Penetration test
The ultimate test for your IT security landscape.
Targeted vulnerability analysis through realistic attack simulations
Individual reports with clear recommendations for action
Lasting optimization of the IT security landscape
One of the most effective methods of assessing an organization's security status is penetration testing – a targeted security audit conducted by experts to uncover potential gaps in IT infrastructures.
Our experts test your company for vulnerabilities, using the same tactics, techniques and procedures (TTPs) as real attackers, complemented by strategic testing and consulting. Based on our many years of experience and expertise in offensive and defensive security, we offer you targeted recommendations and solutions to identify and minimize your attack surface.
What gaps does your IT infrastructure have?
What can be tested?
Tests of the external environment
Checking the resources accessible from the internet
Website, store, portal, mobile applications, API interfaces
Test of the email attack vector
Test of security measures against malicious emails
Phishing and spear phishing
Provoking a user action
Tests of the internal environment
Assume breach approach (e.g. using ransomware)
Checking internally accessible resources with unprivileged user context
The human factor
People remain a central component of many security vulnerabilities. As part of penetration tests, we not only examine technical vulnerabilities, but also the security of your employees when dealing with digital threats. Controlled phishing and spear phishing campaigns allow us to simulate real attack scenarios in order to measure and strengthen security awareness in a targeted manner. In this way, we identify weaknesses in processes and communication channels – before a real attacker does.
What do you get at the end of the assessment?
Detailed overview of your vulnerabilities (including software, configuration and design)
Tried and tested recommendations for suitable preventive measures
Pentesting procedure
Kick-off meeting
Analysis of the status quo: our team agrees the aim and scope of the pentest with you.
Reconnaissance / Intelligence Gathering
Information gathering: the aim is to obtain a complete overview of the digital attack surface.
Vulnerability Assessment
We carry out scans and check the identified vulnerabilities.
Exploitation
The actual attack on your IT systems begins. The previously identified vulnerabilities are actively exploited to penetrate the systems as far as possible and to escalate privileges.
Report & Documentation
The vulnerabilities found are classified according to their risk, and a catalog of measures is drawn up to remediate the security issues.
Different test methods for different requirements
Black-Box
The most realistic simulation of a cyber attack by unknown attackers.
Access level: No access and no internal information is provided.
Grey-Box
A certain degree of internal access and knowledge is provided.
Access level: Background information such as IP ranges or identities is provided in advance.
White-Box
An attack is simulated in which the attacker has access to internal company information.
Access level: Full access to applications and systems.
Benefits of our pentesting reports
Clearly structured and concise scope
Intuitive structure for quick orientation
Concise management summary for decision-makers
No standard reports – created individually and manually
Available in German or English – depending on individual requirements
Segmentation, e.g. by location or business unit
Specific, actionable recommendations for each weak point
Flexibly expandable according to individual requirements
The difference between red teaming and pentesting
While a pentest aims to uncover security vulnerabilities across the board, a red team assessment is usually tied to a specific goal. In a pentest, the way in which the security check is carried out is defined up front in order to test specific areas of a company. In red teaming, only the objective is stated; the Possehl Secure Pentesting Team independently decides which sequence of attacks is most likely to reach that objective and carries them out autonomously.
It is important to note that red teaming is not suitable as a first step in evaluating the general state of IT security in a company. Rather, it should be seen as an advanced test that builds on penetration tests that have already been carried out. Only once basic security vulnerabilities have been identified and remediated can a red teaming assessment specifically test the effectiveness of existing protective measures and response capabilities – particularly with regard to real attack scenarios and the performance of the blue team.
A specific type of red teaming operation has been defined in the European environment by the European Central Bank and in the national environment by the Deutsche Bundesbank: TIBER-EU and TIBER-DE. The frameworks established there define requirements that aim to strengthen the resilience of financial companies against extended attack campaigns in and on the financial sector.
The result
Our offensive security team helps you to look at your company through the eyes of an attacker and uncovers potential vulnerabilities. We document our approach and the security gaps we uncover in a final report. We support you with solution-oriented countermeasures in the form of concrete recommendations for action. Last but not least, a red teaming operation is also a good opportunity to check whether your security team (blue team) is capable of recognizing and defending against professional attacks.
The scenario
One possible scenario for a red teaming operation is, for example, obtaining a specific personnel file or uncovering a corporate confidentiality issue. Our team makes use of all available means and puts your company to the test. As a trusted partner at your side, we naturally do not compromise your company's infrastructure.
The methods
Exploitation of security vulnerabilities
Infiltration of malware
Phishing
Open Source Intelligence
Spying on access codes
Bypassing access controls and locks
Attempted access to certain premises
Attacks at network level and unauthorized network access
Exploiting the human vulnerability (social engineering)
Unauthorized extension of rights
Use of malware and backdoors
Hardware backdoors
Reverse engineering
Hardware traps
Why Pentesting?
Pentesting is a continuous cycle that accompanies a company over time. New vulnerabilities can appear anywhere and at any time, and constant developments in the security sector require a recurring review of the IT system landscape. The human factor can also represent a major security gap. Pentesting also gives you more clarity about how your company would fare in the event of an attack, and it addresses important requirements from frameworks (e.g. CIS Control 18) and regulations (e.g. NIS2 and DORA).
The pentest makes it possible to obtain a detailed picture of the digital attack surface and thus improve IT security in a targeted manner. The result can serve as a basis for investment decisions, so that security investments are targeted at the findings.
Pentesting without pentesters?
In contrast to manual tests, autonomous pentesting runs continuously, automatically and without external pentesters. Security gaps are quickly identified, prioritized and rectified, making it ideal for bridging the gap between classic pentests. In this way, you constantly minimize your attack surface and stay ahead of the attacker.