Frequently Asked Questions
What is a penetration test?
A pentest attempts to exploit your vulnerabilities to determine their potential impact, should they be used in a real hacking scenario. It provides a list of vulnerabilities with their respective level of severity, as well as technical recommendations to help your team apply corrective measures and focus on the most critical vulnerabilities.
These services allow your organization to answer the following questions, among several others:
- Can a hacker gain access to any sensitive information?
- Can a hacker hijack my technologies for any malicious acts?
- Could a malware infection spread through the network?
- Can an attacker escalate access to an administrative user?
Why perform a penetration test?
Penetration tests can be performed with various intentions and help reach various objectives. From meeting third-party requirements, to securing business partnerships, to testing a new feature as part of a development cycle, they can serve several purposes.
Here are some of the main reasons to perform a penetration test:
- Comply with requirements that mandate security testing. (3rd-party, PCI, ISO27001, etc.)
- Identify vulnerabilities and get a list of prioritized fixes.
- Protect data and systems from attackers.
- Get the perspective of a hacker.
- Prevent financial losses.
How much does a penetration test cost?
The price of a penetration test can vary widely according to several factors. For this reason, there is no established price range for this type of assessment. Each project is tailored to your objectives and your technological environment. Many factors must be determined before the cost can be established.
Here are the main factors that can affect the cost of a penetration test:
- Scope of the project. (Number of targeted IPs, number of features in the app, etc.)
- Performed in a production or development environment.
- Type of test. (Network, Application, SCADA, etc.)
- Testing approach. (Automated or manual approach)
- Objectives. (Compliance, best practices, etc.)
Learn more about the main factors that determine the cost of a penetration test →
When should I conduct a penetration test?
There are many contexts in which a penetration test should be performed.
Here are some common use cases for a pentest:
- As part of the development cycle of an application. (To test the security of a new feature/app)
- To comply with security requirements. (3rd-parties, PCI, ISO27001, etc.)
- To secure sensitive data from exfiltration.
- To prevent infections by malware. (Ransomware, spyware, etc.)
- To prevent disruptive cyberattacks. (Such as denial of service)
- As part of a cybersecurity risk management strategy.
All businesses are advised to conduct a penetration test at least once a year, as well as after any significant upgrades or modifications to the company network. Given the rapid rate at which new exploits are discovered, we generally recommend that tests be performed quarterly.
How long does a penetration testing project generally last?
The time required to successfully execute a penetration test depends on the scope and type of test. Most penetration tests can be performed within a couple of days, but some can span over several weeks, sometimes even months depending on the complexity of the project.
What is the difference between a pentest and a vulnerability scan?
Vulnerability assessments and penetration tests are the most common techniques to uncover and fix cybersecurity flaws within your technologies. While some similarities exist between the two, they are often misinterpreted as the same thing although they yield very different degrees of analysis.
Vulnerability scanners are generally used by IT staff to check network infrastructures for known vulnerabilities that may have been introduced during their implementation. Penetration tests, by contrast, identify both well-documented vulnerabilities and those that have never been seen before, while providing evidence of their potential impact on your company.
Learn more about the main differences between vulnerability assessments and pentests →
What is the difference between automated and manual pentests?
Similar to the previous point, automated tests (known as vulnerability scanners or vulnerability assessments) allow IT teams to identify potential misconfigurations and known vulnerabilities within the versions of their software, operating systems and technologies.
While automated tests are cost-effective and require less expertise to perform, they do not yield the same level of analysis and cannot identify complex vulnerabilities (such as logic flaws in applications, or vulnerabilities in custom-built environments). Automated tests may also cause harm to your systems and pollute your databases, so their use should be limited, complementary to manual tests, and performed by experienced professionals to limit their negative impact.
Manual tests, on the contrary, require much more expertise and a deep understanding of various technological contexts. They allow your organization to contextualize its vulnerabilities and provide evidence of their potential impact on your company. They can identify even the most subtle vulnerabilities that could have a critical impact and that automated tests cannot detect, while causing as little harm as possible to your systems.
What are the best penetration testing methodologies and standards?
There are multiple recognized penetration testing methodologies and standards that can be used depending on the type of assessment. Here are some of the most recognized methodologies:
- OSSTMM – Provides a scientific methodology for network penetration testing and vulnerability assessment to identify vulnerabilities from various potential angles of attack.
- OWASP – Aims to identify vulnerabilities within web and mobile applications. Provides over 66 controls in total to assess, covering the functionalities found in modern applications today.
- PTES – Highlights the most recommended approach to structuring a penetration test. This standard guides testers through the various steps of a penetration test, including initial communication, information gathering and the threat modeling phases.
Learn more about the top penetration testing methodologies and standards →
How is Vumetric's pentest scoping performed?
One of our senior team members will gather information regarding your technical scope and the various technologies in place, allowing us to determine the effort required for your test. Based on this information, we will assign specific team members with the right skills and experience for your project. Once the scope is well-defined, we will send you a proposal that includes:
- A list of activities
- Methodologies used
- Fixed pricing
How soon can you start my penetration testing project?
While we may be flexible and adapt to your deadlines, the complexity of your project might affect scoping and planning delays.
Contact us so we can get your project started right away.
Are Vumetric's penetration tests performed in a live environment?
Vumetric will always recommend the safest approach possible for your penetration test. Ideally, the tests will be performed in a testing/dev environment built with the same configurations as the targeted systems. However, our specialists have the expertise to test your systems and applications even if they are in production, without impacting your day-to-day operations.
Can your penetration tests impact my business operations?
Various steps are taken over the course of the project to prevent the potential impact of our tests on the stability of your technological environment and the continuity of your business operations.
For this reason, a communication plan will be put in place at the beginning of the project to prevent and mitigate any potential impact. A representative of your organization will be identified to act as the main point of contact to ensure rapid communication in the event of a situation directly impacting the conduct of your daily operations, or if any critical vulnerabilities are identified, for which corrective measures need to be implemented quickly.
How do you measure the identified risks?
While we use a simple four-level risk rating (Critical, High, Moderate, Low), our risk assessment is actually based on the Common Vulnerability Scoring System (CVSS) standard. Two main criteria are considered when assessing the risk level of each vulnerability:
- Potential impact: The potential impact of an attack based on a vulnerability, combined with its potential effect on the availability of the system, as well as the confidentiality and integrity of the data.
- Exploitability: The potential exploitability of a vulnerability; a vulnerability that is easier to exploit increases the number of potential attackers and thus the likelihood of an attack. Different factors are considered when evaluating the exploitability potential of a vulnerability (e.g.: access vector, authentication, operational complexity, etc.)
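As an added illustration of the two criteria above (example code, not Vumetric's own scoring tool), the following Python computes a CVSS v2 base score from its impact subscore (confidentiality, integrity, availability) and its exploitability subscore (access vector, access complexity, authentication), then maps it onto a four-level rating. The metric weights and formula are the published CVSS v2 ones; the Critical/High/Moderate/Low thresholds are an assumption, since the page does not state them.

```python
# Added example, not Vumetric's own tooling: CVSS v2 base-score calculator that
# derives the two criteria above (impact on C/I/A; exploitability from access
# vector, access complexity, authentication). Weights and formula are the
# published CVSS v2 ones; the four-level thresholds below are an assumption.
import math

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # local, adjacent, network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # high, medium, low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # multiple, single, none
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}         # none, partial, complete
METRIC_TABLES = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
                 "C": CIA_IMPACT, "I": CIA_IMPACT, "A": CIA_IMPACT}
# Assumed mapping of the 0-10 score onto Critical/High/Moderate/Low (not from CVSS).
RATING_THRESHOLDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Moderate"), (0.0, "Low")]

def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into a dict, rejecting unknown metrics/values."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    if set(metrics) != set(METRIC_TABLES):
        raise ValueError("vector must contain exactly AV, AC, Au, C, I, A")
    for name, value in metrics.items():
        if value not in METRIC_TABLES[name]:
            raise ValueError(f"unknown value {value!r} for metric {name}")
    return metrics

def impact_subscore(m):
    """Potential impact: combined loss of confidentiality, integrity, availability."""
    c, i, a = (CIA_IMPACT[m[k]] for k in ("C", "I", "A"))
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))

def exploitability_subscore(m):
    """Exploitability: how reachable the flaw is and how easy it is to trigger."""
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]

def base_score(vector):
    """CVSS v2 base score rounded to one decimal, as the standard specifies."""
    m = parse_vector(vector)
    impact = impact_subscore(m)
    if impact == 0:  # no C/I/A loss means no risk, however exploitable the flaw is
        return 0.0
    raw = (0.6 * impact + 0.4 * exploitability_subscore(m) - 1.5) * 1.176
    return math.floor(raw * 10 + 0.5) / 10  # round half up, not banker's rounding

def rating(vector):
    """Map the base score onto the assumed four-level scale used in the report."""
    score = base_score(vector)
    return next(label for floor, label in RATING_THRESHOLDS if score >= floor)
```

A fully remote, unauthenticated, complete-compromise vector scores 10.0, while the same access path with only partial impacts scores 7.5, which is the distinction between the two criteria the rating is built on.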
Are your penetration tests performed on-site?
The majority of our projects are performed remotely. Modern technologies allow our team to access any kind of infrastructure/systems in a secure manner. We provide various remote access options depending on your specific context. (Existing VPN infrastructure, jump box virtual machine, or our very own Vumetric Teleporter Device)
In some cases, some specialized types of penetration tests, such as SCADA / ICS / Industrial penetration tests, may require on-site testing, as those systems might not be accessible externally.
What can you target during a penetration test?
There are no projects out of the ordinary for us. We have performed penetration tests in the most diverse environments and on a wide range of technologies. From IoT/smart devices, industrial systems and cloud infrastructures to applications of all types with various API integrations and corporate networks, we leave no stone unturned, whatever your technological context.
What happens after a penetration test is completed?
After each engagement, the pentesters will produce a technical report detailing each vulnerability and the associated recommendations. A comprehensive phone debriefing is conducted following submission of the report to explain each of our findings and their respective recommendations.
What are the deliverables of a penetration test?
- Executive summary presenting the main observations and recommendations.
- Vulnerability matrix prioritized by risk level.
- Vulnerability details, including the following:
  - Risk level based on potential impact and exploitability.
  - Fixes & recommendations to address the identified vulnerabilities.
  - References to external resources to facilitate the implementation of our recommendations.
  - Technical details such as screenshots, system traces, logs, etc.
- Appendix detailing complementary technical information.
- Methodology used during the project. (based on recognized standards)
More details regarding the 5 items you should find in a penetration testing report →
I need a pentest report ASAP, can Vumetric help me?
Absolutely! Being flexible and on-demand is a key part of Vumetric’s pentest offering.
Contact one of our specialists so we can get your project started right away.
How does Vumetric ensure the quality of their reports?
During each engagement, a Pentest Senior Team Member is responsible for ensuring that each individual finding and the overall report meet Vumetric’s high quality standards, based on the ISO9001 standard and leveraging over 20 years of refined expertise to ensure the best outcome for every project.
Can Vumetric's services help me satisfy PCI-DSS requirements?
Absolutely! Our services will provide evidence, through a technical report and an official attestation, that you have identified and successfully fixed any exploitable vulnerabilities within card processing systems and your external infrastructure, allowing your organization to comply with the PCI-DSS 11.3.x requirements.
How can Vumetric help me comply with 3rd-party requirements?
Conducting a penetration test with a recognized and independent supplier is one of the main requirements mandated by third parties for security compliance. (Partners, insurers, etc.)
Our services will provide evidence, through a technical report and an official attestation, that you conducted a professional penetration test with a recognized independent supplier.
Our pentest reports have helped hundreds of organizations across all industries to successfully meet third-party security requirements. (Insurers, clients, partners, providers, etc.)
Can you perform a retest to validate the fixes we implemented?
Absolutely! We can retest the identified vulnerabilities to validate the implementation of our recommended corrective measures and depending on your needs, provide an attestation that previously identified vulnerabilities have been successfully fixed.
This will allow your organization to meet regulatory compliance requirements, or to comply with third-party requests, while ensuring that no additional vulnerabilities have been introduced during the implementation of the corrective measures.