Pentests

Penetration Tests

Protect your company from cyber attacks

Vulnerabilities in your systems, components or applications can become a gateway for cyber criminals if they are not detected at an early stage. Data theft, blackmail and system failures, as well as the associated economic damage and loss of trust, are just some of the possible consequences of a successful cyber attack.

Best possible protection against hackers

Using customised penetration tests, you can uncover potential security vulnerabilities before cyber criminals do.

Pentests pay off

Prevention instead of rehabilitation: Pentests help you to prevent potential attacks and the associated financial and reputational losses.

Test report with recommendations for action

Once the pentests have been completed, you will receive an informative test report including recommendations for action to eliminate weak points.

What is a penetration test (short: pentest)?

A pentest is an IT security measure used to check the security of IT systems, networks and applications. The aim is to identify potential vulnerabilities and points of attack at an early stage before they can be exploited by cyber criminals, using methods and means that real attackers would also use.

Your benefits at a glance

Detect and close security gaps with penetration tests

As a central element of modern IT security strategies, a pentest not only provides valuable insights into existing vulnerabilities, but also offers a sound basis for targeted protective measures - summarised in the following benefits.

  • Identification of potential vulnerabilities
    Pentests uncover security gaps & vulnerabilities before cybercriminals can exploit them.
  • Objective assessment & evaluation of security
    Pentests are an efficient tool for evaluating the effectiveness of your IT security measures.
  • Pentests based on recognised standards
    Our IT security experts carry out penetration tests in accordance with recognised standards & guidelines.
  • Compliance with contractual requirements
    By carrying out pentests, you fulfil existing regulatory requirements & specifications.
  • Protection against financial and reputational losses
    Prevention instead of aftercare: Pentests help you prevent attacks - and the associated damage.
  • Sound recommendations for remedial action
    The final report also includes recommendations for action to rectify potential vulnerabilities.
  • Increase IT security, reduce risks
    Pentests help you to improve security within your organisation & reduce the risk of attacks.
  • Sensitisation of employees
    By means of pentests, you simultaneously increase the security awareness of employees at all hierarchical levels.
  • Guidance for investments
    By uncovering vulnerabilities, pentests reveal the areas in which you should best invest in the future.
  • Building trust with customers & business partners
    By conducting pentests, you strengthen the trust of your customers & business partners.

Pentests: An overview of 3 testing methods

Black box penetration test

In a black box pentest, the pentester does not receive any additional information about the test object in advance. This simulates a typical attacker who usually knows very little about their target.

Grey box penetration test

The grey box pentest is a mixture of a black and white box pentest. This means that the pentester already receives some information, such as test access data and (API) documentation, and determines the remaining information itself.

White box penetration test

In a white box pentest, the tester has extensive additional information, such as test access data, architecture/design documents, communication matrix or source code. This ensures efficient testing within a certain period of time or within a certain budget.

From A to Z

A holistic view of IT security in your company

In addition to a purely technical approach, we also offer tests relating to possible physical or human vulnerabilities as part of a holistic approach.

Red Teaming – Realistic attack scenarios for your security

Red Teaming provides a comprehensive, realistic endurance test of your cybersecurity. Our team of security experts acts like real attackers: from inconspicuous reconnaissance to subsequent exfiltration, they test all security-critical phases. They simulate targeted attacks on processes, systems and employees to uncover vulnerabilities that traditional penetration tests often fail to detect. The result: a clear, implementable action plan that strengthens your defence strategies in the long term.

Digital Forensics and Incident Response

Digital forensics (DFIR) is a central component of modern cyber security and complements penetration tests with the systematic investigation of security incidents. In the event of an attack, forensic analyses make it possible to preserve evidence, extract data and restore critical information. Methods such as network forensics, cloud forensics or IoT forensics help with threat detection, case analysis and investigation. DFIR tools are used to identify IT logs, malware traces and security vulnerabilities in order to prevent future attacks through targeted incident response.

How does a pentest work? – Sample project workflow

1. Preparation & Kickoff

Discussion of technical and organisational features and the necessary requirements for carrying out penetration tests.

2. Information gathering & analysis

Collection of essential information about the object of investigation (identification of components, data & functions).

3. Carrying out penetration tests

Investigation with regard to attack surfaces and vulnerabilities (basis: criteria specified in the kick-off & information collected).

4. Final report

Summary of all audit results in the form of an individual & meaningful final report (no automatic generation).

5. Optional: Re-test

After the test is before the test: Check whether the implemented improvement and defence measures are effective, or repeat pentests due to new releases.

Optimally secured

Three areas of application – three penetration tests

Whether security risks in web applications, mobile apps or in IT infrastructure (ICT and OT infrastructure) and their mixed operations: With the right pentest procedure, you are on the safe side - in countless cross-industry areas, from product to process.

Frequently Asked Questions (FAQ)

What you need to know about penetration tests

The duration of a pentest depends on various factors. For example, the test object and its complexity, the selected test depth and the procedure determine how many days a pentest takes. As a general rule, the more complex the object to be tested, the more time a corresponding pentest requires.

We would be happy to offer you a non-binding initial consultation.

