IT Security Check & Pentest+
IT-Security Infrastructure Check (Pentest+)
With our IT security check, we examine your infrastructures like a possible attacker, inside and outside your network, for technical security deficiencies and risks.
Together with you, we define the possible attack scenarios and check your infrastructure exactly as described. You receive a report and a recommendation for improving your IT security.
Your advantages at a glance
- Our IT experts are absolute professionals in this field
- We have a suitable solution for every security gap
- Your IT infrastructure is in safe hands with us
- Standards for certifications in the IT security sector can thus be met
- Decision support for security optimisation, also in connection with our CyberSecurity-as-a-Service offer
- Realistic execution of the simulated attack thanks to our many years of experience as a cloud service provider
- Cyber protection insurances take pentests into account in their premiums. Ask your insurance company here
IT security check in 6 steps
Comprehensive cyber security check for your IT infrastructure – individually tailored to your needs.
01.
Needs assessment
- Audit at a fixed price
- Clarification of your needs
- Clearly defined service description and structure of the company-related audit
Β
In the first step of a pentest, the individual goals and requirements of your company, the intended procedure and techniques used are recorded. Relevant legal and organisational requirements as well as possible contractual agreements of your company are also taken into account in order to avoid potential risks. For a joint overview, our experts record all details of the pentest in writing.
02.
Procurement of information
- Automated execution for all common security threats
- Manual check and verification of the scan results tailored to your infrastructure
Β
In the second step of a pentest, all available information about the target to be tested is collected. For the external IT infrastructure, all accessible system components are examined, while for the internal IT infrastructure, all available systems are inventoried to identify network areas, devices and services.
This information is used to check the IT infrastructure. This is done partly passively but also via an active audit, where information is correlated to identify versions and patch levels of network services, operating systems, software applications and databases. The results of the audit are used to identify vulnerabilities in the systems and applications. For this purpose, in one part there is an automated vulnerability scanner in the other part exploits are searched for and included in the test .
In summary, in the second step, the experts obtain as comprehensive an overview as possible of the system environment to be tested in order to identify possible vulnerabilities and points of attack.
03.
Risk analysis and definition
- Clearly structured report and final meeting with the technical manager
- Recommendations and support to eliminate future risks
Β
In the third step of a pentest, the information collected about the systems to be tested is thoroughly analysed and evaluated. This also takes into account the objectives of the pentest, the potential risks to the systems and the estimated effort required to identify security vulnerabilities that may be found during subsequent intrusion attempts. Based on this analysis, our specialists determine the specific attack targets for the fourth step.
04.
Risk analysis and definition
- Clearly structured report and final meeting with the technical manager
- Recommendations and support to eliminate future risks
Β
In the fourth step of the pentest, the previously identified vulnerabilities are specifically exploited to gain access to the IT infrastructure. If our specialists successfully penetrate the systems, they collect data that serve as the basis for the IT security report in the fifth step as well as the final presentation. Highly sensitive information is only documented in consultation with your company and is treated as strictly confidential. This step is generally only carried out at the client’s request, as critical systems could possibly be compromised.
05.
Risk analysis and definition
- Clearly structured report and final meeting with the technical manager
- Recommendations and support to eliminate future risks
Β
During the previous steps, a comprehensive summary of all identified systems, uncovered security gaps and possible solutions was created. The results of the pentest and the associated risks for your company are presented in a written final report, which also explains the individual test steps. If activities have taken place in step four, we will, upon request, present the collected data to you in a personal meeting, where the exploits used will also be explained.
06.
Risk analysis and definition
- Clearly structured report and final meeting with the technical manager
- Recommendations and support to eliminate future risks
Β
Based on the final report, we will draw up a comprehensive catalogue of measures for you, which you can also cover in connection with our CyberSecurity-as-a-Service solution if desired.
Test procedure
Test methods and types of pentests
An external pentest simulates an external threat that targets the company’s IT infrastructure. The pentester analyses the IT infrastructure and collects information to identify vulnerabilities that could be exploited to gain unauthorised access or cause damage. Various techniques are used, e.g. fingerprinting, scanning of networks and web applications, and social engineering.
An internal pentest, on the other hand, is conducted on the internal network within the company’s IT infrastructure. The test aims to uncover security vulnerabilities that could be exploited by internal users to access confidential data or compromise the company’s systems. This uses similar techniques to the external test, but the methods and approach are usually different because the tester already has some level of access and can therefore be more targeted.
Both tests, internal and external, can be carried out either as blackbox, greybox or whitebox tests, depending on your needs and objectives. You can find more information in our infoboxes:
Blackbox Testing
The tester has no or very limited knowledge of the systems or applications being tested.
Simulates an attack situation from outside (Internet).
The aim is to find vulnerabilities from the perspective of an external attacker.
The tester must use techniques such as fingerprinting and scanning to visualize the network.
Tests the system's resistance to external attacks.
Greybox Testing
The tester has partial knowledge of the systems or applications being tested.
Simulates an attack situation from within, with the tester having limited access rights.
The aim is to find vulnerabilities from the perspective of an internal user.
The tester has access to information such as system and network architecture, source code, log files, etc.
It is tested whether users with limited access to the system are able to access confidential information or cause damage.
Whitebox Testing
The tester has complete knowledge of the systems or applications being tested.
Simulates an attack situation from within, with the tester having full access rights.
The aim is to find vulnerabilities from the point of view of an attacker with full access rights.
The tester has access to information such as source code, database structures, configuration files, etc.
It is tested whether the system is sufficiently protected against insider attacks and whether there are possible weak points with increased access rights.