system to be tested.
In a White Box test, the tester receives all possible information about the system to be tested in advance. This is the most thorough pentest and the most efficient way to perform the test. We prefer this variant and this is where we can offer the most added value.
The intermediate form is the Gray Box test, in which we receive limited information in advance. The simulation level of the pentester here is comparable to that of a resentful (former) employee or a customer.
In this form, the pentester does not receive any information in advance about the application, the system or the IT environment to be tested. The level of knowledge of our pentest team here is comparable to that of a malicious hacker.
The White Box Pentest is the most thorough and therefore our preference. Since our pentesters then have access to the source code, they can get to the root causes of vulnerabilities and make targeted recommendations.
The Grey Box Pentest can be used to assess the security of an application or environment from within. With this variance, we usually only get access to the environment with the associated accounts.
The Black Box Pentest is usually the least thorough variant. This is partly because a lot of time is spent investigating the unfamiliar environment.
The first step in performing a pentest is the intake interview. In this the scope of the test is determined and agreements are made about the best approach, methodology and the time frame in which the pentest takes place. Based on the intake interview, we make a quotation for the client.
The preparation of the test consists of a detailed elaboration of the intake interview, including an inventory of the systems or environment to be examined. All relevant information is collected about the system with regard to users, IT architecture, network structure, accounts, source code, existing security and the like. In an internal kick-off meeting, the team comes together to discuss a strategy and devise attack scenarios.
The pentest follows at the agreed time in accordance with the previously established scope. Everything the pentest does and encounters during their attack is accurately logged and documented. The organization under investigation is informed of the start and end of the test via so-called 'start/stop emails'. There is also the option of 'every-day updates' with which the client is kept informed of the findings of the pentest team during the test. If the team encounters a high-risk vulnerability during the pentest, the client is immediately informed of this. All findings, recommendations and conclusions are presented in an extensive report that is presented to the client in a findings meeting.
After the pentest, depending on the findings and exposed risks, there is more or less work to be done: vulnerabilities must be repaired and risks adequately reduced. Where necessary, we advise clients on repairing vulnerabilities found and making adjustments to the software. It is recommended that after the recovery phase is completed, you pentest the applications and systems again, to assess whether the old problems have been solved and whether new ones have arisen. In addition, it is important for an application that is actively being developed to regularly test it to ensure that no new vulnerabilities have arisen during development.