We have experience in testing virtually any kind of system, platform and codebase for everything from start-ups to large enterprises. Regardless of the type of system, our penetration testing methodology ensures a thorough assessment and provides our clients with actionable results and clear-cut mitigation strategies that improves the security of the system.
We normally recommend white-box penetration tests where we have access to any source code, documentation and system users that are available. This is much more efficient for us, and we avoid the risk of missing vulnerabilities that would otherwise require some form of guesswork to be uncovered. However, we do understand that in some cases this is not feasible, such as when working with vendors with closed-source products, in due-diligence processes in acquisitions etc. and we have a good track record working in these conditions as well.
A penetration test is most often limited in time. We have automated the discovery and reporting of simple vulnerabilities, so we can focus on finding the more complex ones. We commonly report our findings continuously in our clients' systems, be it Jira, Shortcut, directly in the IM channel or something else. The team responsible for remediating the findings can assess it immediately, we can discuss them before the project is finished and when the final report arrives, it will not contain any surprises. This also has the added benefit of being much easier to digest than a hundred page PDF report.
We test your applications end-to-end, regardless of the platform and technologies used. While no two applications are the same, and we adapt our methodology for each project, we rely on recognized open source standards such as OWASP ASVS and OWASP WSTG.
We have experience from testing a large number of mobile applications for iOS and Android, following standards such as OWASP MSTG and MASVS. We test for vulnerabilities in the application, data storage, OS integration, backend APIs and more.
We are well versed in testing cloud and hybrid environments in all the big cloud providers, and we know the security pitfalls. We have even found vulnerabilities in the cloud providers' systems, including Azure EventHubs, Azure DevOps, Google Cloud Endpoints and more.
We test your infrastructure from a given starting point, such as the internet or the internal corporate network. We exploit the vulnerabilities in a controlled manner to provide a realistic severity based on both system and business impact.
While most of the penetration tests we perform can be categorized as one of the above, we have experience with more uncommon types of test as well, such as locked down clients, embedded systems, ships, power plants and OT systems.