Pen tests

NFIR holds the CCV quality seal of approval

Pentesting & security audits to test your digital resilience
NFIR beeldmerk kleur
NFIR beeldmerk kleur

Pen tests

NFIR holds the CCV quality seal of approval

Pentesting & security audits to test your digital resilience

Discover and address weaknesses in your digital defenses through a pentest. Our certified ethical hackers identify vulnerabilities and provide insight into the effectiveness of your security measures, as well as potential consequences if misused.

What is the importance of performing pentesting for your organization?

The main reasons to perform a pentest are:

  1. Identify vulnerabilities and risks:
    Get an overview of the vulnerabilities and risks present within your infrastructure and applications.
  2. Building trust:
    Customers, shareholders and other stakeholders expect their information to be secure. A pen test provides insight into your organization’s level of digital security.
  3. Comply with standards and legislation:
    Various standards and legislation such as the AVG, BIO, ENSIA and ISO, require appropriate security measures to be taken. A pentest helps you meet these requirements.
  4. Continuous security improvement:
    The results of the pen test can be used to improve and optimize your information security.
Home

Custom Pentesting

During an intake meeting, the exact scope for the pentest is determined and the environment to be examined is determined. In our intake meeting, we thoroughly go over your specific details, requirements, attack scenario and wishes. This allows us to create a customized proposal.

What we can pentest for you

It is possible to pentest the following environments. Infrastructure, Web Application, API, Mobile Application, Operational OT. If you have a different environment, we will be happy to discuss the possibilities together. It happens regularly that companies or organizations come to NFIR for “special” pen tests.

From pentesting to clear reporting

A pentest can be conducted from different perspectives, with the result depending (in part) on the chosen attack perspective. During an intake meeting, we will jointly determine the scope of the pen test and advise on how we can perform the most valuable pen test for your organization.

After we perform the pentest carefully and according to the applicable methodology and standard, you will receive a comprehensive report from us. In it you will find all the findings and clear solutions are provided to fix the vulnerabilities. Our reports are clear, complete and reproducible for your organization. We describe the standards used, the tests performed, the tooling applied and the measures recommended.

Request a sample pentest report here to gain insight into our method of reporting and the data we include in it.

Step 1: intake

During the intake, we discuss the scope components and attack scenarios of the pen test. An ethical hacker from NFIR is also present during the intake.
The intake is an important starting point because we would like to test all components within the scope of the pen test and identify all vulnerabilities. Based on the intake, we provide an hourly estimate and proposal.

Step 2: Proposal and agreements

After you receive the hour estimate and proposal, we will be happy to discuss your questions.
In consultation, we will find a suitable time to perform the pen test.

Step 3. implementation

During the pen test, we keep you informed about progress and vulnerabilities.
Critical vulnerabilities are reported immediately so that they can be resolved as soon as possible.

Step 4: Results

The vulnerabilities are documented in a clear and complete pen testing report. A standard part of our pentest services is to explain the findings following the delivered pentest report.
This explanation is greatly appreciated by our clients.

Step 5: Perfecting

Thanks to the clear insights, you are going to mitigate the vulnerabilities.
If required, we can arrange for a retest after the vulnerabilities have been mitigated. Based on this retest, you will receive a new pen test report and have confirmation that the vulnerabilities have actually been fixed

Let us assess your risks!

Find out how safe you really are and contact us today.

We offer different attack scenarios

Black box pen testing hacker organization applications security information

Black Box pentest

In a Black Box attack scenario, minimal information is provided in advance by the client. Ethical hackers will operate as "outsiders" without inside information. Pentesters use various techniques, including Open Source Intelligence (OSINT) to discover vulnerabilities.

Grey box pen testing risk hackers automated network penetration test the netherlands

Grey Box Pentest

A Grey Box attack scenario sits between a Black and White box. There is "limited" sharing of information used to investigate an environment. The ethical hackers will use a user account to examine the infrastructure or application.

white box pentesting ethical hardware vulnerability pentester security audit computer systems

White Box Pentest

In a White Box attack scenario (also known as a Crystal box), all information is provided in advance to target vulnerabilities. Consider the information that is also requested in Grey Box pentesting. In addition, source code, log files and server access are used. In addition, the ability to set up your own test environment can be used.

Certified and quality-focused Ethical Hackers

Our skilled and professional ethical hackers have extensive experience, creativity and up-to-date professional knowledge. They have completed relevant training and are certified, such as OSCPOSWPOSWE, OSEP, CPTSCBBH, and eWPT. In addition, NFIR holds a CCV seal of approval for pentesting.

CyberSecurity Event Zwolle

NFIR uses reliable pentesting services, certified with the CCV Pentesting Seal of Approval. We are your Cybersecurity partner if you are looking for a down-to-earth Dutch Cybersecurity company that has years of experience in pentesting. Our certified ethical hackers identify vulnerabilities and provide concrete and actionable insights about the effectiveness of your security measures. Contact us today to put your cybersecurity under the microscope as well.

