
Penetration testing
Penetration Tests (Pen-Tests) are an established method for independent security assessment in which qualified specialists simulate real-world attack scenarios to identify and evaluate vulnerabilities in systems, applications, and data. The tests are conducted in a controlled manner, following a predefined scope and written authorization (Rules of Engagement). All activities are aligned with the client’s IT environment and include measures to minimize operational risk.
Web Penetration Test. We rely primarily on manual testing, supported by automated tools. The standard methodology (e.g., OWASP) typically includes the following phases:
- Reconnaissance / Information Gathering
- Scanning and Vulnerability Analysis
- Exploitation / Gaining Access
- Privilege Escalation and Post-Exploitation
- Reporting and Re-test
The focus includes logical vulnerabilities, OWASP Top 10 issues, configuration errors, authentication flaws, and access control weaknesses.
Network Penetration Test. Evaluation of the security of network services, protocols, and devices (servers, routers, switches, access points, firewalls, IDS/IPS, etc.) conducted under two main scenarios:
- External — simulating an attack from the perspective of an external threat actor (internet-based).
- Internal — assessment performed from within the client’s internal network.
Network tests follow methodologies such as PTES or NIST SP 800-115, and include phases for discovery, exploitation, post-exploitation, reporting, and re-test.
Types of Tests by Scope:
- Black-box — performed with minimal or no prior knowledge of the target, simulating an external attacker and revealing realistic opportunities for intrusion and detection.
- Gray-box — the testing team receives partial information (e.g., valid user accounts, architectural diagrams), combining the realism of black-box testing with the efficiency of white-box assessments.
- White-box — full access to architecture, source code, and configurations allows for the most comprehensive analysis and detection of logical and code-level vulnerabilities.
