Approach

Our Pentesting Process

Our standardized process takes you quickly and easily from the initial offer to the ordering and commissioning of your desired penetration test.

1. Offer

You receive a customized offer via our configurator or by contacting us directly.

2. Verification

Your configurator selection is reviewed by our experts in a meeting together with you. Here we also answer further inquiries and get to know each other.

3. Commissioning

For the commissioning of a penetration test you receive two documents to sign: our pentesting framework contract, and a service request document containing the parameters of our offer.

4. Kick-Off

In a joint kick-off meeting we coordinate the parameters of the penetration test. We settle points such as contact persons, testing periods, testing scope, and any remaining tasks that must be completed before the test can commence.

5. Pentest

Our ethical hackers now carry out the penetration test. You will be notified of the test start and end. After the test is completed, you will receive a detailed report including a Management Summary and remediation recommendations.

6. Finalization

One to two weeks after our report is delivered, we hold a joint review meeting. During this optional meeting you can ask questions regarding the identified vulnerabilities.

Commissioning of a penetration test

Our Process

We adhere to a standardized process for the commissioning and execution of penetration tests. For the commissioning of a penetration test you receive an offer, as well as two documents to sign. The first document is our pentesting contract, which defines the legal parameters for all penetration tests. This document needs to be signed only once and applies to all subsequent orders. The second document, the service request, contains the specific parameters of the offer and is based on the framework agreements of the pentesting contract. This document needs to be signed before the penetration test can commence.

More information can be found under Pentesting-Standards.

Do you have further questions regarding our penetration test procedure? Feel free to contact us.
Our experts will gladly guide you through all steps.

Standards and qualifications

We follow recognized international standards in our pentest procedure.

Our penetration testers are highly qualified and hold several recognized offensive security certifications.

Frequent questions regarding penetration tests (FAQ)

After you have created an offer with our configurator, our experts will contact you promptly. We will then share and coordinate our next available dates with you. We gladly reserve your preferred date on a non-binding basis in advance.

Please note that the organizational contract process, including signing, often takes the most time, and that this step depends on your availability. Depending on the parameters of a penetration test, you may also need additional time to create test accounts or to configure firewall exceptions.

Our reports are generally delivered within 1-2 weeks after the penetration test has ended. Should you require earlier transmission of test results, please raise this in our joint kick-off meeting. For time-critical projects we gladly share our results earlier where possible.

More information, as well as a sample report can be found here.

All sensitive documents and credentials are provided via our encrypted file exchange platform. Files are encrypted both in transit (TLS) and at the file level (AES-256). We host the platform ourselves on German servers. Document retrieval is logged, and download links are deactivated automatically after 30 days, after which the data is fully erased.

Via this exchange platform you will receive an e-mail with a secure link for retrieving our final report (PDF). Optionally, you will also receive log data or proof-of-concept exploits as a ZIP archive.

Pentest Factory GmbH is not a recognized certification authority, which is why we do not issue security certificates after our pentests are finished. Furthermore, a penetration test is only a point-in-time snapshot of the security of a test target. We therefore refrain from making a general statement about the security of a test target.

Nevertheless, penetration tests can be used as evidence in the ISO 27001 certification of your organisation.

Identified vulnerabilities undergo a strict risk rating process in which our experts discuss the likelihood and impact of each vulnerability in detail. Retrospective adjustment of a risk rating is therefore uncommon and only possible on a case-by-case basis.

As an external contractor, we act in an advisory capacity only. Should you disagree with a risk rating, you can task your internal risk management team with a re-rating. This includes the acceptance of certain risks.

On request, we also create a separate customer note in addition to our detailed report. In it we remove all sensitive information such as IP addresses, user names and details of our exploitation process. Your customers then receive only an overview of the test results, similar to a Management Summary.

Pentest Factory specialises in offensive security assessments. Attacks that impair the availability of IT systems (such as Denial of Service attacks) are not part of our services.

Nevertheless, we gladly advise you on this topic and can refer you to our competent partners.

In some federal states, grants are available for IT security services such as penetration tests. We gladly advise you when applying for grants; please talk to one of our consultants.

You receive a detailed final report with all identified vulnerabilities, including extensive remediation recommendations. Of course, we also support you after a penetration test, e.g. with the remediation of vulnerabilities or a re-test to verify the implemented measures. Our affiliate, tacticx Consulting GmbH, can also provide extensive assistance in the fields of IT security and data protection.

If your test objects are sensitive applications or process sensitive data, we gladly arrange a separate NDA; signing one is generally not a problem. Note that our pentesting contract already contains a general confidentiality clause binding our employees.

During all pentests you will be informed of start and end times via e-mail. Furthermore, we immediately notify you of vulnerabilities with a high or critical risk rating, should they be found during the pentest. You will then receive a memo report with details of the vulnerability.

Automated vulnerability scans are often wrongly sold as full-featured penetration tests. Behind the scenes, only a few automated tools are run and the results are sold at a high price.

Pentest Factory uses automated scanning to identify basic vulnerabilities and misconfigurations. These are often considered "low-hanging fruit" and do not require manual analysis. All scanning results are evaluated by our testers and checked for false positives.

Afterwards we conduct a manual security assessment, which accounts for about 70% of the penetration test. Manual testing allows us to identify vulnerabilities that automated tools miss. According to one study, manual testing methods identify high-risk vulnerabilities with a probability of 80 to 96 percent.