Contact us for a professional pentest

Contact us to schedule your pentest intake. Request a sample pentest report here to gain insight into how we report and the data we include in it.

Perform pentest?

Strengthen your digital resilience and gain customer trust with our thorough pen testing.

Pentest

A vulnerability scan uses automated scans to discover known vulnerabilities. These vulnerabilities are then reported. It is an important first step in understanding potential weaknesses within a system.
A pentest goes one step further. During a pentest, not only are vulnerabilities identified, but they are actually exploited. This demonstrates what the actual consequence may be to a system or environment when compromised. The ethical hacker will use his experience and creativity to identify all the weaknesses of an environment, giving the organization a more realistic picture of the risks they face.

Penetration test or vulnerability assessment? – Have a Pentest Performed – Contact NFIR Now

Depending on the size of the job, a careful assessment is made as to whether multiple people should be put on a pentest to reduce the length of the job. The duration of a pentest can vary depending on the environment being tested and the complexity of the attack scenarios being used. Generally, a pentest covers a period of 2 to 4 weeks. This period includes not only the execution of the test itself, but also the preparation, analysis and explanation of the final report.

A pentest (penetration test) is necessary because companies are often unaware of vulnerabilities in their network and systems. It is a controlled and authorized attempt to evaluate security through a simulated attack. The main reasons for a pentest include vulnerability identification, risk management, regulatory compliance, evaluation of new applications and changes, protection of customer data, and building trust with customers and stakeholders. Conducting regular pentests is essential to improve security and prepare for potential attacks.

  • For example, a pen test is useful to:
    Assess your current situation for vulnerabilities.
  • Detect vulnerabilities before the release of new applications.
  • Check weaknesses after changes to infrastructure or applications.
  • Comply with corporate policies, standards and/or legislation that require periodic security assessments.
  • Test your Cybersecurity maturity against the detection methods you have implemented.

When performing a pentest, various international standards and methodologies are used to discover and classify vulnerabilities.

Some of the key standards applicable to the assignment include:

By using these standards, a pentest can be performed in a structured and thorough manner, and the results can be reported in a clear and comparable way.

Our pentesters have a large amount of experience, a lot of creativity and up-to-date expertise. The NFIR pentesters have followed relevant training courses and obtained certifications such as OSCP. In addition, they have all received chief of police approval and signed confidentiality agreements.

A Black Box pentest means that no information about the environment is shared with the pen testers beforehand. With a pentest based on the White Box principle, all information about the environment is shared in advance. If you are having a pentest performed for the first time and want to get an overall picture of your security, it is useful to have a Black Box pen test performed.

  • OWASP WSTG

The Web Security Testing Guide (WSTG) project is the premier cybersecurity testing resource for Web application developers and security professionals. The WSTG is a comprehensive guide to testing the security of Web applications and Web services. Created through the combined efforts of cybersecurity professionals and dedicated volunteers, the WSTG provides a framework of best practices used by penetration testers and organizations around the world.

  • OWASP MASTG

The OWASP Mobile Application Security Testing guide is a mobile app security standard and comprehensive testing guide that covers the processes, techniques and tools used during a mobile app security test, as well as a comprehensive set of test cases that allow testers to deliver consistent and complete results.

The Penetration Testing Execution Standard (PTES) consists of several main components. These cover everything about a penetration test, namely:

  1. The initial communication and reasoning behind a pentest;
  2. The information gathering and threat modelling phases, where testers work behind the scenes to gain a better understanding of the tested organisation;
  3. Vulnerability assessment, exploitation and post-exploitation, which addresses the technical security expertise of the testers and combines it with the business insight of the assignment;
  4. Reporting, which captures the entire process in a way that makes sense to the customer and provides them with the most value.

The Common Vulnerability Scoring System (CVSS) standard provides an open framework for disclosing the characteristics and consequences of software and hardware security vulnerabilities. The quantitative model is designed to ensure consistent and accurate measurement while allowing users to see the underlying vulnerability characteristics used to generate the scores.

SECURITY INCIDENT BIJ UW ORGANISATIE?

De volgende 30 minuten zijn van cruciaal belang​!

De eerste 30 minuten na een cyber security incident zijn cruciaal, omdat een snelle en adequate reactie de schade kan beperken. Daarnaast kan verdere verspreiding van de aanval worden voorkomen en kan essentieel bewijsmateriaal veiliggesteld worden voor nader onderzoek.

Ons Computer Emergency Response Team (CERT) staat 24/7 klaar om bedrijven en organisaties te ondersteunen bij IT-beveiligingsincidenten.

Heeft uw bedrijf professionele hulp nodig bij een beveiligingsincident? 

SECURITY INCIDENT AT YOUR ORGANIZATION?

The next 30 minutes are crucial!

The first 30 minutes after a cyber security incident are crucial because a quick and adequate response can limit the damage.
In addition, further spread of the attack can be prevented and essential evidence can be secured for further investigation.

Our Computer Emergency Response Team (CERT) is available 24/7 to support businesses and organizations during IT security incidents.

Does your company need professional help with a security incident?