banner image

Penetration Testing

There’s always a way in

A Penetration Test (or Pen Test) is an essential requirement for connecting any system to a public network. It gives an attacker's-eye view of the vulnerabilities of any network-connected system, allowing you to find and close these vulnerabilities before the attackers find you. Most security regulations, security standards, third party contracts, or cyber insurance policies now require a Pen Test, so the only question is when and how you do it, not if.

Use Cases:

Pre-launch testing

Test it before it goes live so you know it'll survive.

Site updates

Test it whenever you update, so you don't open holes in a secure site.

Scheduled testing

Test it regularly, new vulnerabilities are discovered every week.

Compliance testing

Get an independent test to demonstrate your security to clients / regulators.

Penetration Testing is the PT in the common acronym 'VAPT'. The VA refers to Vulnerability Assessment.

VA is almost entirely automated: it's fast and cost-effective. PT adds the skill of an expert tester who can combine and exploit weaknesses that VA can't see: it's more thorough. Contact us to discuss the best way to combine VA & PT for your systems.

Pragma's Penetration Testing team is certified by CREST, the leading standard for professionalism in security testing, so you can have confidence in the quality of our tests.

When you sign up for a Penetration Test, you give our team a target and a deadline and we will spend time studying the target and identifying the ways an attacker can break in. We'll give you:

A detailed list of findings, following standard methodologies such as the OWASP Top 10
Clear risk ratings so you know which are the show-stoppers and which fixes can be safely deferred
Detailed advice on how to close each vulnerability
A debrief session for your development team with our CREST-certified Testers to walk through the issues and answer any questions they have: security education is one of the best ways to improve future security.

A free retest once you've fixed the issues so you know you're good to go, and can demonstrate an up-to-date clean report.

Common systems that should be tested:

Web Applications

The number one target for attackers.

Exposed APIs

An emerging focus for attackers, as API breaches can give a larger.

Mobile Applications

Internet of Things (IoT) devices

Often the weakest link in any security chain.

Payment Gateways / Transaction Services

Any system that can move money has a huge potential for loss if attacked, and regulators invariably require Pen Tests.

Sites accepting credit card transactions or storing Personally Identifiable Information (PII)

Credit card regulations such as PCI DSS and most privacy legislation such as GDPR or DPA either explicitly or implicitly require Pen Tests.

Cloud Tenancies

Infrastructure-as-a-Service (IaaS) platforms have great advantages, but also introduce a new channel of attack.

Custom systems

Contact us to discuss specific or specialist requirements. We've tested everything from signboards to National Critical Infrastructure