Penetration Testing

Fingerprint Icon

Simulate attacks against your applications and systems.

Penetration testing is a simulated attack against your organisation’s information, applications and systems. The objective is to determine the effectiveness of your existing security controls, both technical and procedural.

Penetration testing seeks to emulate the capability and motivation of a typical threat actor, and uses a mixture of automated and manual techniques. The level of prior knowledge, attacker capability and underlying motivation will depend on the agreed rules of engagement, but typical examples include the following:

  • Opportunist attacker
  • Disgruntled employee
  • Malware distributor
  • Identity thief
  • Intellectual Property (IP) thief

There are many different types of penetration testing, and a wide range of approaches that can be taken. We discuss the specific requirements with our clients prior to beginning any engagement, however, in general, most engagements fall into the following categories.

Fingerprint Icon

Cloud Services Penetration Testing

Generally, the team will start with an initial connection to the cloud services over the Internet or via an authorised VPN connection, and explore further as they gain more understanding of the client’s specific service provision.

The specific steps will depend on the cloud service type, the features used by the client, and the degree to which features are exposed to the Internet or internal users.

Learn More
Fingerprint Icon

Infrastructure Penetration Testing

Generally, the team will start with a connection to the internal network, a low-privileged user account, and a typical workstation provided by the client. Depending on the scenario, the team may also have the ability to use a dedicated suite of tools to more rapidly assess the internal network, and may be provided with a limited amount of privileged information, such as a network diagram.

Learn More
Fingerprint Icon

NCSC CHECK IT Health Checks

Central Government departments and certain suppliers are required to carry out testing under the NCSC CHECK scheme to provide a greater level of assurance in the security of their technical systems. In the context of the NCSC CHECK scheme, the term “IT Health Check” means a penetration test (often supported by technical audits, build or configuration reviews) with the following additional requirements:

  • It must be carried out by an NCSC approved CHECK company.
  • It must be led by an individual holding the CHECK Team Leader (CTL) qualification.
  • All testers must hold at least CHECK Team Member qualifications.
  • All testers must hold at least SC clearance.
  • Upon completion of the test, a copy of the report is sent to NCSC.

Learn More
Fingerprint Icon

Red Team Engagement

Red Team engagements are designed to stretch and test the capability of network defenders, and to simulate the activities of known threat actors and malicious groups. As such, the capabilities and techniques used will prioritise covert access and data theft over assessment breadth and vulnerability assessment coverage. This means that the outcome of a Red Team Engagement should be treated differently to that of a penetration test.

Learn More
Fingerprint Icon

Website Penetration Testing

Generally, the team will start with an initial connection to the website over the Internet. Depending on the scenario, the team may have accounts provisioned for them by the client, which they can use to test the website(s), or they may register accounts themselves.

It is common for this type of testing to be performed against a dedicated copy of the website(s), however, the consultant teams are also experienced in testing against live, production environments.

Learn More