PENTESTING
It is becoming increasingly important for organisations to be aware of cybersecurity. Whether you want to demonstrate compliance with ISO 27001 or NEN 7510 certification, or simply consider it important to protect your data properly, preventive action matters most.
Even when you think you have arranged everything properly (on paper), practice often turns out to be different. By having a pen test performed, you gain insight into the vulnerabilities. We do not look for a single way in, but advise you on the overall picture. We will work with your organisation to reduce the risk of a data breach as much as possible. We are therefore happy to be your partner in the field of cybersecurity.
The subject of the pen test does not matter to us. Together we ensure that the information security of your organisation is as good as possible. Some examples of tests we perform are:
Vulnerability scan
Risk assessment/Security audit
Cloud security
Code review
SOC/SIEM assessment
Configuration check
Social Engineering
DigiD assessment
Besides the range of things we can pen test for you, there are various ways to approach these tests. In addition to one-off compliance pen testing, we can also support your organisation through agile or continuous pen testing.
What is a pentest?
By commissioning a pen test, you give our ethical hackers permission to hack (part of) your organisation. Instead of having the vulnerabilities abused, you gain insight into the ways an attack on your organisation could be carried out. We are happy to help you on your way to a well-secured IT infrastructure with concrete advice.
What requirements must a pen test meet?
We are happy to discuss which guidelines we use to carry out the pen test. It may be that this has already been established, for example because you want to start using DigiD. If you do not have fixed guidelines that must be met, we will be happy to advise you on the most appropriate guidelines.
OWASP Application Security Verification Standard (ASVS)
OWASP Mobile Application Security Verification Standard (MASVS)
NCSC ICT security guidelines for web applications (DigiD assessment)
NIST Technical Guide to Information Security Testing (800-115)
Baseline Government Information Security (BIO)
MITRE ATT&CK Framework.
What can be pen tested?
Simply put: everything! It does not matter what your organisation wants to subject to a pen test. Everything can be viewed from the principle “How can this be abused?”. Of course, it is important that performing the pen test is of value to your organisation. We are happy to work with you to determine what matters.
Some examples of this are:
Web application(s)
Application Programming Interface (API)
Systems and network (IT infrastructure)
Mobile applications.
A pen test does not have to be focused only on technology. We believe it is important to help you become as independent as possible with regard to cybersecurity in the long term. For example, how can new vulnerabilities be prevented within your organisation? By looking not only at the IT infrastructure but also, for example, at the surrounding processes, you get a better grip on the security of your organisation.
What can I expect from a pen test?
The most important thing is that your organisation gains insight into the vulnerabilities within its IT infrastructure. How we share this with you is up to you to decide! It may be desirable to receive a detailed report that can be used for audits. We will prepare this for you with concrete advice on how to resolve the findings and a recommendation on how to approach them. Don’t need a report? You may prefer that the findings are posted directly to the development team’s backlog. In short: everything is negotiable.