Protect your company from hacker attacks
Our security experts use penetration tests, also known as pentests, to simulate cyber attacks on companies’ IT infrastructure. In this way, we show you the practical and realistic ways in which hackers penetrate systems, so that you can close vulnerabilities at an early stage and prevent the worst from happening.
As an endurance test for the IT infrastructure, pentesting helps to test your own cyber security and discover possible points of attack. Companies receive expert and unbiased feedback on their security processes and thus an important decision-making aid for further optimization.
IT security audits may take time and cost money – but the expense is small compared with a real security incident, which usually results in significant costs as well as reputational damage. Simulated hacker attacks pay off: the earlier the damage is known, the smaller the impact. Regular penetration testing also enables companies to meet the requirements of increasingly important security certifications.
Your benefits at a glance
Clarity about your own IT security situation
Early detection and closure of vulnerabilities
for optimizing the security strategy
for certifications in the area of IT security
Professional and realistic implementation thanks to many years of experience
Pentests: You should know these 3 types
For a White Box penetration test, you provide our IT security experts with all the necessary information about your company’s IT infrastructures in advance. Your employees are proactively informed about the execution of the pentest.
Unlike the White Box penetration test, the Black Box pentest is completed without any prior information about the IT systems to be tested. The goal is to simulate the attack method of a hacker as realistically as possible. Our IT security experts first try to compile, on their own, the information that you would normally disclose in a White Box penetration test.
The Grey Box penetration test combines the two variants above and presents a particularly authentic hacking scenario. Our security experts receive only fragmentary information about the customer’s IT systems and determine the remaining data themselves. Only later do the penetration testers receive detailed information on the IT infrastructure and selected access data. The combined approach proves to be particularly efficient compared to the frequently requested Black Box variant.
Scope of a security test
From information gathering to verification, a penetration test at the DGC consists of six phases. Before starting, the basic requirements and goals for the IT security test are defined during a kick-off.
Depending on your needs, we simulate different scenarios and procedures. For example, a penetration test can be planned together with your internal team.
An alternative is the so-called “intern scenario”: one of our IT system analysts carries out the penetration test covertly in your company – without employees being informed. This also allows you to check the human component of IT security, known as Social Engineering.
Pentesting – Procedure explained in 6 steps
Phase 1: Information Gathering
In the first phase of a pentest, findable information about the company is gathered – internally and externally. To check the external IT infrastructure, all system components that can be reached from the internet are examined. These include domains, IP address ranges, mail servers, firewalls, routers, FTP servers and other services accessible from the network. In the internal IT infrastructure, data traffic is analyzed using “sniffing” software to draw conclusions about available network areas, devices and services.
Phase 2: Active Testing of the Infrastructure
The insights obtained in phase 1 are used to actively test the IT infrastructure. This is done by so-called fingerprinting, also known as footprinting: using this information, data records are correlated to identify – with a high degree of probability – the version and patch levels of network services, operating systems, software applications and databases. The process also allows conclusions to be drawn about current configurations.
Phase 3: Vulnerability Scanning
Results of the fingerprinting are used specifically to identify vulnerabilities in the systems and applications of the customer. At the DGC, we do this by using our own vulnerability scanner cyberscan.io®. Information from public databases on the internet, in which vulnerabilities are catalogued, is also used.
Phase 4: Exploiting Security Vulnerabilities
The identified vulnerabilities are specifically exploited to gain access to the company’s systems. If the pentester penetrates the system, so-called artifacts will be collected. These serve as a basis for the subsequent presentation and for the IT security report. Naturally, the highly sensitive information is only documented in consultation with the customer and is treated as strictly confidential. Phase 4 is generally only carried out at the customer’s request, as critical systems could be affected under certain circumstances. If agreed, selected or representative systems are systematically attacked (exploit).
Phase 5: Presentation of Vulnerabilities and Solutions
In the course of the previous phases, a detailed overview of all identified systems, including security vulnerabilities as well as possible solutions will be created. If actions were carried out during phase 4, the artifacts will be presented to the customer in a personal meeting. The exploits used will also be explained. Furthermore, the customer will receive a pentest report in which the results and the entire process will be documented and summarized.
Phase 6: Re-Penetration
A single pentest can hardly provide statements about the security level of the tested systems that remain valid in the long term. This is because the techniques used by potential attackers are evolving rapidly: new vulnerabilities in current applications and IT systems are reported almost daily. In extreme cases, a cyber attack may be possible immediately after the completion of a penetration test – due to a new security vulnerability. Therefore, we recommend retesting after a defined period of time. Our cyberscan.io® software can also be used for continuous testing of the IT infrastructure.
How much does a penetration test cost?
Less than you think!
If desired, penetration tests can also be carried out remotely in a cost-effective and sustainable way thanks to our DGCBOX. Please feel free to contact us if you are interested!
What does a pentester do?
A pentester is hired by companies to perform security analysis of systems and networks from an attacker’s perspective. To bypass existing security measures, he or she draws on real tactics and techniques used by cyber criminals. The goal is to reveal undiscovered vulnerabilities in the IT infrastructure and show how they can be fixed. The pentester’s approach to such an IT security audit is always carried out in close coordination with the contracting company and in predefined scenarios and phases.
What is a pentest report?
A pentest report summarizes the results of a penetration test. It generally consists of two sections. The main report contains the most relevant results of a pentest – individually categorized and evaluated. In addition to a general overview and risk profile, technical information on found vulnerabilities is summarized in a topic-specific manner and, if useful, enriched with applied tactics. Recommendations are also described for each vulnerability; the recommended measures are intended to show how the security problems can be fixed. The second report section lists the overview data, i.e., all systems and vulnerabilities found during the test. The overall overview and detailed descriptions of the vulnerabilities provide companies with well-founded assistance in optimizing their own cyber security.
You want to learn more about penetration testing?
Contact us – we will be happy to advise you