What is Penetration Testing?
An authorized, simulated attack exercise conducted manually by our qualified security expert, who attempts to find and exploit vulnerabilities in a computer system
Exploiting Vulnerabilities within a time constraint
Find vulnerabilities that an automated scanner cannot discover
Manual pentesting requires skilled and experienced experts
Assess the effectiveness of the existing suite of security controls more proactively
The client consents to a carefully designed project scope and rules of engagement
Recommends appropriate defences to strengthen the security posture
To meet compliance and regulatory requirements, including:
HKMA TM-E-1 Risk Management of E-banking v.3 Oct 2019
HKMA Cyber Resilience Assessment Framework
PCI DSS /GDPR Compliance
SFC Guideline on Cybersecurity for licensed corporations, eff. Jul 2018
Insurance Authority Guideline on Cybersecurity, eff. Jan 2020
HKSARG Security Risk Assessment and Audit
To test a new system or an application before production
To measure the effectiveness of the controls and demonstrate it to management
Scope of Penetration Testing
Standards we reference:
US NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment
Open Web Application Security Project (OWASP)
OWASP Top 10
OWASP Mobile Top 10
OWASP MASVS-L1 or L2 or +R requirements
OWASP API Security Top 10
Our Penetration Testing
Our four-stage Penetration Testing is based on NIST SP 800-115 guidance, using a black box or grey box approach.
Testing goals and rules of engagement are set
Information gathering and automated scanning to identify known vulnerabilities
Exploit vulnerabilities and perform additional discovery upon gaining new access
Document all found vulnerabilities and exploits, including failed attempts, and recommend safeguards to mitigate the risk. Remediations performed by the client are verified
The report includes an executive summary, scope, findings, evidence and recommendations
A presentation summarizes the key findings
A sample report is available upon request
Frequently Asked Questions
What is the key difference between a pentest and vulnerability scanning?
A pentest applies manual effort to exploit the identified vulnerabilities and to discover previously unknown vulnerabilities.
Vulnerability scanning uses automated tools to discover known vulnerabilities.
What is the key factor influencing the number of findings in a pentest?
Besides the pentester's skill set, time is also a key factor.
Time-limited engagements do not allow for a full evaluation of all security controls. The assessment must be prioritized to identify the weakest security controls an attacker would most likely exploit within the time constraint.
What are the risks of a pentest?
The potential risks may include data disclosure, system outage and traffic slowdown.
However, under agreed rules of engagement the pentest can be conducted in a more controlled manner to keep the risk to a minimum.