A penetration test (aka pen-test) is an authorised, simulated cyber-attack on a computer system, performed to evaluate the security of that system. The penetration testing process highlights the strengths and weaknesses of the system; the weaknesses (known in the industry as vulnerabilities) are then exploited to help understand the full technical risk. Note that a pen-test is different from a vulnerability test: the latter is conducted to identify vulnerabilities (weaknesses) in the system, but no attempt is made to exploit them.
Pen-testing typically follows a strict methodology using either a white-box or a black-box approach. A white-box pen-test simply means that information about the target has been shared with the pen-testers before testing starts; this can help focus the testing and, in some cases, speed up the process. A black-box pen-test means that no information about the target has been shared with the pen-testers. With this approach the pen-testers use their best efforts to identify all weaknesses; however, full coverage may not be achieved in the time available and some issues could be missed.
Good question. There are many reasons for doing a pen-test: it could be a validation exercise of your ability to design, develop and secure a new system or application, or it could be part of a regulatory or mandatory requirement such as PCI-DSS or ISO 27001. It could also be to understand how your business will stand up to an attack, in readiness for when one actually happens. It is a highly recommended exercise and should be performed regularly, particularly when changes have been made to infrastructure and/or applications that may have introduced a vulnerability or exposed a weakness that will be exploited at some point in time.
We’re different. Firstly, let’s get the standard stuff out of the way. We’ll follow industry standard methodologies and best practice just like any other provider. We understand the risks associated with testing and take care to avoid disruption or impact on the business during testing. We’ll also ask for a technical point of contact whilst testing, and you can rest assured our findings will use the Common Vulnerability Scoring System (CVSS), which provides a numerical score identifying the severity of each vulnerability. How we differ: our intuitive scoping process will capture and refine your requirements in readiness for test scheduling. The pen-test booking process is simplified: you choose the dates, we’ll provide the testers, and we can usually begin testing within a 48-hour lead time. You’ll notice that our estimates are in hours; that’s how we charge. We don’t add a magical ‘plus one day’ for reporting, and if we don’t need all of the hours for the pen-test, we won’t use them. We’ll give them back to be used on your next engagement. We publish findings in real time with alerts/notifications to allow for immediate triage and remediation, if required. This also gives an ongoing risk profile of the system under test during the engagement. Oh, and did I mention that we don’t charge cancellation or rescheduling fees? Projects don’t always run to plan, we get that. Need to reschedule a pen-test? No worries.
Yes. Pen-tests are only a snapshot of the risk status of your infrastructure and/or applications at the time of testing. Should any changes be made, such as bug fixes or patching, we recommend a re-test of the reported issues to ensure they are fixed and closed. Further pen-tests are recommended at regular intervals, or at least annually, depending on your requirements.
I’m co-founder of Siege Cyber and passionate about Cyber Security, Hiking and Mountain Biking. I’ve been working within Cyber for the past 20 years and most of those years as a penetration tester. As a penetration tester I’ve tested some of the biggest companies in Australia before branching out and starting Siege Cyber. Siege Cyber was created to be an Australian owned and operated bespoke cyber security firm focusing on helping our customers secure their organisation and stay up to date with their compliance requirements listed in PCI-DSS, GDPR, ISO 27001 and others.
Happy to chat, happy to help.