Pentests

Infrastructure Penetration Testing

Effectively protect IT systems and networks

Theft, espionage, sabotage, extortion, and system failures are the most common goals hackers pursue when attacking companies. Systems and IT infrastructure components that are insufficiently secured or have vulnerabilities serve as gateways for these attacks. We support you in increasing the security of your IT infrastructure and protecting it against cyberattacks.

What is an IT infrastructure pentest?

Infrastructure penetration testing is an IT security measure used to check the security of a company's underlying IT infrastructure.

The aim is to uncover vulnerabilities in networks, servers, firewalls or other components and identify potential points of attack. This involves the use of techniques that would also be used by real attackers.

Your benefits at a glance

Penetration tests for secure IT infrastructure

An infrastructure pentest provides a sound basis for objectively assessing the security of your IT environment and optimising it in a targeted manner. The following benefits show how you can uncover vulnerabilities, minimise risks and sustainably increase your overall security level through professional security testing.

  • Objective analysis & evaluation
    Pentests analyse and evaluate the established security measures in the area of system & network security.
  • Identification of specific vulnerabilities
    Pentests identify specific vulnerabilities at system & network level - including recommendations for remediation.
  • Testing based on recognised standards & best practices 
    Pentests test the IT infrastructure based on recognised standards and best practices (e.g. NIST, OSSTMM & BSI).
  • Increased efficiency
    Pentests allow you to increase efficiency and the overall security level through individually derived recommendations for action.
  • Reliable risk assessment
    Pentests provide you with a reliable risk assessment of your network security by identifying actual risks.
  • Proactive prevention
    With the help of pentests, you can proactively prevent financial and reputational losses caused by security incidents.

Procedure for a pentest against a web application

  1. Preparation & Kickoff
     Discussion of technical and organisational features and requirements.
  2. Analysis & execution of the pentests
     Examination of the implemented security measures with regard to their effectiveness and completeness.
  3. Final report
     Compilation of the results in a final report. Optionally with a final presentation.
  5. Optional: Re-test
     Check whether the implemented improvement and defence measures are effective.

Customised for you

Selection of modules or examination activities

Depending on what you want to test using a pentest, you can choose between different modules or test activities. Possible targets are various systems and IT infrastructure components, e.g. web & email servers, VPN gateways, domain controllers or file & database servers. In addition, we also check your firewall, switches, WLAN access points, virtualisation and complete network areas/infrastructures for vulnerabilities.

Summarised for you

The final report contains the following

Analysis and recommended action

All results of an audit are made available to you in the form of a detailed final report.

The final report is always customised by our experts and is easy to understand (no automatic generation).

The report shall contain at least the following information:

  • Introduction: Brief description of the test object, objective of the pentest and documentation of special features during the investigation.
  • Management/Executive Summary: Summary of the results and assessment of the general security level.
  • Risk assessment: Assignment of a risk level to each vulnerability (informative, low, medium, high or critical risk), which describes the criticality of the respective vulnerability.
  • Clear presentation: Clear presentation of all identified vulnerabilities in a table as well as a risk bar that shows the number of vulnerabilities per risk level.
  • Detailed description of the vulnerabilities and proof-of-concept: Each vulnerability is accompanied by an individual description that describes exactly how the vulnerability was found and how it can be exploited by an attacker (proof-of-concept).
  • Evaluation of automated tests: The results of the automated tests are evaluated by the TÜVIT experts, checked for false positives and then summarised in the report.
  • Recommended measures to eliminate the vulnerability: For each vulnerability, there is a recommended measure to eliminate the vulnerability.
  • References: If available, we provide references to vulnerability databases (e.g. CVE).
  • Technical attachments: If available, further information and files on the tests carried out are provided as attachments, e.g. the raw results of the port and vulnerability scans.

Frequently Asked Questions (FAQ)

What you need to know about infrastructure pentests

The aim of penetration tests is to identify generally known and current vulnerabilities as well as insecure, unknown or non-essential services and systems. We can also use our analyses to uncover vulnerabilities and incorrect configurations in your network infrastructure/architecture.

As a result, we provide you with a detailed report that identifies specific, comprehensible risks and proposes appropriate measures to remedy any identified weaknesses.

The tests can be carried out externally and therefore against systems accessible from the internet as well as internally, directly from the respective network segment (e.g. your office network or a DMZ).

The target can therefore be various systems and IT infrastructure components, e.g. web and e-mail servers, VPN gateways, domain controllers or file and database servers.

We also check your firewall, switches, WLAN access points, virtualisations and complete network areas/infrastructures for vulnerabilities.

In addition to automated analysis and attack techniques, we also always carry out manual investigations and verifications. Our IT security experts always use the latest attack techniques/tools from the hacker and security scene as well as tools and scripts developed in-house.

In addition, the approach of the TÜVIT experts is based on recognised standards and best practices, such as those of the BSI.

Why we are a strong partner for you

Good reasons that speak in our favour

Optimally secured

Three areas of application – three penetration tests

Whether security risks in web applications, mobile apps or in IT infrastructure: you are on the safe side with the right pentest procedure.