  • Professional penetration tests

    Strengthen your ransomware resilience thanks to controlled hacker attacks!

    Penetration testing 

    Penetration testing aims to detect vulnerabilities and errors that threaten the security of a system – ICT infrastructure, network, application, or website.   

    Pentests should be carried out systematically and can vary in scope, most often forming part of an audit of IT systems and infrastructure. Their main objective is to examine how resistant a network is to intrusion and how effective the security measures in place are.

    Black box, gray box, white box tests  

    We perform penetration testing at all levels:  

    1. White box or crystal box tests – testers work according to information about the system under test provided by the client.

    2. Black box tests – testers independently obtain the information necessary to compromise systems; this model best reflects an actual cyberattack.

    3. Gray box tests – a hybrid of the two methods mentioned above.

    An essential part of each test is a summary report that describes the problems identified and assesses the risk of occurrence. It includes specific recommendations aimed at their effective elimination.  

    Assess whether you would benefit from penetration testing  

    Penetration testing should be a mandatory part of your IT strategy if: 

    You are the owner or manager of a company that has an IT infrastructure 
     

    You store data, especially sensitive and personal data

    You want to protect your knowledge, patents, and company know-how 

    In your company, at least part of the team works remotely. 

    Effects of penetration testing   

    You will review the effectiveness of the security features  

    You will find out how well your assets are currently protected. 

    You will investigate the system’s vulnerability to a potential cyberattack  

    You will launch a hacking attack on the infrastructure in a controlled manner. 

    You will make the most of your equipment 

    You will learn how to get rid of vulnerabilities using existing solutions. 

    You will set up a recovery plan 

    You will receive detailed recommendations in line with the best security practices. 

    You will avoid the costs of a real attack 

    Both in terms of image and in terms of stopping production lines or operations. 

    You will gain credibility 

    You will appear to your business partners as a technologically aware partner that is ahead of the competition. 

    How do we conduct controlled attacks?  

    Preparatory phase 

    • Defining the needs and establishing the scope of penetration testing, consulting with our experts and defining the client’s problems. 
    • Q&A session with IT managers.  
    • The signing of the audit agreement. 

    Penetration tests 

    • Reconnaissance.  
    • Scanning.  
    • Data collection.  
    • Use of detected vulnerabilities to test the resilience of systems.  

    Advisory phase 

    • Drafting of a comprehensive report detailing the defined problems and recommending solutions.  
    • Discussion of the report at a dedicated meeting with the customer. 
    • Advisory support for the implementation of security recommendations.
    • Optional re-testing.  

    Penetration tests – FAQ  

    How often should penetration tests be conducted?  

    It is best to do this periodically, at least once a year, and whenever changes are made to the systems. After the pentest phase, it is also worth performing a re-test, i.e. verification of the changes made (checking that they have been implemented correctly and have not led to new security vulnerabilities).   

    How long does pentesting last? 

    A pentest, depending on the type, size, and complexity of the structure being tested, can take from a few days to several weeks.  

    How do you check the competence of pentesters?  

    The technical competence of pentesters is confirmed by certifications issued by international cybersecurity organizations. Experience in projects similar to yours is also important.

    What is the difference between a security audit and a penetration test?  

    A penetration test covers only a specific part of the system (infrastructure, application, network or website) and is one component of a security audit. The audit covers the entire system being audited.

    What documentation will I receive after the penetration tests? 

    Grandmetric’s security reports are detailed and meticulously produced documentation. They include by default:

    • Executive Summary. 
    • Technical description of the report. 
    • A list of vulnerabilities with classification (high, medium, low). 
    • Vulnerability listing. 
    • Proof of finding for each vulnerability (Proof of Concept) with console dumps or screenshots. 
    • A list of recommendations for each vulnerability.

    Wondering if pentesting is worthwhile? Let’s talk! 


      “In today’s world, the methods and so-called vectors of attacks and spreading hazards are exceptionally diverse, not to say – sophisticated. We are faced with an ever-increasing number of possible interfaces, protocols, and interfaces with different parts of the IT environment. This is why all places where a potential attack could occur should be taken into account.”

      Marcin Biały, Advisory Architect | Board Member at Grandmetric
