Penetration Testing

IntaForensics is a CREST certified penetration testing company. Our experienced team have helped hundreds of organisations from all sectors to secure their systems. Our services are customised to meet the needs and requirements of your business.

Crest Banner_Certified

What is Penetration Testing?

Penetration testing, also known as pen testing and ethical hacking, is a cyber-attack which is employed by our technical specialists to evaluate, probe and test a computer system, network or web application to identify any security vulnerabilities that could be exploited by cyber criminals. The cyber-attack process can be performed manually, or through the use of software applications and is designed to simulate an attack upon a system. It should be viewed as a method for gaining assurance in your organisation’s vulnerability assessment and management processes, not as a primary method for identifying vulnerabilities.

IntaForensics offers penetration testing engagements to suit our client’s needs, enabling them to reinforce their cyber security policies and procedures to better protect them from future threats. Our team of experience penetration testers have all been independently qualified by industry-recognised bodies such as CREST (CPSA and CRT certified) and Offensive Security (OSCP certified).

Why does your Organisation need Penetration Testing?

The average cost of a data breach in 2021 is $4.24 million. We help to alleviate this risk by preventing breaches and keeping your company safe. Government agencies, FTSE 100 companies, educational, healthcare, and non-profits are among the organisations targeted every day. Most of these organisations are woefully unprepared to respond to security incidents. That is where IntaForensics can help. With thousands of hours of experience, practice, and passion for cyber security, we will use our skills to secure your environment.

In today’s technology-driven world, hacking has become commonplace, often as front-page news. These incidents can cost companies large sums of money by breaking customer trust, bad news coverage, and potential legal action by regulatory bodies. Penetration testing alleviates much of this risk by having an experienced cybersecurity professional simulate an attack. This involves the tester using the same techniques and tactics that real-world attackers would use. This includes (but is not limited to) taking advantage of vulnerabilities like SQL injection, remote code execution, social engineering, XSS, SSRF, and other less common vulnerabilities.

Types of Penetration Testing

Web Application Penetration Testing

Identify all security risks and vulnerabilities, including the OWASP Top 10, in your web applications or websites.

External Penetration Testing

Testing and evaluating your external network’s defences and identifying any vulnerabilities that attackers could be used to gain access.

Internal Penetration Testing

Simulating an attack from inside your corporate network to test internal defences and identify any vulnerabilities that could allow attackers to gain access to sensitive information and assets.

API Penetration Testing

Assessing and evaluating vulnerabilities in your APIs. This testing is ideal prior to integrating a new API into your systems.

Social Engineering

‘Phishing’ and ‘Smishing’ employees to assess security awareness and the overall vulnerability of the company to social engineering.

Cloud Security Assessment

Evaluating the security of your organisation’s cloud infrastructure and configurations to secure cloud assets, e.g. AWS, Azure, GCP.

Contact us for more details

Contact Us

Our Penetration Testing Methodology

Our custom methodology follows industry standards such as OWASP Web Security Testing methodology (which encompasses OWASP top 10 and CWE 25), Open-Source Security Testing Methodology Manual (OSSTMM), and the Penetration Testing Execution Standard (PTES).

At IntaForensics, we conduct tests to identify and address both critical and non-critical security issues in software applications. This includes many types of vulnerabilities, such as injection flaws (SQL, XSS, SSRF, NoSQL, and OS command injection), authentication weaknesses, poor session management, broken access controls, security misconfigurations, database interaction errors, input validation problems, and flaws in application logic. Using our custom methodology, we test for common and uncommon vulnerabilities that other organisations often miss and which aren’t discovered by automated systems, such as HTTP Smuggling, CRLF, IIS Shortname Enumeration, and Web Cache Poisoning.

Scoping

This involves meeting with the client to understand their objectives and the systems that require testing. During this meeting, we will also identify the IPs and domains that are in scope for the testing.

Reconnaissance

To gather information, passive Open-Source Intelligence (OSINT) is used to identify any data that has been publicly exposed on the internet. This includes leaked passwords, documents, and employee information.

Intelligence Gathering

This involves active Open-Source Intelligence (OSINT) to discover what data the organisation is leaking, such as secret directories, forgotten subdomains that may be vulnerable to subdomain takeover, and public administration login pages.

Vulnerability Discovery

This forms the bulk of the testing process, performing manual and automated tests to discover potential vulnerabilities such as those found in the OWASP Top 10 and the CWE 25. Additionally, we utilise our custom methodology to identify vulnerabilities that aren’t addressed by these standards.

Exploitation

This next step involves executing specific attacks, such as exploiting out-of-date software or attempting to perform blind XSS. It helps to identify how severe an issue is and what an attacker could do.

Report and debrief

A detailed and actionable report will be produced and issued to the client. A debriefing meeting will also be arranged to review the report and discuss the findings in detail. This provides an opportunity for questions and further discussion.

Contact us for more details

Contact Us

What happens next?

Each vulnerability discovered during testing will be laid out in a simple-to-understand format within the report. This includes a detailed description of the vulnerability, the risk it poses to the organisation, instructions on how to reproduce it, and resources and advice on how to resolve the issue.

Our reports are composed in an easy-to-understand format so that developers and other staff can quickly address the identified issues. Following the report’s publication, we will arrange a meeting to discuss all the raised issues. Additionally, IntaForensics provides remediation advice by email or telephone. Once the recommended actions have been taken, retesting can be organised.

IntaForensics offers free retesting of any vulnerabilities discovered during a penetration test. The report will then be amended to show which vulnerabilities have been addressed. There is no time limit imposed for retesting.

As regular customers of IntaForensics, I highly recommend the company for the services delivered by the cyber security team. I couldn’t praise their Cyber Essentials services and support highly enough.

Ryan James, Managing Director - nFocus

Incident Response for E-commerce Breaches: A Guide to Protecting Your Online Business

E-commerce has revolutionised how we shop, but with this digital transformation comes an increase in cyber threats. The stakes are […]

Read More

FAQs: Everything You Need to Know About Cyber Essentials and Cyber Essentials Plus

In this article, we will address the most Frequently Asked Questions (FAQs) about Cyber Essentials and Cyber Essentials Plus. From […]

Read More

Understanding the role of a SOC & SIEM for Enhancing Cyber Security

At IntaForensics, we understand the crucial role of SOC & SIEM in the current landscape. We thoroughly evaluate the benefits, […]

Read More

Contact our Cyber Security team today

Contact Us