When it comes to penetration tests, the following applies: after the test is before the test. This means that pentests should always be an integral part of a holistic approach to IT security within a company. As attack methods are constantly evolving, this is the only way to ensure that networks, IT systems, web applications and mobile apps can withstand potential cyber attacks.

In principle, vulnerability scans and penetration tests pursue the same goal: to uncover potential vulnerabilities within the company's IT.

In contrast to penetration tests, however, vulnerability scans are software-supported and fully automated. They therefore provide basic findings regarding potential vulnerabilities and serve as a starting point for more in-depth checks such as penetration tests. However, as vulnerability scanners rely on databases with already known security vulnerabilities, they reach their limits, especially with self-developed applications.

Penetration tests are largely carried out manually by appropriately trained IT security experts. The focus here is primarily on more complex security vulnerabilities and the unauthorised exploitation of certain functions. Companies also receive a test report with specific recommendations for remedial action following the test.

First things first: Penetration tests are generally not aimed at restricting availability. We only carry out denial of service attacks after consultation with the client. Nevertheless, in rare cases it can happen that availability is restricted during the implementation. In general, however, the focus is on identifying vulnerabilities. The risk of an interruption to business operations is kept as low as possible.

Unfortunately, there is no generalised answer to how much a pentest costs. The final cost depends on various factors such as the test object, test configuration and security level. We would be happy to provide you with a free, non-binding quote.

In general, a distinction can be made between external and internal penetration tests.

In an external pentest, the attack on systems and networks is carried out from outside / from the internet and therefore from the perspective of an external attacker. The focus here is on the question of how secure a company is against such attacks.

In an internal pentest, auditors have access to a company's internal infrastructure. This simulates the further actions of attackers who have succeeded in overcoming the external security measures and gaining access to the internal network.

Test object:

  • IT infrastructure penetration test
    Possible targets are various systems and IT infrastructure components, e.g. web & email servers, VPN gateways, domain controllers or file & database servers. In addition, firewalls, switches, WLAN access points, virtualisations and complete network areas/infrastructures can also be checked for vulnerabilities.
  • Web application penetration test
    As part of penetration tests (incl. backend systems, web services & APIs), a web application is analysed for the most critical or most frequently exploited security risks.
  • App penetration tests
    As part of penetration tests, a mobile Android / iOS app is analysed automatically and manually for security vulnerabilities. The aim is to identify the most critical or most frequently exploited security risks for mobile apps.
  • Social engineering
    Social engineering aims to exploit human characteristics such as helpfulness, curiosity or trust in order to skilfully manipulate people.

Test method:

  • Black box penetration test
    In a black box penetration test, the pentester does not receive any additional information about the test object in advance. This simulates a typical attacker who usually knows very little about the target of the attack.
  • White box penetration test
    In a white box pentest, the tester has extensive additional information, such as the test access data, the architecture/design documents, the communication matrix or the source code. This ensures efficient testing within a certain period of time or within a certain budget.
  • Grey box penetration test
    The grey box pentest is a mixture of black and white box pentest. This means that the pentester already receives some information, such as test access data and (API) documentation, and determines the remaining information itself.

Starting point:

  • External pentest
    An external penetration test focuses on the question of how secure a company is against attacks from outside / from the internet.
  • Internal pentest
    In an internal penetration test, the testers have access to a company's internal infrastructure. This assumes either that an IT system or user account has been compromised from the outside or that an internal attack has been carried out by an employee. The pentest starts at this point and simulates the further course of action of an attacker.

Before pentests can be carried out, the consent of the company to be tested is absolutely necessary. Without this consent, the test would be a criminal offence. Without prior, comprehensive clarification of the conditions, a pentest would be nothing more than an unauthorised hacker attack that could be punished, which is why the contract concluded must specify all modalities such as test period, test object and test depth.

In addition, only objects that clearly belong to the commissioning company may be inspected. For this reason, it should be clarified in advance which software services, such as cloud services, are not owned by the company so as not to infringe the property rights and/or copyrights of third parties. Alternatively, contractual agreements can be made with existing third-party providers or service providers before carrying out pentests.

The test report is always created by our experts individually and in an easily understandable way (no automatic generation) and contains at least the following information:

  • Introduction: Brief description of the test object, objective of the pentest and documentation of special features during the investigation.
  • Management/Executive Summary: Summary of the results and assessment of the general safety level.
  • Risk assessment: Assignment of a risk level to each vulnerability (informative, low, medium, high or critical risk), which describes the criticality of the respective vulnerability.
  • Clear presentation: Clear presentation of all identified vulnerabilities in a table as well as in a risk bar, which shows the number of vulnerabilities per risk level.
  • Detailed description of vulnerabilities & proof-of-concept: For each vulnerability, there is an individual description that shows exactly how the vulnerability was found and how it can be exploited by an attacker (proof-of-concept).
  • Evaluation of automated tests: The results of the automated tests are evaluated by the TÜV IT security experts, checked for false positives and then summarised in the report.
  • Recommendation of measures to eliminate the vulnerability: For each vulnerability, there is a recommendation of measures to eliminate the vulnerability.
  • References: If available, we provide references to vulnerability databases (e.g. CVE).
  • Technical attachments: If available, further information and files on the tests carried out are provided as attachments, e.g. the raw results of the port and vulnerability scans.

Why we are a strong partner for you

Good reasons that speak in our favour