Penetration Testing

Our Red Team, with 15+ years of expertise in offensive cybersecurity and intelligence, uncovers technological vulnerabilities across multiple digital assets by mimicking real-world cyberattacks using the main methodologies, helping Client to improve their resilience and OPSEC:

  • Web Application Penetration Testing:
    Our Web Application Penetration Testing (WAPT) focuses on evaluating in depth the security of a Web Application. The process involves an active analysis of the application in order to identify any weaknesses, technical flaws and vulnerabilities across areas such as Configuration and Deployment Management, Identity Management, Authentication, Authorization, Session Management, Input Validation, Error Handling, Weak Cryptography, Business Logic and Client Side. We try to identify and exploit all vulnerabilities in Client's web application, showing its attack surface, by performing 66+ security controls according to the OWASP international standard.

  • Mobile Application Penetration Testing:
    MAPT focuses on evaluating in depth the security of a Mobile Application (Android, iOS, Windows, BlackBerry). The process involves an active analysis of the application for any weaknesses, technical flaws and vulnerabilities across areas such as Platform Usage, Data Storage, Communication, Authentication, Cryptography, Authorization, Client Code Quality, Code Tampering, Reverse Engineering, Extraneous Functionality and so on. We start with a full installation of the application and then perform a complete analysis, using all the various functions available. The activity continues by analyzing where sensitive data is required, how it moves within the application, how it is used and so on. In particular, we will examine where and how the application handles sensitive information, whether the application is using the native APIs correctly and whether user credentials, session tokens, personal information and/or any other sensitive data are stored securely. As part of this analysis, checks will be carried out that examine the memory to ensure that sensitive data is properly deleted from the application. During this testing phase, we will attempt to access hidden features, as well as attempt to escalate privileges. In addition, the communication between the mobile application and all remote systems/services will be examined. Testing is performed on test mobile devices as well as with device emulators, depending on the application type and functionality. We try to identify and exploit all issues in Client's mobile application, showing its attack surface.

  • Network Penetration Testing:
    NPT focuses on evaluating in depth the security of a server (or a whole network). The process involves an active analysis of the server for any weaknesses, technical flaws and vulnerabilities. We start by mapping Client's network (either external or internal) and then we try to identify and exploit all vulnerabilities, through exploitation and privilege escalation, showing the attack surface of the analysis target.

  • WiFi Penetration Testing:
    WPT focuses on evaluating in depth the security of a WiFi network. The process involves an active analysis of WiFi assets for any weaknesses, technical flaws and vulnerabilities. We try to identify and exploit all issues on Client's WiFi network, as well as the employees' behaviour in response to sophisticated attacks (e.g. Evil Twin, Rogue AP), showing their attack surface.

  • Vulnerability Assessment:
    VA focuses on evaluating the security of a server (or a whole network) via automated vulnerability scanning. The process involves an active analysis of the server for any weaknesses, technical flaws and vulnerabilities. We start by mapping Client's network perimeter and then we try to identify any vulnerabilities via security scanning, removing false positives and showing Client's attack surface.

Rules of Engagement

  • Mission: Attacking Client's digital assets to evaluate their attack surface
  • Modality: Black-box, Gray-box
  • Methodology: OWASP, OSSTMM, CEH, PTES
  • Location: Both remotely and from within Client's company, simulating both an external and an internal attacker
  • Privacy: NDA, encrypted deliverables, secure deletion
  • Deliverable: Technical Security Report with an in-depth description of any vulnerabilities found and their risk/business impact, Security Remediation and a Remediation Plan
  • Price: Get a quote

Copyright © 2012-2021 Fulgur Security - P.iva/Vat IT03343330795