Professional Pen Testing Services
A Penetration Test is performed by a Certified Ethical Hacker in order to evaluate the security of your company’s IT infrastructure. By safely attempting to exploit the vulnerabilities of your network, applications, databases, people and more, we find the leaks in your system before a problem occurs. Because these ethical hacking tests are carried out by skilled professionals, we are able to uncover risks that would be impossible to detect with simple scanning software.
A “Pen test” is often performed in many steps, including external pen tests (looking into your network through the eyes of an outside, anonymous internet hacker) and internal pen tests (examining the risk posed by your employees and other individuals with inside access to your network). Blind testing is also an option, in which limited information is given to the team performing the test, or even double blind testing, in which very few people at the organization are aware of the test.
Why Pivot Point
Pivot Point Security is a leader in penetration testing and vulnerability assessment (as well as ISO 27001 consulting, ISMS consulting, and more!). We have been providing the most advanced security testing services since 2001 and have helped thousands of companies validate that they are secure and their business critical information is safe. As an industry leader, we are committed to maintaining the highest levels of training and certifications for all of our security testing experts.
Our Suite of Pen Testing Services
We offer a comprehensive array of penetration testing services to make it simple for you to validate that all avenues of access to your critical data are secured. Tap on the following tabs to explore our menu of offerings.
What is a Network Penetration Test?
Network vulnerability assessments and penetration tests are intended to validate that your external (public) and internal (private) computer systems are secure. It highlights vulnerabilities and/or provides a measure of the probability that the vulnerabilities can be exploited (and if so what the impact would be to your organization).
Benefits of Network Penetration Testing
Pro-actively classifies your system’s weaknesses without actually compromising it, and demonstrates compliance with relevant standards, laws and regulations (HIPAA, PCI DSS, NERC, etc.).
Sample Network Vulnerability Assessment Report
What is Application Penetration Testing?
Verify and validate the security of your company’s critical software and applications with Application Pen Tests. This process simulates a real-life attack on you application’s security controls to gain access to sensitive data.
Application Vulnerability Assessments are typical first steps, and will help determine the risk associated with a given application. For testing less critical or low-risk apps (when hands-on testing is not justified) these assessments may be the only process needed. However, a vulnerability assessment can also be used as an information gathering mechanism to focus the subsequent penetration testing or code reviews.
Benefits of Application Penetration Testing
Application Pen Tests and Vulnerability Assessments will identify hidden risks posed by your applications to your overall system and company. Our hands-on approach provides intelligent and customized responses, avoids false positives, and demonstrates the effects of actual vulnerabilities within an application. These tests are often integrated into certification and accreditation exercises.
Download this free resource:Application Security Webinar
What is Database Penetration Testing?
Database Vulnerability Assessments and Database Penetration Tests focus on the security of the database(s) which store your most sensitive information. These processes provide assurance that the configuration of the database is consistent with your security objectives and effectively manages the risk associated with malicious access by employees, consultants, or hackers.
Why it Matters
Database pen tests and vulnerability assessments proactively and systematically achieve database security by reducing the risk associated with both web and database specific attacks. These processes also support compliance with relevant standards, laws & regulations.
What is Wireless (WLAN) Penetration Testing?
Wireless Network Security Assessments provide assurance that the Wireless Access Point (AP) and host (e.g., laptops) network adapter configurations are optimized to limit key risks associated with wireless networking (e.g., rogue access points, unauthorized access, network bridging, sniffing).
Why it Matters
Providing end users with freedom and mobility associated with WLAN is increasingly viewed as a “need to have” creating an additional network security concern. Because radio waves can travel through ceilings, floors, and walls, transmitted data often reaches unintended recipients on different floors/outside the building.
WLAN Security Testing is included in annual FDIC auditing for the Financial Industry.
What is Physical Penetration Testing?
The most basal form of Information Security is physical security. Our Physical Pen Tests provide assurance that key Physical Security Controls (e.g., access cards, security guards, tailgate sensors, man-locks, and security cameras) are effective at minimizing the risk associated with unauthorized access into portions of the facility that may provide access to sensitive information.
