Real Pen Tests
Let us find the weak links in your network perimeter and web applications.
Providing network reconnaissance, enumeration, vulnerability scanning, exploitation attempts, social engineering, and real-time cyber threat analysis, CyberHunter Pen Testing 2.0 is a unique blend of theoretical and actual risk identification.
What Is Pen Testing?
A penetration test, or pen test, is an authorized simulated cyber attack on one or more computer systems, applications, networks or devices. It is performed to evaluate the security of the system under test. The web server penetration testing is performed to identify security weaknesses (also referred to as vulnerabilities), that can lead to a full breach or damage to Confidentiality, Integrity or Availability (also known as CIA) of the information, application or device.
CyberHunter’s website pen testing service can help you identify issues and fix the issues to prevent a major cybersecurity breach.
Vulnerability scanning and penetration testing are terms that are used interchangeably but are ultimately different services. In plain terms, if we imagine that your application or network is a locked door, a vulnerability assessment trying to identify all the possible locks that exist on the door. Penetration testing, on the other hand, is where an ethical hacker takes their big bag of “keys” (these are tools, techniques, and procedures) and attempts to open each one of the locks with every single “key”, hoping to open the door — but with permission.
Penetration Testing
Also known as Pen Testing, this is an authorized, controlled and simulated cyber attack service that is conducted on one or more computer systems, applications, networks or devices. It is performed to evaluate the security of the system under test.
While Vulnerability Scans look for known security issues, a vulnerability scan does not attempt to exploit them as a Pen Test does. Penetration Testing takes the extra step and uses tools, techniques and procedures that hackers use to attempt to exploit any identified vulnerabilities and any other flaws in the configuration or business logic that may exist.
The goal of a Pen Test is to always try to impact any of the Confidentiality, Integrity or Availability (CIA) of the device, application or service being tested.
Unlike many organizations, CyberHunter will not simply identify an issue and move on to the next finding. We will identify the issue, produce evidence that it can be exploited, discuss the issue in plain terms with your team, and we will also recommend ways to fix the issues. Furthermore, all CyberHunter Penetration Tests come with a free targeted re-test (contact CyberHunter for details).
CyberHunter performs the following types of penetration testing:
- Black box external network testing
- Web application testing (credentialed)
- Internal “post-breach” simulation testing
- Social engineering
- Mobile application (iOS / Android)
- Wifi network
What Type of Pen Test Do You Need?
Pen Test Categories
In general, there are two categories of penetration testing or “pen test” that customers usually want: customer-driven / compliance-driven, OR penetration tests that attempt to exploit people, process or technology with the objective of breaking into the network and gaining access to digital assets and/or measuring the actual security effectiveness of the organization.
Scenario 1 Pen Testing
Customer-Driven or Compliance-Driven
Example: “We have a new web application and one of our biggest clients / partners needs us to get a 3rd party pen test performed for their risk team or auditor”.
This scenario is quite common with many start-up organizations. The ultimate goal is to receive a clean bill of health (or report) that can be shared with an external audience that shows rigorous security testing was performed and the target being tested responded very well with some minor issues.
In this type of situation, CyberHunter will first work with your team to ensure the proper type of testing is performed so that an auditor or risk team will accept it. We will test the target with a variety of methods, including vulnerability scanning and manual penetration testing. Once it is completed, we will deliver a technical report outlining any verified issues as well as how to resolve them. When the remediation phase is completed and all the important issues and vulnerabilities are fixed (Critical, High, and Medium severity at a minimum), CyberHunter will retest the findings and re-issue the report, also including an executive summary that can be shared with a 3rd party audience.
In some cases, regular penetration testing services are required (yearly, bi-annually or quarterly). CyberHunter is happy to work with your team to provide these continuous services so that development can keep on top of issues prior to any new software or service launch.
Scenario 2 Pen Testing
Breach the Network (Red Team Exercise)
Example: “We are looking to test and improve our overall cybersecurity posture and we need an ethical hacker to try to break into our network.”, OR “We would like to test the detection and response capability of our security controls / security operation center.”
This scenario describes a more traditional penetration test. This type of pen test (also called a Red Team exercise) simulates an adversarial role and is a far more realistic way to test the security readiness of an organization. This testing covers exploitation attempts against People, Process, and Technology.
There are two phases to this type of operation. First, we need to breach the network perimeter and get invited into the network by an insider. This is usually done using social engineering techniques (e.g. phishing).
Given enough time and effort, social engineering will almost always work. So, in order to reduce the scope and budget required, CyberHunter will often begin testing from an inside position (i.e. as if an insider has clicked the wrong link or opened a malicious attachment). From that vantage point, your internal security posture can be measured in terms of “did you see us / did you stop us?”. Or, there can be a specific objective such as retrieving a file from an executive fileshare.
Why Choose CyberHunter?
At CyberHunter, we believe that every client is unique and each project should be treated as priority #1. Our team members are highly credentialed penetration testing and cybersecurity professionals (CISSP, OSCP, OSWP, CJIS Level 4, CompTIA Security+, IBM Certified Application Developers, etc.) and are absolutely the best that the industry has to offer.
We guarantee professional, timely, accurate results and ensure that each client is 100% satisfied with the work that is delivered.
The CyberHunter Assessment Process
1) Requirements Discussion
The initial kick-off typically involves email exchanges, phone call discussions with team members, meetings and possibly a demonstration of the test targets (if required). The objective is to collect enough information to build a Proposal.
2) Service Proposal
Next, CyberHunter will deliver a Proposal to the Client. The Proposal will contain a high-level Statement of Work (SoW) and a Quote for the requested services. Once both parties are satisfied with the Proposal contents, CyberHunter will send a DocuSign version for electronic signature.
3) The Paperwork
Any legal paperwork that is required by the Client or CyberHunter shall be exchanged at this stage. This can include such documents as a Non-Disclosure Agreement (NDA) or a Master Services Agreement (MSA) if there is ongoing work required.
4) Invoicing for Services
Once the paperwork has been exchanged and the testing is ready to begin, a deposit will be required from the Client according to the Terms outlined in the signed agreement.
5) Test Initiation
At this point, the testing shall be scheduled and team members will be assigned to the effort.
6) Initial Technical Report Delivery
After the first round of testing has been completed, an Internal Detailed Findings Report shall be delivered to the Client within 2-3 business days if possible. The Client is welcome to engage the testing team in discussion to review results and question any findings and remediation guidance that they provided.
7) Remediation of Discovered Issues
At this stage, the Client should begin the work to remediate any Critical, High and Medium severity issues identified by CyberHunter during the initial penetration testing. Low and Informational severity findings are items that were not exploitable, and should be resolved in the fullness of time.
8) Targeted Retesting
For penetration testing service offerings, CyberHunter will retest any issues that were identified during the initial penetration test and have been fixed. It is desirable that this retesting be done within a single test window within 90-120 days following the initial test.
9) Final Report Delivery
CyberHunter shall offer the Client the option of two final reports if required:
-
- Internal Detailed Report – A technical report showing original findings, and any successfully remediated issues. Suitable for internal use.
- External Summary Report – This is a high-level summary of outstanding issues. Technical descriptions of outstanding issues are summarized but not detailed and can be shared with interested 3rd parties requiring evidence of testing.