Frequently Asked Questions

Introduction

We hope you find answers to your questions in the following FAQ. If you don’t, please do not hesitate to contact us with any inquiries you may have.

1. What is penetration testing?

Web application penetration testing is a security testing service that focuses on identifying vulnerabilities and weaknesses in systems, such as websites, web services, and networks. Our experienced team uses extensive manual testing techniques, along with automated tools, to thoroughly assess the security of such systems and provide detailed reports with findings and recommendations for remediation.

2. What is the difference between your services?

Our services, such as Web Application Penetration Testing (WAPT) and API Testing, differ in which aspects are tested. WAPT focuses on assessing a given website and all its components, while API testing focuses on an API running on the back end, which may serve not only a website but also mobile and desktop applications, among others. In the case of External Network Penetration Testing, the scope is defined up front and the effort is focused on gaining access to your infrastructure remotely. Red Teaming, by contrast, is an ongoing effort that may have a loosely defined scope, allowing for continuous testing during a defined time frame.

3. How do we know which service we need?

You shouldn’t worry about that: our consultants will explain and propose the best course of action and tailored solutions according to your needs.

4. How much do your services cost?

We will charge you based on the time we spend doing the job. The time will depend on the service and the scope provided. We can offer you a discount on large projects that extend over time and for recurring services. If our services need to be performed during off-hours or weekends, there will be an extra charge.

5. Will your testing impact our operation?

We usually ask our clients for a testing or staging environment, so that if something goes down it will not affect your operations. If the test has to be done in production, we will define the most critical points to be left out or tested during non-business hours, and we will ask you to perform a backup of your data. However, it should be noted that most of the time there are no issues during testing.

6. How long will it take to test my application?

That depends on the number of assets that we have to test. Most tests are usually completed in one to three weeks. The report is delivered a few days or a week later. Nevertheless, we can arrange with you to provide a daily report.

7. What tools do you use?

Our toolset is standard in the industry. Given that most of our workload is WAPT and API PT, we mainly use Burp Suite Pro, with several extensions including our own. Other tools we use are Nessus, nmap, sqlmap, nuclei, and several tools developed in-house.

8. Do you use any framework or methodology?

Yes, we mostly base our work on the OWASP framework. Some of our consultants did PCI-related work for many years, so some of those guidelines are followed, even though we do not do PCI certification. Mostly, though, we follow our own methodology, which depends on the work at hand and draws on many industry reference sources and previous experience.

9. My team performs security testing, why should we contract you?

That’s excellent to hear, congratulations! Nevertheless, it is a good idea to hire someone external who can provide a fresh pair of eyes and who is not involved in the day-to-day development of the product (conflict of interest). Having a dedicated person who does security can be expensive, so hiring someone external who does this as a daily job can be beneficial both technically and economically. In case you are not convinced, you can ask us for our low-budget options.

10. Our company has trade secrets and valuable data, and we are concerned about how you handle our information and secrets

We understand that many companies are reluctant to share access to their platforms and to provide us with an account or different profiles for testing. We usually ask to be whitelisted on your firewall/WAF and to be given different profile accounts for testing, and that should be enough. We can discuss how we handle your information and secrets. We use our own servers for testing and encrypt all our logs. We can communicate through GPG and are very flexible in adapting to your needs. Nevertheless, any arrangement should leave enough room for us to be comfortable testing your assets.

11. We need help with governance and policy, could you help us with that?

We have done that kind of work during our careers and are familiar with it, but right now our team is more technically focused. Nevertheless, ask us, and in any case we can suggest some trustworthy colleagues.

12. Do you accept payments in cryptocurrency?

Yes, we do accept payments in BTC and ETH. Talk to us for further information.