Your Cybersecurity Specialist.

Pentest is an abbreviation for 'penetration testing'. In a pentest, pentesters put themselves in the shoes of a hacker. They try in all kinds of ways and with all possible means to gain access to the tested IT environment. That way. they expose the weak spots of your website, application or even the entire IT infrastructure. After a pentest you can use targeted measures to remedy these vulnerabilities as well as possible.

Pentests provide insights with which an organization can strengthen security. This can be useful in all kinds of cases. For example, a pentest can identify the weaknesses of a server or website. In other cases it can also be valuable to map the overall security level of the organization.

The duration of a pentest depends entirely on the intended purpose, the chosen method and the available budget. Some pentests are very specifically aimed at a particular website or application. Other pentests are more broadly aimed, often even on the entire IT infrastructure. Depending on its size and complexity, a pentest can take weeks or even months.

A vulnerability scan checks IT systems for weaknesses through an automated process. As a result, a vulnerability scan is limited to known security errors. In many cases, a vulnerability scan does not have the intelligence to discover vulnerabilities that deviate from these known patterns.

A pentest goes much further: Pentesters search manually and automatically in the widest possible way for weaknesses in the IT environment, depending on available time, budget and scope of the assignment, using creative attack techniques, methods and tooling such as a vulnerability scan.

Roughly speaking, three test methods can be distinguished. There is no 'best' method, each variant has its own specific advantages and disadvantages. The choice therefore depends entirely on the circumstances.

1. Black box
In a black box pentest, the ethical hacker does not receive any information about the IT infrastructure in advance, but in many cases a scope is agreed to guarantee a complete investigation. The pentester simulates, as it were, the mindset of an opportunistic, uninformed hacker.Because the pentester has no prior information in addition to the scope, but is limited by time and budget, this test variant is usually the least thorough. useful when, for example, you are performing a test for the first time and want to get a general idea of ​​the security level.

2. Gray Box
A gray-box test is a cross between a black box and a white box test n hereby limited information about the IT infrastructure in advance, such as a customer / employee account.

Gray box tests are usually less thorough than white box tests, but they have a realistic starting point. The pentesters thus have about as much prior knowledge as, for example, a rancorous customer / employee or a well-informed hacker. Gray box surveys, for example, are often used to assess how safe an environment is from a customer or employee perspective.

3. White Box (also known as: Crystal box)
Pentesters get full disclosure with a white box pentest in advance. This allows them to perform the pentest very thoroughly. The disadvantage of this method is that it takes a lot of time, because the entire scope is examined in detail. This method is often applied to a limited scope, for example an application that is very important (business-critical) for the customer.

A security company with good intentions will always sign an NDA (Non Disclosure Agreement) in advance. That is a non-disclosure agreement. Any data found is then in safe hands, often under penalty of a hefty fine.

An important distinguishing factor is the way in which we guide customers. Good consultation runs like a red thread throughout the entire process. We clearly determine the scope, approach and objectives of the pentest in advance. This is how we maximize effectiveness. of the test.

Afterwards ovwe record and present all findings. We provide a clear report direction for management, and discuss a technical report with the IT department and/or programmers.