Consultation on the possibilities of pen testing

How long does a pentest take?

How long a pen test lasts strongly depends on the environment that needs to be tested and the agreements made with the client about the attack scenarios to be used. To carry out a pen test properly, NFIR advises allowing a minimum of 40 hours. In those 40 hours the environment is tested and the report is written. Would you like appropriate advice for your environment or (web) application? Please contact us for an introductory and intake interview!

What is the difference between a pentest and a vulnerability scan?

The biggest difference between a pentest and a vulnerability scan concerns the scope of what is being investigated. A vulnerability scan provides a general picture of how IT security is organised. It is used to find commonly known vulnerabilities, detect common configuration errors and make technical risk estimates for each vulnerability. A pen test does the same and much more: it provides a more detailed picture of current IT security, focusing on all potential weaknesses. In a pentest, the ethical hacker also actively seeks out vulnerabilities through a dose of creativity. A pentest therefore gives a more complete picture, because a hacker does the same during an attack.

Penetration tests and code reviews are necessary to demonstrate the resilience and effective operation of the security.

Types of Pen Testing

Penetration tests can be performed in three different ways to reveal vulnerabilities in your (web) application, website, IT infrastructure, API links and mobile apps. These ways are a Black Box, a Grey Box and a White Box pen test. They are briefly explained below. In all cases, the pen tests are carried out according to international standards.

Black Box pentest

A Black Box audit can be compared to a real attack, as hackers would perform it. No information has been provided by the client in advance. Our ethical hackers will use open source research (OSINT) to map out your environment so that they can look for vulnerabilities.

Grey Box Pentest

In this pentest, ethical hackers identify vulnerabilities in your (web) application, website, IT infrastructure, API links and mobile apps, both with and without information. The combination of both attack scenarios provides the most complete picture possible of the technical resilience of your digital environment.

White Box Pentest

Also known as a Crystal Box pentest. During a White Box audit, all information is provided in advance in order to specifically search for vulnerabilities. Think of source code, defined scope, roles/rights matrix and functionalities list.

Why are certified experts needed for a penetration test?

The pentesters of NFIR have followed relevant training courses and obtained certifications such as OSCP. In addition, they have all received chief of police approval and signed confidentiality agreements. Furthermore, our pentesters have a large amount of experience, a lot of creativity and up-to-date expertise. The most important characteristic of certified experts is to guarantee the safety of your infrastructure.

Black box or white box scenario?

With a pentest based on the White Box principle, all information about the environment is shared in advance. The pen testers can test the environment very specifically, because they know in advance what they are dealing with. This variant leads to a thorough pen test of the client’s environment. A Black Box pentest means that no information about the environment is shared with the pen testers beforehand. Usually a research area (scope) is determined, so that the pen test is limited. The pen testers work like real hackers in this variant. If you are having a pen test performed for the first time and want to get an overall picture of your security, it is useful to have a Black Box pen test performed.

What more does a grey-box pentest offer than a black-box?

A Grey Box Penetration Test is an intermediate form of the Black Box and White Box Penetration Test, in which the researchers have limited login details and information at their disposal. Due to the limited information the pentesters receive, they are better informed than a hacker. A Black Box pentest is especially suitable when an environment is being pen tested for the first time and you want to get an overall picture of the security. The Grey Box pentest is generally used to see how safe an environment is from the perspective of an employee or customer.

Make good arrangements about the pentest

Good arrangements ensure that a pen test can run smoothly. It is important that it is clear beforehand what is expected from both parties. The most important thing is clarity about the scope of the assignment: what is being tested, within which agreed time, and at what cost. The assignment must be clear and the information required in advance must be provided on time, otherwise a pentest cannot start. Agree with each other when the information should be delivered, when the pentest will take place, what the pen test means for the daily operations within your company and when the report will be delivered.

Which pen testing method to use?

In order to carry out a successful pentest, NFIR uses various methods for testing information security. The three most important standards (depending on the environment to be tested) are the Penetration Testing Execution Standard (PTES), Open Source Security Testing Methodology Manual (OSSTMM), and the Open Web Application Security Project (OWASP). The Common Vulnerability Scoring System version 3.1, abbreviated to the CVSS risk model, is used to determine the severity of a vulnerability. This international model is used by NFIR to classify security breaches.

Free consultation about the possibilities of integrated pen testing

Dennis Slier

Project Lead Incident Response Cyber Security

Schedule an appointment with Dennis right away

About NFIR

Our society is increasingly affected by serious cyber security incidents that have major consequences for our digital infrastructure. Cyber security incidents are often focused on an organisation’s critical work processes, endangering the continuity of an organisation. As a result of changes in legislation and regulations, organisations are generally themselves responsible for the damage suffered and for repairing it. Quick and professional intervention is therefore essential and NFIR can help you with that.

Penetration test?

NFIR classifies pen testing vulnerabilities using the Common Vulnerability Scoring System (CVSS 3.1).

Pentest

NFIR is a specialist in the field of cyber security. We help organizations limit the consequential damage of a cyber incident and secure digital forensic evidence to identify the cause of the damage. In addition, our services can help you increase your resilience against cyber incidents and support you in improving your digital vital infrastructure. Our experienced staff, all of whom have received approval from the chief of police, are able to support and advise you in a no-nonsense way with our preventive services (awareness training, pentesting and security monitoring) and reactive services (incident response and digital forensics).