Roadmap
Research question
During the intake we determine the research question, the scope, the planning, and the duration of the test. The research question is central to the test: it is important to identify what you want to have tested with a pentest. Which question do you want answered?
A research question can be:
Is the web application secure?
Can a hacker gain access to certain data in my system?
Scope determination
In the scope we define what may be tested, for example the website, the network environment, systems, applications and so on. We determine the scope on the basis of a questionnaire. We advise including the entire infrastructure in the scope, as this gives the best result in reducing risk. Environments that may not be tested are noted in the scope. Before the pentest is executed, the client signs a declaration of indemnity (Pentest waiver). In this declaration the client consents to the pentest, in which an attempt is made to gain access to the systems without login credentials.
Planning
When can the pentest be executed? This can be done, for example, on a number of fixed days or weeks, outside office hours, etc. Things to take into account:
Moments when testing is not allowed.
Who is the contact person within the company during the pentest?
Duration
Our pentests are billed by the hour. Depending on the scope, the pentester determines together with the client how much time is required. The size of a website, how many pages and/or applications are active on it, and how many IP addresses need to be tested all influence the duration.
Reconnaissance
This is the exploratory phase. We make an inventory of the target, perform various scans, and ensure that everything the pentester encounters is clearly mapped out.
Go / No Go
If the exploratory phase reveals any critical vulnerabilities, the pentest can be paused. Once these vulnerabilities are fixed, the pentest is continued.
Execution
In this phase the test is executed in full, covering all aspects of the agreed scope.
Reporting
The results of the pentest are recorded in a report by the ethical hacker.
Reporting and advice
The report comes in two forms: an extended report that can be shared with your clients and customers, and a report for internal use. All vulnerabilities are classified using CVSS (Common Vulnerability Scoring System) 3.0. Each report is double-checked by a second security specialist/ethical hacker and finally by a communication specialist. The document is then securely shared and discussed with you. If desired, we will present our findings and advice to you on location.
Ask our consultants: +31 (0) 20 7881030