Penetration testing

Penetration tests are the cornerstone of IT security and should be conducted continuously - for example, when there are changes in the code. Regular penetration tests of relevant assets, such as web applications, APIs, mobile apps, or general services, foster trust in your IT security.

What is a Penetration Test?

A "pentest", short for "penetration test", is a type of security test that aims to identify vulnerabilities in a computer system, network or application by simulating an attack by a malicious actor.

During a pentest, an experienced security professional (also called a "penetration tester" or "ethical hacker") will use various techniques and tools to attempt to exploit vulnerabilities in the system or application to gain unauthorized access, steal data or compromise security otherwise compromise the system. The tester might also attempt to escalate their privileges or move laterally on the network to gain access to additional systems.
The goal of a pentest is to identify security vulnerabilities before they can be exploited by real attackers and provide recommendations to improve system security. Pentests can help organizations identify weaknesses in their security posture and prioritize resources to address the most critical issues first.

How much does a penetration test cost?

Our current average value (net) over the last 15 penetration tests is around 7,200 euros. The majority of our customers have a medium-complex web application (SaaS, based on a well-known framework like Django, Laravel, Java Spring or .Net) tested. There are no on-site meetings. The test is usually carried out in 1-2 weeks. A final technical report concludes the project. Communication usually takes place via email, Slack or telephone.

BEWARE: In general, it is difficult to say what costs you will incur without knowing what the goal is and what approach we as contractors must/may choose (see the different types of penetration tests below). Applications, software, networks and infrastructures are very different and can range from “very small” to “very large”. The same can be said about the costs - so it's worth simply arranging a free meeting to discuss the point "costs". The absolute majority of our customers come with a fixed budget.

If the budget is small, we usually find a satisfactory solution - for example, we can focus on critical assets (VPN, portals with customer data, ...) or parts of the software (upload functionality, file processing, ...). The number of employees working on a pentest can also be minimized. The same applies to the scope of the final report and presentation.

Still - you definitely want some clues: A typical penetration test costs between 5,000 and 25,000 euros. Small applications in which only a certain part needs to be analyzed can also be tested for less than 5,000 euros. Especially for applications that are based on "standard components" (e.g. WordPress), you should think about whether it's worth just testing your own developments and plugins. Here it is quite common for the bill to be in the range of 1,500 and 3,000 euros. Larger projects that include several complex interrelated applications, system variants or networks can cost more than 50,000 euros.

Types of Penetration Tests

The broad types of penetration testing can be divided into black box, gray box and white box categories. In addition, you are increasingly seeing terms such as “mobile penetration test” or “API pentest” - these usually only contain statements about the target system, but not how the specific procedure is carried out.

Blackbox Pentest

A black box penetration test is usually a realistic way in which a company is attacked today. The attacker starts with no information and has to acquire it. For this purpose, various phases are passed through, which ultimately enable the attacker to carry out a successful cyberattack on the target. This approach is based heavily on military approaches, in which a lot of time is invested in reconnaissance and information gathering before the actual attack. Various sources can be used here. As a rule, the attacker has no internal information here.

Depending on the type of order, an information gathering phase is often not really necessary because, for example, the so-called scope is a specific application and the tester's job is to look for security gaps from the outside.

Greybox-Pentest

Penetration tests that follow the gray box approach are often similar to the classic black box pen test. Here, however, the tester has the opportunity to obtain certain information. For example, he is granted part of source code, documentation, API schema, access data to accounts with few rights. There is often close collaboration with the customer, who provides further information depending on the situation.

Here, too, the goal is to concentrate on what is actually important: finding relevant security gaps in the system being tested, without losing time in the reconnaissance phase. Typically, this approach has the best cost-benefit ratio.

Whitebox-Pentest

In a white box pen test, all information is made available to the testers. This allows the tester to get a comprehensive picture of the system being tested, it is clear how it communicates with other systems and, thanks to the source code that is usually available, even complex security gaps can be found. It is to be expected that the results here will be particularly good. The disadvantage, however, is that the white box test can often be very lengthy and therefore expensive.

Pentest: Blackbox vs Greybox vs Whitebox

Blackbox Greybox Whitebox
Goals Simulation of a realistic external attack and identification of external vulnerabilities. Simulation of a partially informed attack and identification of vulnerabilities with limited knowledge. Comprehensive analysis of the system and identification of internal and external and external weaknesses.
Initial situation No prior knowledge and no access to internal resources Limited prior knowledge and access to internal resources Full access to all resources and source codes
Advantages Realistic simulation of a cyberattack No internal influence Combines elements of black and white box tests
More efficient identification of vulnerabilities
In-depth analysis possible Identification of vulnerabilities in source codes and configurations
Disadvantages Potential overlooking of internal & more complex vulnerabilities. Possibly not as profound as a whitebox test. Requires a lot of time and only simulates realistic attack scenarios to a limited extent.
Time effort Low Medium High

Our pentest guidelines

Federal Office for Information Security

Link

OWASP Web Security Testing Guide

Link

Why are penetration tests so important and indispensable?

