Frequently Asked Questions

What is the workflow of a penetration test?When will I receive my pentest report?What is the difference between web app testing and network penetration testing?What is the difference between external and internal network penetration testing?How often should I run a penetration test?What does a security scan vs. a pentest bring? What are the different types of penetration testing?What is a Phishing Simulation?Are Phishing Simulations effective?What is a live hacking demo? I have a specific scope, can you provide tailored pricing?

Before each penetration test, we start with a personal introductory meeting with all key stakeholders. In this session, we outline the scope and discuss the approach for performing a penetration test on the customer’s systems. The test only delivers real value when it’s aligned with the customer’s context and requirements. Once all details are finalized, the penetration test is performed within the agreed timeframe.

Following the test, a review meeting is held to present the identified vulnerabilities along with recommended solutions. A comprehensive report is also provided. More information about our online platform, where customers can log in to monitor and evaluate the security of their applications in real time during testing? New Penetration Test Reporting for Real-Time Insight

With our real-time insight feature, you don’t have to wait until the end of the test. As our testers work, each finding goes through a short internal quality check before being shared. Once validated, it’s immediately pushed to you through our online platform allowing you to track them and take early action — even before the final report is delivered.

Want to learn more about how our platform lets you monitor and evaluate your application’s security in real time during testing? Discover our blog about our Penetration Test Reporting with Real-Time Insight

Web application penetration testing focuses on identifying security vulnerabilities in web-based applications, such as login forms, user inputs, APIs, and session management. It targets application-specific risks like SQL injection, cross-site scripting (XSS), broken authentication, and insecure configurations. The goal is to uncover flaws that could be exploited through the web interface.

Network penetration testing, on the other hand, assesses the security of the underlying network infrastructure, such as servers, routers, switches, and firewalls. It can be conducted externally (from outside the organization) or internally (from within the network) and focuses on vulnerabilities like open ports, outdated software, misconfigurations, and weak credentials.

In short: web app testing targets the software layer, while network testing targets the infrastructure layer.

External penetration testing simulates an attack from outside your organization’s network, typically over the internet. It focuses on publicly accessible systems such as web applications, email servers, firewalls, or VPNs, assessing how vulnerable they are to external threats like hackers or malicious bots.

Internal penetration testing, on the other hand, simulates an attack from within your network, such as from a compromised employee device or a malicious insider. It evaluates what an attacker could access if they bypassed external defenses or had internal access, focusing on internal systems, network segmentation, and privilege escalation. TSF never requests credentials for this type of test and always performs the assessment without initial access to accounts.

Together, both approaches provide a comprehensive view of your organization’s security posture

The ideal frequency for penetration testing depends on your industry, the sensitivity of your data, and how attractive your systems are to potential attackers.

For organizations handling highly sensitive information, such as financial services, healthcare, or government agencies, it’s recommended to conduct penetration tests multiple times per year. This helps ensure you’re staying ahead of evolving attack methods.

For companies in less sensitive sectors, penetration tests should still be performed regularly, especially after significant changes, such as launching a new application version, adding key features, making major infrastructure changes (e.g. new firewalls, cloud migrations), or reorganizing your network.

Penetration testing isn’t just about identifying technical vulnerabilities. It’s also a valuable way to assess how well internal teams, like IT, development, and security, are working together to maintain a secure environment. It should be viewed not as a one-time event, but as an ongoing best practice integrated into your security strategy.

In short, test regularly, and always test when something significant changes.

A security (vulnerability) scan is an automated process that identifies known vulnerabilities in your systems. It provides a broad overview of potential issues, such as outdated software, misconfigurations, or exposed services, by comparing your environment against a database of known threats. It’s a great first layer of defense and is useful for routine checks. However, it typically does not confirm whether those vulnerabilities can actually be exploited or what their real-world impact might be.

In contrast, a penetration test (or pentest) is a manual and semi-automated security assessment conducted by skilled professionals. Testers simulate real-world attacks, actively exploiting vulnerabilities to understand their impact, uncover logic flaws or complex attack paths that scanners can’t detect, and provide detailed insight into the actual risks your organization faces. Every pentest is customized to your systems and business logic.

In short:

Security scan = fast, automated, wide coverage, high-level results
Penetration test = slower, manual, deep analysis, actionable risk assessment

External Penetration Testing

Simulates an attack from outside the organization, targeting publicly accessible assets like websites, mail servers, and firewalls.

Internal Penetration Testing

Mimics an attack from within the network, such as by a malicious employee or someone with internal access, to test what can be done once the perimeter is breached.

