Infrastructure Pentesting

Pentests are crucial for risk management, regulatory compliance and data protection.
NFIR beeldmerk kleur
NFIR beeldmerk kleur

Infrastructure Pentesting

Pentests are crucial for risk management, regulatory compliance and data protection.

Infrastructure pen testing is performed for companies that want to check the functionality, security and safety of their IT infrastructure. We provide an honest and realistic status overview of your environment. The scope of our pen tests is always determined together with the client. That means we can perform our services in any environment: internal, external or in the cloud!

Scope examples

The following environments can be included during an infrastructure pen test: External, Internal or Cloud IT infrastructures. We can also test laptops, PCs, smartphones or test the available Wi-Fi on site.

Would you like insight into the security of any of the above environments? Then get in touch!

What attack scenarios are possible for infrastructure pen testing?

The most common attack scenario for an IT infrastructure is a combination of Black and Grey Box. An illustrative example is provided below for both attack scenarios. During an intake the wishes will be mapped out in order to choose a suitable scenario.

Black box pen testing hacker organization applications security information

Black Box of the external IT infrastructure

With minimal information, a picture will be formed of vulnerabilities in the publicly available IT infrastructure. By means of open source research (OSINT) as much information as possible will be collected to discover vulnerabilities.

Grey box pen testing risk hackers automated network penetration test the netherlands

Grey Box of internal IT infrastructure

Testing the internal infrastructure is at least as important as the external environment. This scenario simulates what a malicious hacker or malware might do if it gains access to the internal network through, for example, a phishing or social engineering attack. Which vulnerabilities are present and is it possible to increase the privileges to administrator rights?

Pentestbox during internal infrastructure pentesting

A large proportion of attacks on businesses start with hacked computers or employee accounts that are in the familiar office environment. Sometimes an employee accidentally installs something or his or her account is compromised. In addition, servers may be attacked on-site. To test what might happen if this scenario occurs, it is necessary to place a computer within the network. Previously, NFIR’s ethical hackers would physically come to your office location for this; today, this is done remotely with a pen test box.

Learn more about the pentest box->

Infrastructure pentest methodology

NFIR uses the Penetration Testing Execution Standard (PTES) for pen testing IT infrastructures. This methodology gives you the assurance that the pen test is performed to the correct standards and completely. We find it important to be as transparent as possible about the execution of the pen test. For this reason, we offer a checklist for various pen testing standards which is added to the report. This allows you to see which checks have been carried out, which could not be carried out and which, if any, were not applicable.

Sample infrastructure pen testing report

A sample report (NL/EN) of a black box infrastructure pen test is available.
In this report, a pen test was performed on a fictitious environment, whereby vulnerabilities were made transparent.


Which systems can you have tested by NFIR's experts?

Which systems can you have tested by NFIR’s experts? Our ethical hackers check the technical resilience of (web) applications, websites, IT and OT infrastructures, API links and mobile apps. If you have a different environment that you would like to have controlled, we will be happy to discuss it with you.

A vulnerability scan uses automated scans to discover known vulnerabilities. These vulnerabilities are then reported. It is an important first step in understanding potential weaknesses within a system.
A pen test goes one step further. During a pen test, not only are vulnerabilities identified, but they are actually exploited. This demonstrates what the actual consequence may be to a system or environment when compromised. The ethical hacker will use his experience and creativity to identify all the weaknesses of an environment, giving the organization a more realistic picture of the risks they face.

Penetration test or vulnerability assessment? – Have a Pentest Performed – Contact NFIR Now

Depending on the size of the job, a careful assessment is made as to whether multiple people should be put on a pen test to reduce the length of the job. The duration of a pen test can vary depending on the environment being tested and the complexity of the attack scenarios being used. Generally, a pen test covers a period of 2 to 4 weeks. This period includes not only the execution of the test itself, but also the preparation, analysis and explanation of the final report.

A pen test (penetration test) is necessary because companies are often unaware of vulnerabilities in their network and systems. It is a controlled and authorized attempt to evaluate security through a simulated attack. The main reasons for a pen test include vulnerability identification, risk management, regulatory compliance, evaluation of new applications and changes, protection of customer data, and building trust with customers and stakeholders. Conducting regular pen tests is essential to improve security and prepare for potential attacks.

  • For example, a pen test is useful to:
    Assessing your current situation for vulnerabilities.
  • Detect vulnerabilities before the release of new applications.
  • Check weaknesses after changes to infrastructure or applications.
  • Comply with corporate policies, standards and/or legislation that require periodic security assessments.
  • Test your Cybersecurity maturity against the detection methods you have implemented.

When performing a pen test, various international standards and methodologies are used to discover and classify vulnerabilities.

Some of the key standards applicable to the assignment include:

By using these standards, a pen test can be performed in a structured and thorough manner, and the results can be reported in a clear and comparable way.

Our pen testers have a large amount of experience, a lot of creativity and up-to-date expertise. The NFIR pen testers have followed relevant training courses and obtained certifications such as OSCP. In addition, they have all received chief of police approval and signed confidentiality agreements.

A Black Box pentest means that no information about the environment is shared with the pen testers beforehand. With a pentest based on the White Box principle, all information about the environment is shared in advance. If you are having a pen test performed for the first time and want to get an overall picture of your security, it is useful to have a Black Box pen test performed.


The Web Security Testing Guide (WSTG) project is the premier cybersecurity testing resource for Web application developers and security professionals. The WSTG is a comprehensive guide to testing the security of Web applications and Web services. Created through the combined efforts of cybersecurity professionals and dedicated volunteers, the WSTG provides a framework of best practices used by penetration testers and organizations around the world.


The OWASP Mobile Application Security Testing guide is a mobile app security standard and comprehensive testing guide that covers the processes, techniques and tools used during a mobile app security test, as well as a comprehensive set of test cases that allow testers to deliver consistent and complete results.

The Penetration Testing Execution Standard (PTES) consists of several main components. These cover everything about a penetration test, namely:

  1. The initial communication and reasoning behind a pen test;
  2. The information gathering and threat modelling phases, where testers work behind the scenes to gain a better understanding of the tested organisation;
  3. Vulnerability assessment, exploitation and post-exploitation, which addresses the technical security expertise of the testers and combines it with the business acumen of the assignment;
  4. Reporting, which captures the entire process in a way that makes sense to the customer and provides them with the most value.

The Common Vulnerability Scoring System (CVSS) standard provides an open framework for disclosing the characteristics and consequences of software and hardware security vulnerabilities. The quantitative model is designed to ensure consistent and accurate measurement while allowing users to see the underlying vulnerability characteristics used to generate the scores.

CyberSecurity Event Zwolle

NFIR uses reliable pentesting services, certified with the CCV Pentesting Seal of Approval. We are your Cybersecurity partner if you are looking for a down-to-earth Dutch Cybersecurity company that has years of experience in pentesting. Our certified ethical hackers identify vulnerabilities and provide concrete and actionable insights about the effectiveness of your security measures. Contact us today to put your cybersecurity under the microscope as well.