Why it Matters
A failure of the physical security controls can immediately result in the theft of a laptop, access to an internal network, access to a wiring closet, or even access to a data center.
What is Social Engineering Penetration Testing?
Social Engineering exercises are intended to assess the likelihood that an organization’s employees can be “tricked” into providing information or access to sensitive information. Common attack models include tailgating (physical access), phishing emails to gather sensitive information, and “vishing” calls (voice phishing) to try to gain information or access via password resets.
Why it Matters
A social pen test will help you gauge the human element of your IT security. Many hackers use social engineering to con employees into circumstances that leave your valuable assets and information at risk. A penetration test with social elements will help you identify and train vulnerable segments of your workforce.
What Our Clients Are Saying
Your consultant has been fantastic and we absolutely could not have done it without him. He is extremely knowledgeable and represents your company very well.
Frequently Asked Questions
Why do we need Penetration Testing?
Your company could use Penetration Testing to:
- Confirm that your environment is as secure as you believe
- Prove to a third party that an environment is secure and trustworthy
- Quickly assess the security of a less mature control environment (in a sense, a technical risk assessment)
- After a major change (e.g., the installation of a high risk system/application) to ensure that the security controls are operating as intended
What is a Penetration Testing tool?
Our testers often carry dozens of tools and will select which tools to use based on the type of test and the specific technologies that you are running. Common Penetration Testing tools include:
- Vulnerability scanners (e.g., Nessus, Qualys, NTO Spider)
- Automated exploit engines (e.g., Metasploit Professional, Canvas)
- Password Crackers (e.g., John the Ripper)
- Sniffers/proxies/tamper tools (e.g., BurpSuite, Cain & Abel)
How does Penetration Testing work?
Generally, pen tests have two distinct phases: In the first “reconnaissance” phase, the tester gathers as much information as possible to achieve the objectives of the engagement. This is often done using a vulnerability assessment tool. This can be helpful in discovering how vulnerable your system is. In the second “exploit” phase, the tester will leverage vulnerabilities identified during the “reconnaissance” phase. This gives you a measure of how likely it is that your vulnerabilities can be exploited and if so, what the impact is to your organization.
How long does Penetration Testing take? Will it shut down our office?
Simple penetration tests in a smaller company may last a day or less. Larger tests for a global enterprise could extend over multiple weeks. When done properly, penetration testing is unlikely to cause serious disruptions in your business. However, it is impossible for any reputable pen testing company to guarantee a test completely free of disruption. We do not use Denial of Service testing, un-tested tools, or un-validated exploit code. In 12 years, less than 5% of our tests have caused minor disruptions, such as a short period of slowed network traffic.
We pride ourselves on keeping your business up and running.
Will Penetration Testing involve our employees?
Pivot Point Security only involves your employees if your objectives include testing incident detection (e.g., we are assessing whether your Security Operation Center is paying attention) or if you want your team to work collaboratively with our test team to learn about Penetration Testing.
What kind of reporting will I receive?
We provide formal reporting on the testing process including a gap analysis, relevant findings, and a mitigation roadmap for addressing vulnerabilities and strengthening your network. Where possible the report will also include:
- Root cause analysis
- Peer-group benchmarking
- Good practice benchmarking
- Executive summaries
- Technical summaries
Penetration Testing Blog Posts
After we perform an initial penetration test, we provide our clients with reports and review the results with them. It’s crucial they understand clearly what they need to fix and why. But often, when we circle back to do the remediation testing certain issues remain...read more
One would think that most CISOs and IT security teams are at least cautiously optimistic about their ability to respond to cyber threats. But if the opinions of professional “white hat” hackers are any indication, the reality is that they are practically defenseless....read more
On a recent network penetration test our password catcher software sniffed out a service account logging in and caught its credentials. The hashed password we retrieved was nine characters long. With our homemade password cracking device (which has “only” four GPUs)...read more