Cloud Penetration Testing

Targets cloud-based infrastructure (AWS, Azure, Google Cloud, etc.) to identify misconfigurations, insecure interfaces, and weaknesses in cloud-specific services.

Web Application Penetration Testing

Focuses on identifying security flaws in web-based applications, including issues like SQL injection, cross-site scripting (XSS), broken authentication, and insecure APIs.

Mobile Application Penetration Testing

Focuses on mobile apps (iOS, Android) and their interaction with backend services, checking for insecure storage, weak authentication, and data leakage.

API Testing

Focuses on evaluating the security of application programming interfaces (APIs). The test checks for common vulnerabilities such as improper authentication, lack of encryption, and insufficient access controls. It ensures that APIs are securely handling sensitive data and preventing unauthorized access.

Fat/Thick Client Testing

Focuses on security assessments of desktop applications that are installed on end-user devices. These applications often interact with backend systems and store sensitive data locally. The test evaluates risks such as weak encryption, insecure data storage, or potential vulnerabilities in client-server communication.

Kiosk Breakout Testing

Tests the security of self-service kiosks (e.g., in retail or public spaces) to see if an attacker can break out of the kiosk’s restricted environment. The test evaluates the risk of unauthorized access to the underlying system or network, which could lead to data theft or malware installation.

Wireless Penetration Testing

Tests the security of wireless networks (Wi-Fi), including encryption protocols, rogue access points, and wireless client vulnerabilities.

Digital Social Engineering

Evaluates the human element of security, often through phishing or pretexting to determine how susceptible employees are to manipulation.

Physical Social Engineering

Assesses physical security by attempting to gain unauthorized access to buildings, data centers, or secure areas.This type of test often includes a health check, where we look for common physical security issues—such as passwords on post-its, unlocked devices, or unattended access badges.

USB Drop Test

Simulates a scenario where malicious USB devices are dropped in public or accessible areas, such as office spaces or parking lots. The test evaluates whether employees are likely to plug in these devices, potentially giving attackers unauthorized access to the network or introducing malware.

Red Team Testing

A full-scope, multi-layered simulation of a real-world attack that combines many of the above techniques over a longer period to test an organization’s detection and response capabilities.

A Phishing Simulation is a security exercise designed to mimic a real-world phishing attack in a controlled environment. The goal is to assess how susceptible employees or users are to phishing attempts and to raise awareness about the risks of social engineering.

At the Security Factory, we are partnering with Phished.io. Phished.io is a solution that automates the entire phishing awareness process and provides customised phishing simulations and training to help employees report phishing attempts and identify vulnerabilities.

The automated phishing simulations are designed to trick recipients into performing actions such as:

Clicking on malicious links
Downloading infected attachments
Entering sensitive information (e.g., login credentials) on fraudulent websites

The outcomes of phishing simulations help organizations understand:

Employee awareness: How well employees can recognize suspicious emails or messages.
Training needs: Identifying knowledge or behavior gaps that require attention.
Risk assessment: Assessing the potential risks of falling victim to a phishing attack.

Yes, phishing simulations are effective, when done correctly. They are a valuable tool for improving organizational security awareness and reducing the risk of real-world phishing attacks. Here’s why:

Increase awareness: Simulations train employees to recognize suspicious emails, helping them develop a habit of verifying links, attachments, and sender identities.
Identify vulnerable users or departments: They help pinpoint individuals or teams that are more likely to fall for phishing attacks, allowing targeted follow-up training.
Reduce click rates over time: Regular phishing simulations can significantly lower the percentage of employees who click on malicious links.
Reinforce security culture: By making phishing awareness part of routine behavior, simulations support a stronger overall security mindset across the organization.
Test incident response readiness: Some simulations can include reporting mechanisms or escalation paths, testing whether employees follow proper procedures when spotting a suspicious email.

Read more about the vision of our partner Phished in our Q&A with their CEO.

During our interactive demos, our team of ethical hackers takes center stage, showcasing just how easy it is to fall victim to a cyberattack if you’re not cautious.

Picture this: two screens side by side, one displaying the hacker’s perspective and the other, the unfortunate target being hacked.

Brace yourself as we unveil the methodologies hackers employ, the latest tricks up their sleeves, and most importantly, the key areas you should focus on to bolster the security of your precious data and systems.

Live demos visually and emotionally engage the audience, helping them better understand how threats work. Seeing an exploit in action often leaves a stronger impression than theory alone.

Absolutely. You can schedule a call with one of our advisers, who will review your specific requirements and provide a customized pricing proposal based on your needs.

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-51190277-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
AnalyticsSyncHistory	1 month	No description
li_gc	5 months 27 days	No description