Penetration Tests and Red Teaming

: We have long-standing experience in the field of audits and penetration tests. Our consultants regularly attend international hacker conferences and carry out research for vulnerabilities. This allows us to not only examine your IT solutions for potential security risks on a conceptual level, but we can also detect the technical and organizational vulnerabilities that actually exist and evaluate them appropriately.

We know the latest attacking techniques and methods and regularly find unknown vulnerabilities in malware. Depending on your needs, a penetration test can go far beyond a standard scan. This is why we detect vulnerabilities in supposedly secure systems and applications time and time again that other auditors have overlooked.

Thus you can be sure to find your vulnerabilities and close the gaps before an attacker can find and exploit them.

Audit aspects include:

• Security of web applications, web services and portals: Security assessment on the application level for any kind of web application (customer portals, web shops, HR portals, online banking, intranet, etc.). The assessments are carried out on the basis of common standards (like ASVS).
• Source code reviews: In the context of source code reviews, the source code of web applications, mobile apps, fat clients etc. is examined for security flaws.
• Assessments of mobile apps: Security assessments of mobile apps for the iOS and Android operating systems
• Configuration analyses of Azure, AWS and Google cloud environments: Our consultants inspect the configuration of the respective cloud environment and evaluate it with regard to security-relevant settings.
• Assessments of mobile endpoints: Such assessments simulate an attacker with physical access to the endpoint to be assessed (e.g., laptop, smartphone).
• Red team exercises: Simulation of real attacks: How well can employees, infrastructure and physical security measures withstand the attacks? Our red team projects are designed very individually and are also carried out in accordance with requirements such as TIBER upon request.
• Assessments of special devices, embedded systems and customer products: These include assessments of IoT devices, home automation and components in the environment of ICS (industrial control systems).
• Assessments of the system security and hardening of servers and endpoints: These kinds of assessment aim to identify security-relevant misconfigurations or vulnerabilities on the operating system level that enable attacks or make them easier.
• WLAN reviews/audits: Assessment for threats and vulnerabilities of the WLAN infrastructure and the WLAN components involved
• War games (red team vs. blue team): These projects serve as a training for the customer’s SOC. They are aimed at evaluating and improving the detection capabilities and efficiency of the blue team.
• Social engineering: Using different social-engineering techniques, we try to access sensitive company data or IT systems. Various social-engineering scenarios are run through in agreement with the customer.
• Insider analyses: Such assessments simulate an insider (an intern or employee, for instance). They aim to identify the vulnerabilities and risks that exist from the perspective of an insider.
• Structural analyses of DMZ structures and network reviews: Conceptual examination of existing network architectures (e.g., DMZ) ISMS assessments, reviews of processes or guidelines
• Data protection audits in the context of IT security