This page is too short to provide a complete description of our methodology. We do provide such a description in the proposal we submit to the client before
starting a penetration testing engagement, and we submit a proposal for every engagement. In the interest of completeness, here is a high-level overview
of the general steps our efforts follow:
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Post Exploitation Forensics
In addition, we take pride in the fact that we provide the widest spectrum of automated scanning tool coverage in the industry!
In a typical penetration testing effort we use at least three (3) network penetration testing tools (e.g. Nessus, GFI LANguard, etc.) and at least three (3)
web application security assessment tools (e.g. AppScan, WebInspect, Cenzic Hailstorm, Acunetix, N-Stalker, etc.). If the penetration testing effort requires it,
we use at least three (3) database security scanning tools (e.g. AppDetective, McAfee Database Vulnerability Scanner, Scuba, PFCLScan, etc.). Finally, if the
penetration testing project requires it, we use at least three (3) source code security analysis tools (e.g. AppScan Source, Fortify, Coverity, Klocwork, etc.).
To the best of our knowledge, no other penetration testing company provides "full-depth" assessments across all layers (i.e. source code, application, web, and database),
and no other company provides "full-breadth" assessments using all industry standard tools (listed above). Most compliance standards such as PCI, HIPAA,
SOX, FISMA and others require that at least one of the industry standard tools listed above is used in a penetration testing effort in order for the pentest
results to be considered acceptable for compliance purposes. But when you hire us, you get at least three (3) compliance-ready tools across ALL layers! Add to
that 15-20 years of manual hacking expertise and you begin to understand why our client retention rate has always been 100%.