Simulate attacks against your applications and systems.
Penetration testing is a simulated attack against your organisation's information, applications and systems. The objective is to determine the effectiveness of your existing security controls, both technical and procedural.
Penetration testing seeks to emulate the capability and motivation of a typical threat actor, and uses a mixture of automated and manual techniques.
The level of prior knowledge, attacker capability and underlying motivation will depend on the agreed rules of engagement, but typical examples include the following:
- Opportunist attacker
- Disgruntled employee
- Malware distributor
- Identity thief
- Intellectual Property (IP) thief
There are many different types of penetration testing, and a wide range of approaches that can be taken. We discuss the specific requirements with our clients prior to beginning any engagement; in general, however, most engagements fall into the following categories.
Cloud Services Penetration Testing
Typically focused on an opportunistic, Internet-based attacker, this type of penetration testing aims to compromise or obtain privileged access to data stored or processed by a client's Cloud services, such as those provided by Amazon Web Services (AWS) and Microsoft Azure.
Infrastructure Penetration Testing
Typically focused on the disgruntled employee, or in support of other activities such as internal technical compliance, this type of penetration testing focuses on obtaining privileged access to internal systems or information.
Mobile App Penetration Testing
Typically focusing on bespoke mobile apps developed by or for the client, this type of penetration testing is concerned with using the app to compromise the mobile device running it, any online web services or application programming interfaces (APIs) that the app interacts with, or any data held or processed by the app.
Red Team Engagement
This is an in-depth and extremely individualised simulated attack against an organisation, which will utilise some or all of the techniques and approaches discussed above, as well as others discussed elsewhere on the website.
Depending on the agreed scenario, this type of penetration testing will usually involve impersonating an opportunistic attacker, someone intending to distribute malware, or someone seeking unauthorised internal access to an organisation's systems.
Website Penetration Testing
Typically focused on an opportunistic, Internet-based attacker, this type of penetration testing aims to compromise or obtain privileged access to data stored or processed by a client's website(s).