Request Quote

Contract Model

Your data is safe with us. Check out our Privacy Policy to find out how we use the information you provide.

netherlands english

Learn More

About

Who are we

profile

Joel Aviad Ossi

Senior Penetration tester. Several years of experience of professional practice.

Founder & Pentester

profile

Polina Voronina

Graduated from Berlin School of Economics and Law in "International economics".

Consultant

profile

Ameer Ashhab

Graduate UI & Frontend Designer who focuses on designing empowering digital experiences.

Designer

Services

single

one-time pentest

€ RFQ

  • Handmatige pentestsManual pentest
  • Uitgebreide rapportenComprehensive report
  • Validated Security FindingsResults presentation
  • Pentest SealWebsite Seal
  • ISO 27001, NEN 7510, PCI DSSPCI, NEN, ISO and BIO Compliant
Get Started
stack

periodic pentest

€ RFQ

  • Handmatige pentestsManual pentest
  • Uitgebreide rapportenComprehensive report
  • Validated Security FindingsResults presentation
  • Pentest SealPentest Seal
  • ISO 27001, NEN 7510, PCI DSSPCI, NEN, ISO and BIO Compliant
Get Started
question

other services

€ RFQ

  • Red TeamingRed Teaming
  • Phishing testSocial engineering
  • Security Awareness TrainingSecurity Awareness Training
  • DigiD assessmentDigiD assessment
  • PCI-DSS / PCI-PTS pentestPCI assessment
Get Started

Model

Single Pentest
WebSec will agree on a fixed price with the client for a full pentest. When choosing this model WebSec will deliver more results, detailed proof-of-concepts and agree with the client on a fixed price. This model has no strings attached to it and is mainly for large businesses such as Financial Institutions who just need to be sure that every function has been covered and is secure!

Advantages:
- Enough Time: All pages and features will be tested.
- More Results: The more testing time, the more results.

Disadvantages:
- This model could get quite above the budget of the average startup and is therefore not suited for everyone.

Minimum Contract: 1 Week
Minimum Hours: 40 Hours

single

Monthly Pentest
WebSec will agree on a limited amount of hours a month which makes this affordable for even the smallest companies while retaining the same quality and expectations as expected from a full pentest. In addition to pentesting services the client can switch each month between other services from WebSec.

Advantages:
- Affordable: Same rates but less working hours, therefore the price tag can be lower.
- Flexible: Client can switch between a pentest or other services each month.

Disadvantages:
- One year minimum contract period.

Minimum Contract: 1 Year
Minimum Hours: 16 Hours / a month

single pentest

No Cure no Pay
WebSec will only charge the customer for discovered vulnerabilities, the costs depend on the severity and impact of the vulnerabilities discovered. Request a quote to learn more about the pricing tables for the No Cure no Pay business model.

Advantages:
- Client only pays for discovered vulnerabilities.

Disadvantages:
- WebSec only tests applications using this model for specific clients who meet certain conditions, contact us for more information.

Minimum Contract: 1 Week
Minimum Hours: 40 Hours

no cure no pay

Steps

Intake

We will setup a line of communication with you and discuss your needs such as scope, rules of engagement, and discuss requirements prior to the test.

WebSec Intake

Planning

We then will begin planning, we will pick a start and end date together and determine the contact person for the test.

WebSec Planning

Pentesting

After planning, we will begin our security assessment on the agreed dates and times to see how well your current systems can withstand todays threats. We will always keep the contact person in the loop of what's happening.

WebSec Pentesting

Documentation

After extensively pentesting your system we will begin writing our report. The report will consist of everything that has been done to your system, what vulnerbilities were found and detailed explenations on how to mitigate those findings.

WebSec Reporting

Delivery

We will then setup a meeting with you to show our findings and better explain in detail what the threats mean. We will also include what needs to be done to better prevent the threats.

WebSec Delivery

CVE Numbers

U.S. DoD

10/01/2019

WSDL Parser SQL Code Execution.

CVE-2018-16803

Serpico

18/12/2019

Privileges Escalation.

CVE-2019-19857

TopManage OLK

20/01/2020

Account Takeover Exploit.

