Pentests & security audits to test your digital resilience

Have the resilience of your (web) application, website, IT infrastructure, links (APIs) and mobile apps checked by an NFIR penetration test.

Penetration tests and code reviews are necessary to demonstrate that security measures are in place and actually work. Do you want insight into the security level of your website, (web) application or internal network? Then have a penetration test (pen test) performed by the ethical hackers of NFIR. We offer tailor-made pen tests, so that exactly what you want insight into is tested.

Types of Pen Testing

Penetration tests can be performed in three ways to reveal vulnerabilities in your (web) application, website, IT infrastructure, API links and mobile apps: as a Black Box, a Grey Box or a White Box pen test. They are briefly explained below. In all cases, the pen tests are carried out according to international standards.


Black Box pen test

A Black Box test comes closest to a real attack by an outside hacker. The client provides no information in advance: our ethical hackers use open source intelligence (OSINT) to map your environment and then search it for vulnerabilities.


Grey Box Pen Test

In this pen test, ethical hackers identify vulnerabilities in your (web) application, website, IT infrastructure, API links and mobile apps both without and with information from the client. Combining both attack scenarios gives the most complete picture possible of the technical resilience of your digital environment.


White Box Pen Test

Also known as a Crystal Box test. During a White Box audit, all information is provided in advance so that the testers can search for vulnerabilities in a targeted way. Think of source code, a defined scope, a roles/rights matrix and a list of functionalities.

During the intake interview, we determine the scope of the pen test together with the client and advise on how to carry out the most valuable pen test for your organization.

Penetration test standards

Our OSCP-certified ethical hackers carry out pen tests for our clients with great care, applying internationally accepted standards and high-quality tooling. Following these standards gives you assurance that the pen test is carried out in a consistent, reproducible way and covers the environment completely. Among other things, we use the following standards:

  • Open Source Security Testing Methodology Manual (OSSTMM) for the IT infrastructure
  • OWASP Top 10 (the list of the most critical web application security risk categories) for (web) applications
  • OWASP Mobile Security Testing Guide (MSTG, since renamed the Mobile Application Security Testing Guide, MASTG) for mobile applications

Besides following these standards, our ethical hackers also use their common sense and a great deal of creativity. It is precisely by carrying out the pen test creatively that we regularly find vulnerabilities, which you can then fix to make your environments safer and more resilient.

Clear, complete and very useful reports on penetration tests

Finding vulnerabilities is not our only goal. Our ethical hackers report the vulnerabilities found in a way that is clear and, above all, useful for your organisation. The pen test report describes exactly which standards were applied, what was tested, which tooling was used, which vulnerabilities were found and how to fix them.

NFIR reports the vulnerabilities using the Common Vulnerability Scoring System (CVSS 3.0). CVSS captures the most important characteristics of a vulnerability (how it is reached, how hard it is to exploit, which privileges and user interaction it needs, whether it breaks out of its own security scope, and its impact on confidentiality, integrity and availability) and combines them into a numerical base score from 0.0 to 10.0 that reflects its severity. The score is then translated into a qualitative rating: informational (CVSS "none", 0.0), low (0.1 to 3.9), medium (4.0 to 6.9), high (7.0 to 8.9) and critical (9.0 to 10.0). This lets us assess the vulnerabilities consistently and prioritise their resolution.

Since a pen test is a snapshot and your environments change frequently, it is important to have a pen test carried out periodically. Use periodic pen test reports to inform your customers about the improvements you have made to increase the technical resilience of your organization and/or service.

Penetration test or vulnerability scan?

  1. A vulnerability scan gives a general picture of how IT security is organised. A pen test gives a more detailed picture of the current state of IT security.
  2. An IT vulnerability scan finds commonly known vulnerabilities. A pen test also looks at potential weaknesses that a scanner does not recognise.
  3. Vulnerability scanning relies on automated scans to detect vulnerabilities. A pen test also makes use of automated scans, but in addition the researcher actively seeks out vulnerabilities with a dose of creativity.


Important questions about a pen test

Our pen testers have extensive experience, a lot of creativity and up-to-date expertise. The NFIR pen testers have completed relevant training courses and obtained certifications such as OSCP. In addition, they have all received approval from the chief of police and signed confidentiality agreements.

How long a pen test takes depends strongly on the environment to be tested and on the agreements made with the client about the attack scenarios to be used.

In a Black Box pen test, no information about the environment is shared with the pen testers beforehand. In a pen test based on the White Box principle, all information about the environment is shared in advance.

A Black Box pen test is especially suitable when an environment is being pen tested for the first time and you want an overall picture of its security. A Grey Box penetration test is an intermediate form between the Black Box and White Box penetration tests, in which the researchers have limited login details and information available. A Grey Box pen test is generally used to see how secure an environment is from the perspective of an employee or customer who already holds legitimate credentials.

Agree with each other when the required information must be delivered, when the pen test will take place, what the pen test means for daily operations within your company and when the report will be delivered. The assignment must be clear and the information required in advance must be provided on time; otherwise the pen test cannot start.

The NFIR Pentest: how impenetrable is your network?

With the NFIR Pentest you get certainty and advice about the security of your network. Contact NFIR for non-binding advice: 088 – 323 0205

The three main standards used by NFIR (depending on the environment to be tested) are the Penetration Testing Execution Standard (PTES), the Open Source Security Testing Methodology Manual (OSSTMM) and the guidance of the Open Web Application Security Project (OWASP). The severity of a vulnerability is determined by means of the Common Vulnerability Scoring System (version 3). Furthermore, NFIR uses input from the client to apply a CIA (confidentiality, integrity, availability) weighting to the vulnerabilities found.