How to scope your Penetration Test?

shape shape

Targets and Technologies


  • Applications (Web, Mobile, Thick Client, API)
  • Cloud (Hybrid, AWS, GCP, Azure)
  • Network Infra (Internal, External)
shape shape

Types of Testing




  • Black Box
  • Grey Box
  • WhiteBox
shape shape

Frequency




  • Manual (Once)
  • Manual (Annual)
  • Manual + Periodic
shape shape

Application of Standards




  • Best Practices
  • OWASP ASVS
  • CIS

Penetration Testing Process

XPentest follows a phased approach to all security assessments. First, the preparation of the assessment takes place, then information about the target systems, components or applications is collected, then the assessment is carried out and finally the report is written.

Phase 1: Preparation and Information Gathering

Good preparation is essential and ensures a time-efficient execution of the assignment.


The activities in this phase are:

  • Determining a complete overview of the target systems in scope (e.g. IP addresses and URLs).
  • Drafting and verifying indemnity statements (especially if third parties are involved).
  • Designating and establishing technical and operational contact persons
  • Defining scan frequency and timing (in consultation with the client).
  • Validate that login details required for the assessment have been delivered (if applicable)

By collecting as much information as possible (e.g. by using data from publicly available sources) we get a complete picture of the systems in the scope. The information that can be collected includes:

  • Systems within the scope.
  • TCP and UDP ports with active services.
  • Known vulnerabilities in underlying services.
  • Application or frameworks used.
  • (Sub)domains
  • Functionality (authenticated) of user roles (if relevant).
  • Accessible web services and/or APIs.
  • (possible) External links
  • Any other relevant scope details: physical, people, process etc.
about
shape

Phase 2: Test and Analysis

In this phase, Xpentest assesses which vulnerabilities can be identified by conducting an investigation by a team of experienced security specialists. The strength of the assessment is the way in which we use our technical knowledge and logic to find vulnerabilities. In order to work as efficiently as possible, we also use tools and scripts developed partly by Xpentest itself. The research results in raw data and potential vulnerabilities that are then manually checked for ‘false positives ’.

about
shape

Phase 3: Report and Explanation

This phase consists of writing and reviewing the report If you wish, we will be happy to discuss the report with you and review the findings together.

about
shape

Phase 4: Optional Retest or Periodic Follow-up Scans and Delta Reports

Retests or periodic vulnerability scans are a necessary complement for organisations working with ever-expanding IT infrastructures and ongoing application development processes with very regular updates. In these situations it is almost impossible (and also very cost-inefficient) to always have a (thorough) manual security assessment performed. That is why Xpentest can perform automated vulnerability scans periodically after a manual penetration test (either applicative or infrastructural, or both), whereby the frequency and timing are tailored to the customer's development methodology. This gives you the best of the unique expertise of a Xpentest security expert and frequent scanning to optimally mitigate security risks.

about
shape
dots
video

Why Us

Our strength lies in understanding out client's business processes, culture, vision and goals across the industry segments and offering reliable client-oriented solutions. We commenced our operations in 2018 to provide cyber security consulting services to clients globally as partners and conceptualize, realize and lead technology driven business transformation initiative to completion.

500+

Pentest Delivered

80+

Trainings Delivered

20+

Continuous Vulnerability Monitoring