Who performs these tests?
The penetration testers performing the assessments are among the best in the industry and hold the following certifications:
What testing methodologies are you using?
We combine our own expertise with well-known methodologies such as the OWASP Testing Guide and the Penetration Testing Execution Standard. The tests are performed both manually and automatically, and we validate every finding returned by the security scanners. Depending on the complexity and the time available, we also try to demonstrate the vulnerabilities by providing small proof-of-concepts.
How long does it take?
The pentest is performed on a fixed schedule of 3 days (during working hours). We focus on the key aspects of application security and are able to offer a comprehensive picture of the relevant security issues affecting your web application. The report will be delivered within 48 hours of the test being completed.
What does the report contain?
The deliverable of this penetration test is a PDF report containing all the information you need to understand, reproduce and fix the vulnerabilities. Here you can see more details about the report.
Is this actually a Vulnerability Assessment?
No. Exploitation is what distinguishes a penetration test from a vulnerability assessment. Furthermore, exploitation is necessary to prove the real risk of a vulnerability instead of merely estimating it. In our pentests we perform limited, time-bound exploitation, but enough to understand the risk of each vulnerability. For the high-risk issues, you will receive basic proof-of-concepts that show how to trigger the vulnerabilities and how a basic exploitation can be performed.
What approvals do I need?
You need explicit authorization from the owner of the target system in order to test it. If you are using shared hosting or a managed service (e.g. Amazon, Azure, etc.), you must also request and obtain explicit permission from that provider for the test.
Can I have a pentest against a client system?
Yes, of course. You can test your clients' systems as long as you have their authorization to do so. This scenario mostly applies to consultancy companies, web development agencies and managed service providers.
How can you do it so cost-effectively?
Since we use the Pentest-Tools.com platform for scanning, aggregating results and reporting, the time required for an engagement is significantly reduced. This lets us concentrate on highly focused manual work on the important aspects, rather than spending time on setup, configuration, data gathering and manual reporting.
How does the payment work?
After you submit your pentest request, you will receive a link where you can make the payment. All payments are processed via FastSpring, which offers credit card, PayPal, wire transfer and other payment options.
Is re-testing included in this price?
One re-test is included in this price. Re-testing means a point-by-point re-verification of all the findings listed in our initial report (a re-test is not a full pentest). The result of a re-test is an email with the status of each finding (Fixed / Not fixed) and a short explanation for each one.
What if I have more questions?
Please use this contact form to ask us any additional questions; we will be happy to respond and clarify them.