Penetration Testing

An authorized, simulated attack exercise conducted manually by our qualified security experts, who attempt to find and exploit vulnerabilities in a computer system.

What is Penetration Testing?

Exploiting vulnerabilities within a time constraint

Ethical Hacking

Finds vulnerabilities that an automated scanner cannot discover

Manual pentesting requires skilled and experienced experts

Assesses the effectiveness of the existing suite of security controls more proactively

Client consents to a carefully designed project scope and rules of engagement

Recommends appropriate defences to strengthen the security posture

Why Pentest?

To meet compliance and regulatory requirements

ISO 27001
HKMA TM-E-1 Risk Management of E-banking v.3 Oct 2019
HKMA Cyber Resilience Assessment Framework
PCI DSS / GDPR compliance
SFC Guideline on Cybersecurity for licensed corporations, eff. Jul 2018
Insurance Authority Guideline on Cybersecurity, eff. Jan 2020
HKSARG Security Risk Assessment and Audit

To test a new system or an application before production

To measure the effectiveness of the controls and demonstrate it to management

Scope of Penetration Testing

Web/Mobile Application

Wi-Fi Network

External/Internal Network

Active Directory

API

Cloud Security

Standards we reference

US NIST Special Publication 800-115 Technical Guide to Information Security Testing and Assessment

Open Web Application Security Project (OWASP)

OWASP Top 10
OWASP Mobile Top 10
OWASP MASVS-L1 or L2 or +R requirements
OWASP API Security Top 10

Consultant Certifications

[Certification logos: CISSP, CISA, ISO/IEC 27001 Auditor, OSCP, OSWP, eCPTX, GREM, AWS, Alibaba Cloud]

Our Penetration Testing Methodology

Our four-stage penetration testing is based on NIST SP 800-115 guidance.

Planning

Testing goals and rules of engagement are set.

Discovery

Black box or grey box approach. Information gathering and automated scanning to identify known vulnerabilities.

Attack

Exploit vulnerabilities and perform additional discovery upon gaining new access; this additional discovery feeds back into the Discovery stage.

Reporting

Document all found vulnerabilities and exploits, failed attempts, and recommend safeguards to mitigate the risk. Verification of remediations performed by clients.

Our Penetration Testing Deliverables

A report that includes an executive summary, scope, findings, evidence and recommendations

A presentation to summarize the key findings

A sample can be made available upon request

Frequently Asked Questions

What’s the key difference between Pentest and Vulnerability Scanning?

A pentest applies manual effort to exploit the identified vulnerabilities and to discover unknown vulnerabilities.

Vulnerability scanning uses automated tools to discover known vulnerabilities.

What is the key factor influencing the number of findings in a pentest?

Besides the pentester’s skill set, time is also a key factor.

Time-limited engagements do not allow for a full evaluation of all security controls. The assessment must therefore be prioritized to identify the weakest security controls an attacker would be likely to exploit within the time constraint.

What are the risks of a Pentest?

The potential risks may include data disclosure, system outage, traffic slowdown, etc.

However, with agreed rules of engagement, the pentest can be conducted in a more controlled manner to keep the risk to a minimum.