If your company has a computer system or application that is connected to the internet, you should perform a penetration test before your vulnerabilities are exploited. Penetration testing is the most effective method for assessing and improving your security level in terms of price and quality.
Our penetration test, or pentest, is a security exercise, an analysis, where our ethical hackers simulate a series of attacks on your environment, application (web, mobile, or API) or network to find and list your vulnerabilities, their exploitability which attackers could take advantage of and their impact. We do this manually, our trademark, as this is more effective and delivers a higher quality than standard automated tooling.
The output of our pentest is to list your vulnerabilities, the risks they may pose to your application or network, and a concluding report. Common vulnerabilities include design errors, configuration errors, software bugs etc.
Vulnerabilities found during this penetration test can be used to improve your network security, patch your applications, identify common weaknesses across applications, and in general strengthen your entire security posture against future attacks.
It’s best to have a penetration test performed by somebody with practically no knowledge of how your inner network or application is secured in light of the fact that they may be able to uncover vulnerabilities missed by the developers who build it. That’s where The Security Factory comes in.
Our ethical hackers systematically attempt to penetrate a computer system, application or environment commissioned by its owners, you – and, most importantly, with your permission – to tests measure the distribution and severity of your vulnerabilities and their exploitability. Our ethical hackers use the same skills, methods and techniques to carry out a penetration test as their unethical counterparts.
We evaluate the security of your IT infrastructure and critical assets by performing attacks from external and internal threats.
Internal pentest: Our ethical hacker perform the penetration test from within your organization’s internal network. This test can determine how much damage an unreliable employee can cause or what a hacker can do when launching malware through a phishing attack for example.
External pentest: We try to penetrate the environment from the outside with a range of IP addresses. This way we can assess the security of your externally facing systems such as websites, email infrastructure, VPN endpoints…
Application penetration test: We test the security of any or all applications and websites that you have. We’ll look for vulnerabilities and investigate how far an attacker can penetrate the application. This includes web applications, web services and mobile apps.
A penetration test can be performed both manual or automated. The purpose of the two tests is the same: to test measure the distribution and severity of your vulnerabilities, their exploitability which attackers could take advantage of and their impact.
The difference between these two tests is the way they are conducted. An automated pentest is done by an automated tool. As the name suggests a manual pentest is done by humans, experts in this field. It is performed by an ethical hacker and is needed to provide complete coverage including design, business logic and compound flaw risks that can only be detected through manual (human) testing. The Security Factory conducts these tests manually, as this is more effective and delivers a higher quality than standard automated tooling.
Some differences between a manual and automated penetration test are:
| Manual Penetration Test | Automated Penetration Test (Scan Test) |
| Performed by experts in the field | Can be performed by less experienced professionals in the field |
| Can discover problems with standard vulnerability classes and certain design flaws | Can discover problems with standard vulnerability classes |
| Takes more time, but covers more possible vulnerabilities and flaws | Faster, but less thoroughly |
| Understands the business needed and alter test cases accordingly | Cannot detect business logic defects |
| Less prone false positives | More prone to false positives |
