Services

Pentest

What is pentest?

Pentest (Penetration test or penetration testing) is a simulation of the actions of intruders to identify weaknesses and vulnerabilities in computer systems. Penetration testing allows you to look at the security of your systems and networks through the eyes of hackers.
During a penetration test, we look for attack vectors that cybercriminals can exploit to make unauthorized intrusions into your systems.

Pentest vs hacker attack

One of the goals of hacker attacks is to illegally seize control of other people’s systems. Hackers also hunt for personal information, logins and passwords from accounts, incl. financial.
The activity of a pentester, in turn, is legal and involves imitating the actions of an attacker in order to identify vulnerabilities in the system that need to be secured in the first place, thereby minimizing the chances of a successful attack by a hacker.

WHAT DOES PENTEST NEED FOR?

Pentesting is necessary to find vulnerabilities in infrastructure, networks, systems and software before these vulnerabilities are discovered by attackers.
Without regular pentesting, a company may be exposed to various risks as a result of hacker attacks, such as: direct financial losses (theft of money from accounts, lost multimillion-dollar lawsuits, lawyer costs), indirect financial losses (impossibility to conduct business due to non-functioning systems or networks ), non-financial risks (leaks of personal data, theft of intellectual property), reputational losses, etc.

PENETRATION TESTING STEPS:

// step 1

PENETRATION TEST INITIATION

At this stage, the NDA and the contract are signed, working meetings are held to clarify the legal framework, determine the goals and timing of the pentest, work plan and scope, as well as the testing method (white-box, gray-box or black-box) and the degree of exploitation of the discovered vulnerabilities . The cost of pentest services depends on the scope and complexity of the work.

// step 2

INTELLIGENCE AND OSINT

We collect and analyze information from online search engines and public sources such as social networks, blogs and forums. We find e-mail addresses, usernames, associated accounts on external resources and other data that, with certain agreed testing methods, can play a key role in the further successful completion of pentest work.
Also at this stage, we perform a reverse DNS lookup, scan ports, analyze traffic, find subdomains, determine the technologies used, etc.

// step 3

Threat Modeling

At this stage, we identify targets and potential attack vectors, as well as conduct an in-depth analysis of the data obtained during the Exploration stage, and structure probable threats into: internal (employees and management, partners and suppliers) and external (web applications, open ports, network protocols and traffic).
Also at this stage, we use automatic scanning tools, in particular, our own development – the CryEye platform, after which the results are processed and analyzed, followed by planning and modeling of further actions.

// step 4

Exploitation

After a thorough analysis and validation of all previously obtained results, we determine the possibility of further exploitation of confirmed vulnerabilities.
Then, in accordance with the previously agreed permitted degree of exploitation, we simulate a real attack from a potential attacker.
Depending on the needs of the customer, such attacks can be carried out as: attacks on web applications, networks or Wi-Fi, hardware, social engineering, zero-day vulnerabilities, etc.
When exploiting vulnerabilities, we are guided by technical knowledge, professional experience and intuition, which, combined with manual penetration testing techniques, allows us to identify the maximum number of critical vulnerabilities and minimize the risks and possible consequences of cyber attacks.

// step 5

RISK ANALYSIS, RECOMMENDATIONS, CLEARING TRACES

Based on the results of the penetration test, we conduct a risk analysis, structure the discovered vulnerabilities and develop recommendations for their elimination.
After that, we remove temporary files, created accounts, elevated privileges and other traces of testing, returning the system to its original configuration, or transfer information about any significant changes to the customer.

// step 6

Report

At the final stage, we provide a detailed structured report on the methods used to find and exploit vulnerabilities, evidence in the form of data obtained by us, steps to reproduce and screenshots.
The report will also include our suggestions for improving the existing security system to protect your company from cybercriminals.

Report

Mobile
devices

Enter your contact information and we will send you examples of our reports.

    Report

    Internal
    network

    Enter your contact information and we
    send you examples of our reports.

      Report

      Web
      applications

      Enter your contact information and we
      send you examples of our reports.

        There are three types of pentest

        Black box

        During Black Box testing, you only provide us with your company name or your website address, and do not provide any additional information about your system’s IT infrastructure, IP addresses, etc. In this case, we find out all the additional information we need on our own. The advantage of this method is that in this way a real situation with an attack by a hacker is simulated. The disadvantages of the Black Box method include the fact that it does not allow you to fully assess the security of your company, since the attacker, as a rule, conducts lengthy preparations and reconnaissance. A pentester, unlike a hacker, is limited by rigid time frames.

        Gray box

        When testing with the Gray Box method, you tell us only some of the initial parameters of the test object. At the same time, in order to reduce the time of testing and to best direct our efforts, we may periodically request additional information from you necessary during the testing process.
        The Gray Box method combines the advantages of White Box and Black Box, while maintaining a fairly close resemblance to the actions of a real hacker.

        White box

        White Box testing is the complete opposite of Black Box. In this type of testing, you provide us with all the necessary data about the infrastructure, including administrative access to all servers and other information related to the test object. At the same time, your security team is also aware of the penetration test, and testing is more like an independent audit. The advantage of the White Box is the most complete and comprehensive approach to testing that allows you to detect the maximum number of vulnerabilities, since the pentester does not spend extra time collecting information about the object and fully concentrates on the testing process. As a drawback, we can note the fact that white box testing is the least close to a real hacker attack.

        External pentest

        Assumes that we are evaluating the ability of hackers to break into your system if there is no access to the corporate network.

        Internal Pentest

        Conducted if you suspect that a potential cybercriminal can connect to your corporate network, while not having administrator privileges.

        Wi-Fi hotspot testing

        This type of work will also be of interest to those who want to check the security of their Wi-fi access points and wireless data transmission technologies.

        Our cyber security certifications

        Our experts are regularly take certifications and trained in cybersecurity. We use unique methodologies and full automation to find all potential vulnerabilities using the CryEye engine which includes more than 1500 audits.

        Interesting
        to know

        1

        All our pentests are carried out exclusively according to our private methodologies, which are completely dependent on technologies and services for the purpose specified in the scope.

        2

        In all projects, we use full automation and manual work of our specialists, thereby covering all possible vulnerabilities in the system from different angles.

        3

        It is worth considering that each of our audits is carried out exclusively using our development – CryEye. This is a complete, automated and multifunctional platform for managing projects and finding all possible technical vulnerabilities in them, which can be covered using the tools built into CryEye.

        PENTEST OPTIMIZATION THROUGH AUTOMATION

        CRYEYE

        Our development of CryEye gives huge advantages in penetration testing by expanding the definition of possible attack vectors. By following integrated methodologies, Cryeye covers all potential vulnerabilities that can be detected automatically, which saves time for specialists, allowing them to concentrate more on finding more complex vulnerabilities through manual analysis.

        Про Cryeye

        Order
        service

        PENTEST

          Other services

          Vulnerability Assessment

          Monitor, search and analyze real-time breaking systems/Avoid cyber threats/Proactive threat prevention

          Learn more

          Social Engineering

          Spear phishing/ Phishing/ Malicious attachments

          Learn more

          Performance Testing

          Load testing/ Stressful testing/ Stability testing/ Configuration testing

          Learn more

          Penetration Testing

          Monitor, search and analyze real-time breaking systems/Avoid cyber threats/Proactive threat prevention

          Learn more

          Infrastructure Protection by CRYEYE

          Increase the security level in your IT infrastructure with the help of dynamic compliance service

          Learn more

          Ready to secure?

          Let's get in touch