CVE-2020-6844

LabVantage 8.3

17/02/2020

Information Disclosure Exploit

CVE-2020-7959

AdminPanel

22/05/2020

SQL Injection and XSS

CVE-2020-13433

0-day

xx/xx/2020

CVE is reserved but yet to be published.

CVE-2020-9002

0-day

xx/xx/2020

CVE is reserved but yet to be published.

CVE-2020-9000

0-day

xx/xx/2020

CVE is reserved but yet to be published.

CVE-2020-8999

Common Questions

What is a pentest?

Pentest is an abbreviation for 'penetration testing'. In a pen test, pen testers put themselves in the shoes of a hacker. They try in all kinds of ways and by all possible means to gain access to the tested IT environment. In this way, they expose the weaknesses of your website, application or even entire IT infrastructure. After a pentest, you will receive a report which contains solutions to remedy these vulnerabilities.

When is a pen test useful?

Pentests provide insights with which an organization can strengthen security. This can be useful in many cases. For example, a pen test can identify the weaknesses of a new server or website. In other cases, it can be valuable to map the overall security level of the organization.
Pentests generally make sense for organizations that rely heavily on the availability of their IT systems or have valuable data where integrity and confidentiality are paramount.

How long does a pentest take?

The duration of a pentest depends entirely on the intended goal, the chosen method and the available budget. Some pen tests are very specifically aimed at a particular website or application. Other pen tests have a broader focus, often even on the entire IT infrastructure. Depending on its size and complexity, a pen test can take weeks or even months.

What is the difference between a pen test and a vulnerability scan?

A vulnerability scan checks IT systems for weaknesses through a fully automated procedure. As a result, a vulnerability scan is limited to known security errors. In many cases, a vulnerability scan does not have the intelligence to discover vulnerabilities that deviate from these known patterns.
A pentest goes much further. Pentesters search manually and automatically in the widest possible way for weaknesses in the IT environment, depending on available time, budget and scope of the assignment. They use creative attack techniques, methods and tooling such as a vulnerability scan.

Which different test methods can be used in a pen test?

1. Black box
With a black box pen test, the ethical hacker does not receive any information about the IT infrastructure in advance. In many cases, however, a scope is agreed to guarantee a complete investigation. The pen tester simulates the mindset of an opportunistic, uninformed hacker, as it were. Because the pentester has no preliminary information in addition to the scope, but is limited by time and budget, this test variant is usually the least thorough. Black box testing is useful when, for example, you are performing a test for the first time and want to get a general idea of ​​the security level.

2. Gray Box
A gray box test is a cross between a black box and a white box test. The pentesters receive limited information about the IT infrastructure in advance, such as a customer / employee account.

Gray box tests are usually less thorough than white box tests, but they do have a realistic starting point. The pentesters thus have about as much prior knowledge as, for example, a rancorous customer / employee or a well-informed hacker. Gray box surveys, for example, are often used to assess how safe an environment is from a customer or employee perspective.

3. White Box / Crystal Box
Pentesters get full disclosure in advance with a white box pen test. This allows them to perform the pen test very thoroughly. The disadvantage of this method is that it takes a lot of time, because the entire scope is examined in detail. This method is often applied to a limited scope, for example an application that is very important (business-critical) for the customer.

My organization has confidential data. Are they in good hands with a pentester?

A pentest organization with good intentions will always sign an NDA (Non Disclosure Agreement) in advance. That's a nondisclosure agreement. Data found is then in safe hands, often under penalty of a hefty fine.

How does WebSec distinguish itself from the competition?

An important distinguishing factor is the way in which we guide customers. Good consultation runs like a thread through the entire process. We clearly determine the scope, approach and objectives of the pen test in advance. In this way we maximize the effectiveness of the test.

Afterwards, we discuss and present all findings. We provide a clear management letter to the business and discuss the technical details with IT. Together with the customer, we look at the feasibility and desirability of any measures and can help prioritize them. Because ultimately, a pentest must of course result in a higher security level.

All of our pentesters are CEH and OSCP Certified, therefore you can rest assured that only the most skilled professionals will test your systems!

Contact

WebSec B.V. Map