Penetration Testing FAQ
A pentest attempts to exploit your vulnerabilities to determine their potential impact, should they be used in a real hacking scenario. It provides a list of vulnerabilities with their respective levels of severity, as well as technical recommendations to help your team apply corrective measures and focus on the most critical vulnerabilities.
These services allow your organization to answer the following questions, among several others:
- Can a hacker gain access to any sensitive information?
- Can a hacker hijack my technologies for any malicious acts?
- Could a malware infection spread through the network?
- Can an attacker escalate access to an administrative user?
Here are some of the main reasons to perform a penetration test:
- Comply with requirements that mandate security testing. (3rd-party, PCI, ISO27001, etc.)
- Identify vulnerabilities and get a list of prioritized fixes.
- Protect data and systems from attackers.
- Get the perspective of a hacker.
- Prevent financial losses.
Here are the main factors that can affect the cost of a penetration test:
- Scope of the project. (Number of targeted IPs, number of features in the app, etc.)
- Performed in a production or development environment.
- Type of test. (Network, Application, SCADA, etc.)
- Testing approach. (Automated or manual approach)
- Objectives. (Compliance, best practices, etc.)
Here are some common use cases for a pentest:
- As part of the development cycle of an application. (To test the security of a new feature/app)
- To comply with security requirements. (3rd-parties, PCI, ISO27001, etc.)
- To secure sensitive data from exfiltration.
- To prevent infections by malware. (Ransomware, spyware, etc.)
- To prevent disruptive cyberattacks. (Such as denial of service)
- As part of a cybersecurity risk management strategy.
The time required to successfully execute a penetration test depends on the scope and type of test. Most penetration tests can be performed within a couple of days, but some can span several weeks, sometimes even months, depending on the complexity of the project.
Vulnerability scanners are generally used by IT staff to check network infrastructures for known vulnerabilities that may have been introduced during their implementation. Penetration tests, by contrast, identify both well-documented vulnerabilities and those that have never been seen before, while providing evidence of their potential impact on your company.
While automated tests are cost-effective and require less expertise to perform, they do not yield the same level of analysis and cannot identify complex vulnerabilities (such as logic flaws in applications, or vulnerabilities in custom-built environments). Automated tests may also cause harm to your systems and pollute your databases, so their use should be limited and complementary to manual tests, and they should be performed by experienced professionals to limit their negative impact.
Manual tests, on the contrary, require much more expertise and a deep understanding of various technological contexts. They allow your organization to contextualize its vulnerabilities and provide evidence of their potential impact on your company. They can identify even the most subtle vulnerabilities that could potentially have a critical impact, which automated tests cannot identify, while causing as little harm as possible to your systems.
- OSSTMM – Provides a scientific methodology for network penetration testing and vulnerability assessment to identify vulnerabilities from various potential angles of attack.
- OWASP – Aims to identify vulnerabilities within Web and Mobile applications. Provides over 66 controls in total to assess, in order to identify potential vulnerabilities within functionalities found in modern applications today.
- PTES – Highlights the most recommended approach to structure a penetration test. This standard guides testers on various steps of a penetration test including initial communication, gathering information, as well as the threat modeling phases.
One of our senior team members will gather information regarding your technical scope, the various technologies in place and the size of your project. Based on this information, we will assign specific team members with the right skills and experience to scope your project and send you a bespoke proposal with a list of activities, efforts, methodologies used, deliverables and budget.
While we may be flexible and adapt to your deadlines, the complexity of your project might affect project scoping delays and planning.
Contact us so we can get your project started right away.
Vumetric will always recommend the safest approach possible for your penetration test. Ideally, the tests will be performed in a testing/dev environment built with the same configurations as the targeted systems. However, our specialists have the expertise to test your systems and applications even if they are in production, without impacting your day-to-day operations.
For this reason, a communication plan will be put in place at the beginning of the project to prevent and mitigate any potential impact. A representative of your organization will be identified to act as the main point of contact to ensure rapid communication in the event of a situation directly impacting the conduct of your daily operations, or if any critical vulnerabilities are identified, for which corrective measures need to be implemented quickly.
While we use a simple four-level risk rating approach (Critical, High, Moderate, Low), our risk assessment is actually based on the Common Vulnerability Scoring System (CVSS) standard. Two main criteria are considered when assessing the risk level of each vulnerability:
- Potential impact: The potential impact of an attack based on a vulnerability, combined with its potential effect on the availability of the system, as well as the confidentiality and integrity of the data.
- Exploitability: The potential exploitability of a vulnerability; a vulnerability that is easier to exploit increases the number of potential attackers and thus the likelihood of an attack. Different factors are considered when evaluating the exploitability potential of a vulnerability (e.g.: access vector, authentication, operational complexity, etc.)
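The two criteria above, worked through as an added example (not Vumetric's code or rating method). It assumes CVSS v2 base metrics, since access vector, authentication and complexity are v2 metric names, and it assumes the score-to-level thresholds, which the page does not give; they are borrowed from the CVSS v3 qualitative scale with "Medium" shown as "Moderate".

```python
# Added example: CVSS v2 base score split into impact and exploitability.
# Weights are the published CVSS v2 base-metric values.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}   # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}    # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}   # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}  # confidentiality / integrity / availability
TABLES = {"AV": AV, "AC": AC, "Au": AU, "C": CIA, "I": CIA, "A": CIA}


def parse_vector(vector):
    """Turn 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into numeric weights; reject bad input."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    if set(metrics) != set(TABLES):
        raise ValueError(f"expected metrics {sorted(TABLES)}, got {sorted(metrics)}")
    try:
        return {name: TABLES[name][value] for name, value in metrics.items()}
    except KeyError as exc:
        raise ValueError(f"unknown metric value {exc}") from None


def level(base):
    """Map a base score to a four-level rating (thresholds are an assumption)."""
    if base >= 9.0:
        return "Critical"
    if base >= 7.0:
        return "High"
    if base >= 4.0:
        return "Moderate"
    return "Low"


def score(vector):
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    if impact == 0:
        base = 0.0  # v2 rule: no impact means a base score of zero
    else:
        base = round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)
    return {"impact": round(impact, 1), "exploitability": round(exploitability, 1),
            "base": base, "level": level(base)}


if __name__ == "__main__":
    # Constructed sample vectors, not findings from any real report.
    for v in ("AV:N/AC:L/Au:N/C:C/I:C/A:C", "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "AV:N/AC:M/Au:N/C:N/I:P/A:N", "AV:L/AC:H/Au:S/C:P/I:N/A:N"):
        print(v, score(v))
```

The same impact (partial integrity loss) lands at different levels depending on how reachable the flaw is, which is why both criteria feed the rating.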
The majority of our projects are performed remotely. Modern technologies allow our team to access any kind of infrastructure/systems in a secure manner. We provide various remote access options depending on your specific context. (Existing VPN infrastructure, jump box virtual machine, or our very own Vumetric Teleporter Device)
In some cases, some specialized types of penetration tests, such as SCADA / ICS / Industrial penetration tests, may require on-site testing, as those systems might not be accessible externally.
After each engagement, the pentesters will produce a technical report detailing each vulnerability and recommendation. A comprehensive phone debriefing is conducted following submission of the report to explain each of our findings and their respective recommendations.
- Executive summary presenting the main observations and recommendations.
- Vulnerability matrix prioritised by risk level.
- Vulnerability details including the following:
  - Risk Level based on potential impact and exploitability.
  - Fixes & Recommendations to fix the identified vulnerabilities.
  - References to external resources to facilitate the implementation of our recommendations.
  - Technical details such as screenshots, system traces, logs, etc.
- Appendix detailing complementary technical information.
- Methodology used during the project. (based on recognized standards)
Absolutely! Being flexible and on-demand is a key part of Vumetric’s pentest offering.
Contact one of our specialists so we can get your project started right away.
During each engagement, a Pentest Senior Team Member is responsible for ensuring that each individual finding and the overall report meet Vumetric’s high level of quality standards, based on the ISO9001 standard and leveraging over 20 years of refined expertise to ensure the best outcome for every project.
Absolutely! Our services will provide evidence, through a technical report and an official attestation, that you have identified and successfully fixed any exploitable vulnerabilities within card processing systems and your external infrastructure, allowing your organization to comply with the PCI-DSS 11.3.x requirements.
Conducting a penetration test with a recognized third-party is one of the main requirements requested by third parties for security compliance. (Partners, insurers, etc.)
Our services will provide evidence, through a technical report and an official attestation, that you conducted a professional penetration test with a recognized independent supplier.
Our pentest reports have helped organizations across all industries to successfully meet third-party security requirements. (Insurers, partners, providers, etc.)
This will allow your organization to meet regulatory compliance requirements, or to comply with third-party requests, while ensuring that no additional vulnerabilities have been introduced during the implementation of the corrective measures.