Penetration testing is necessary to identify security vulnerabilities in a system, network or application and help organizations improve their overall security posture. By identifying vulnerabilities and offering remediation recommendations, organizations can reduce the risk of a successful cyberattack and protect their sensitive data, systems and reputation.
Although more and more providers are trying to revolutionize the market with "automated penetration tests", it is almost impossible to replace the creativity of a human.

The results of a penetration test can vary depending on the scope of the test and the organization's specific goals. However, here are some common results that can be expected from a penetration test:

  1. Identifying Vulnerabilities: A penetration test can identify vulnerabilities in a system that could be exploited by an attacker. This includes software bugs, configuration weaknesses and other security vulnerabilities.
  2. Risk assessment: A penetration test can help organizations assess the risk associated with various vulnerabilities and prioritize which ones should be addressed first.
  3. Remediation Recommendations: A penetration test can provide recommendations to remediate identified vulnerabilities and improve the security posture of the system.

Activities

Aviation industry

As an external Red Team, we were allowed to attack one of the largest aviation companies.

Universities

At a British research institute we found external and internal threats.

Car manufacturers

We found dozens of security gaps for a German manufacturer.

IT companies

We were able to detect a large PII leak in a Brazilian company.

Insurance companies

We regularly assess the external IT security of potential policyholders.

Robotics

At regular intervals we carry out penetration tests against a well-known robotics application.

Railway companies

We were allowed to analyze the entire infrastructure of a foreign railway company.

SaaS providers

SaaS providers are classic customers - the complexity of these applications makes regular pen tests necessary.

Gaming

Gaming portals are also part of our customer portfolio.

Process of a penetration test

Kickoff

In a kickoff meeting, important things are discussed with responsible people. It will be clarified what and how will be tested. All things that may have already been discussed before are confirmed and critically questioned (application functions, roles/rights, test environments, no-gos, technology, ...). Together with the customer, we lay a foundation that allows us to successfully carry out the penetration test. The customer's individual wishes are also taken into account (communication during the test, test times, VPN, ...).

Execution

We get to work. As a team, we look for security gaps and problems within the defined scope. If it's a classic black box pen test against a web application, for example, we use tools such as Nmap or Burp Suite. In the first phase we try to understand the target and its regular function. We then go through each function in a structured manner and look for security gaps, incorrect configurations and general technical problems. The exact procedure, the level of automation and the selection of tools depend in detail on the specific order. Customers often require not only a very focused technical penetration test, but also a certain red teaming component. In such a case, we use OSINT, threat intelligence and others to compromise the target application in other ways if necessary (e.g. access to source code or access data through leaks on the Internet).

Reporting

We usually create a detailed report as a PDF. The report includes a summary for the management as well as the technical part. The latter describes the scope, methodology and all findings. We ensure that the customer's technical staff can reproduce our findings. It has proven useful for us to point out current problems of a general nature within the report - this way we can quickly see whether a function could become a problem in the future and what the developers would have to do to prevent this. We want to help the customer proactively. The technically responsible person receives the report at an agreed date - usually via a secure channel.

Final meeting

In a final discussion, we clarify the customer's questions, explain our findings and ensure that the customer has really understood the impact. Each final interview is very individual and is planned accordingly.

Retesting

Optionally, we offer to check the developers’ fixes. Here we not only re-execute our initially provided payloads, but also consider potential bypasses that the developers may not have had on their radar. In this way, the applications can be strengthened again.

Unfortunately, many of our customers do not want to be named. Unfortunately, showing concrete results or reports is also often undesirable or not permitted via NDA - which is more than understandable. In order to be able to prove to you as a potential customer that we know what we are doing and are successful at it, almost all of our employees are heavily involved in the area of bug bounty hunting. We search for, find and report complex critical security gaps to companies such as PayPal, Tesla or Apple. We recommend searching for the names on the Internet. You will find various public reports on platforms such as HackerOne or BugCrowd but also on "Thank you" pages from Apple, SAP or Microsoft.
We are also happy to arrange personal contacts with customers.

Services complementing a pentest

Continuous monitoring

Our eASM platform "Argos" is able to monitor your entire external infrastructure non-stop - so you and we can quickly identify potential problems. The platform looks for and reports anomalies to us.

Red Teaming

Red teaming combines all IT security disciplines to achieve a defined goal. If you are confident that your infrastructure and applications are secure, red teaming is a solid tool to ensure they stay that way.

Darknet Intelligence

Too often we are part of highly complex technical penetration tests, but these do not prevent employee data from being leaked on the Internet for the portal being tested. As a customer you should know about it!

What clients say about us