Do you need help?
Check out the frequently asked questions section
The purpose of testing is to detect possible vulnerabilities and drawbacks that can lead to the breach of the integrity, security, or accessibility of the information, cause system failure or result in the denial of service. Testing helps to foresee possible financial losses and economic risks.
It often happens that even the optimal set of security tools can have incorrect configuration settings, which leads to vulnerabilities and increases the likelihood of threats materializing.
The field of information technology is very dynamic: software and hardware are being constantly updated, remote services are being connected, new employees are joining, and the whole company structure is changing. The results of the penetration tests become outdated soon afterward, so they have to be performed again.
Most industry standards specify a minimum frequency for performing pentests. For example, PCI DSS requires their conduction every six months. In addition to periodic checks, penetration tests will be repeated after any significant changes in the IT infrastructure. Has the network mapping changed? Have you made the switch to the equipment of another vendor? Have you changed an OS? Or maybe you have enabled cloud services? All of these are new potential threats, and therefore, a reason to perform testing again.
A specific stage of penetration testing is monitoring the level of awareness of employees about threats in the field of information security. They receive phishing emails, visit infected sites, or install programs with Trojans on an office computer. Sometimes attackers don't have to directly hack the administrator's account to gain control of the network. The entry point can be a secretary's computer or a staff network share. Therefore, the renewal of the personnel structure is also a reason for pentest repetition.
Each new incident in the field of information security is a cause to conduct an out-of-sequence pentest, but it is better to make such a decision after a thorough analysis of the situation. It's one thing to actually have a new attack vector, but quite another is when your employee was negligent and ignored internal regulations. In the first case, a new expert assessment of the security level is needed, and in the second, administrative measures should be taken.
The timeframe of the penetration test depends on the features of the information system to be tested. Hence, it may vary on AVERAGE from 2 weeks to 3 months.
The cost of work is calculated individually for each information system and depends both on its complexity and on the particularities of its interaction with public networks. Also, the cost of a security audit should be commensurate with the potential risks. Calculate how much it will cost to restore the functionality of your site; what steps will be taken in case of a leakage of the database with confidential and business information. Think about what you should do in the event of a virus/Trojan infection of the site, or what damage your company's business reputation will get. The cost of the audit can be up to 50% of the cost of the above.
A typical report on the results of a pentest is a list of the detected vulnerabilities, their description and classification, potential exploitation of vulnerabilities, and recommendations for their elimination (as an option, we can make some PDF files to see how it will all look, so the client can download it).
First, ask yourself what exactly your company is afraid of? Maybe it is hacker attacks. Have you already been hacked? So, now you need to identify how the breach was made and how to eliminate the vulnerabilities. Are you afraid of dishonest employees or are you interested in a basic checking of a website or blog for vulnerabilities? Our manager will consult you on the main issues. On the basis of this, technical specialists will give detailed and clear recommendations on what methodology to choose.
We use the most popular forms of payment which are convenient for both individuals and businesses. The financial aspects are discussed individually with each client.
We do not recommend this option because automated systems are not able to recognize a number of possible attack vectors, so they serve only as an auxiliary tool for a cybersecurity specialist.