Vulnerability Scanning & Pentesting Services
Your Vulnerability Scanning & Penetration Testing from TEN
According to independent studies, 80% of all applications and IT infrastructures contain security vulnerabilities, some of them serious. It is only a matter of time before these are exploited and lead to often immense damage for the operator, sometimes even threatening the existence of the company.
Companies must therefore continuously ensure that their applications and systems are not vulnerable to security gaps. This requires an appropriate IT security strategy that must be continuously reviewed.
Process of the test
We do not leave you alone with the results
Very important: If required, you will receive comprehensive explanations of the vulnerabilities found, and we will also accompany you during the remediation process if desired.
In all our reports, we attach great importance to understandable language that allows even those less experienced in security technology to draw the necessary conclusions from the reports.
Good to know
The regular performance of penetration tests and vulnerability scans not only fulfills key requirements from frameworks such as ISO 27001; it is also an essential technical and organizational measure within the meaning of the General Data Protection Regulation (GDPR) that contributes to the protection of personal data.
3 good reasons for our security checks
Our bonus for you!
In the spirit of continuous and recurring performance of such examinations, we also offer them as subscriptions with interesting price advantages!
FAQ for Vulnerability Scanning & Pentesting Services
We perform vulnerability scans and penetration tests. Vulnerability scans are a highly automated process in which the target objects – e.g. IT infrastructure components, servers or applications – are examined for known security vulnerabilities. In a penetration test, an attempt is made to exploit identified vulnerabilities. The penetration test involves considerably more “manual work”.
In principle, we conduct IT security investigations for all types of systems – with a strong focus on web and mobile applications. We also examine IT infrastructures based on Microsoft Windows – whether on premises or in the cloud. Only traditional fat client applications and hardware-related scenarios are not examined as part of our service portfolio.
The focus of a vulnerability scan is on identifying known vulnerabilities, whereas a penetration test attempts to exploit existing vulnerabilities.
In the vast majority of cases, we conduct the investigations as a grey box assessment. In this case, selected details about the target object(s) are shared with us in order to keep the effort and thus the costs as low as possible. We also distinguish between so-called black box and white box tests.
Software contains bugs. Bad programming practices can result in serious security vulnerabilities in software. If these are exploited by attackers, there is a risk of data theft, for example – and all the other threat scenarios associated with this (e.g. blackmail or the impairment of availability). Responsible companies carry out penetration tests proactively and regularly to detect even such errors – and thus protect their organisation from negative effects.
Usually not. Occasional malfunctions of the examined target objects may occur, but no permanent damage is caused.
Software is updated regularly. With every update, there is the possibility that vulnerabilities are introduced by the new software version. In order to detect and close these promptly, regular vulnerability scans should be carried out.
As part of the preparations, we first talk to each client in a free initial meeting about what the organisation wants to achieve with the security investigation. Then we jointly walk through the target object(s) to get a picture of the respective object of investigation. In doing so, we usually ask for some framework parameters such as the technology components used, deployment scenarios, databases used and more. In the case of applications, we also discuss the essential workflows and the functionalities related to user management. Based on the information gathered, we plan the investigation and carry it out.
In isolated cases, there are temporary malfunctions or display errors in the examined objects. We recommend preventing uncertainty within the staff of an organisation by proactively communicating the investigation.
We use all the information we gain access to during an investigation exclusively within the scope of our mandate. We document successful attacks using exemplary data as part of our reports. All data and information are deleted again after the investigation is completed and are not passed on to anyone.
In Germany, there are various regulations, including the so-called “Hacker Paragraph” §202c StGB (German Penal Code), which set the framework for IT security investigations. However, the legitimate use of such software and the associated actions does not fall under this paragraph. All activities that we carry out in the context of IT security investigations are fully legitimate and not illegal.
Yes, our managed SIEM solution Watchdog by TEN IM, which is based on the open source IT security platform Wazuh, includes a corresponding function. The vulnerability management built into it continuously scans the monitored systems and provides an insight into the IT security situation virtually in real time. Depending on the application, we decide together with the customer which vulnerability management solution is the most cost-effective option.
Depending on the target object(s), we consult the relevant industry standards. In the area of web applications, for example, these are the relevant publications of the Open Web Application Security Project – OWASP. The best known are the OWASP Top 10 Security Risks in Web Applications. Corresponding frameworks also exist for mobile applications.
Unless there are sector-specific regulatory requirements, the rule of thumb is “after every major change”. What is considered a “major change” always depends on the context. As a general rule, we recommend that every major release of web and mobile applications be tested. If nothing is specified, a testing frequency of 6 months can serve as a guideline for vulnerability scans and for penetration tests of self-created applications – depending on the specific risk profile, also more frequently or less frequently.
Absolutely! Vulnerability scanning is fundamentally different from penetration testing. Unfortunately, there are always providers on the market who do not take the difference very seriously. The automated detection of vulnerabilities (vulnerability scanning) does not replace a penetration test.
In short: nothing. Penetration tests are an activity that can only be partially automated and always involves a minimum of “manual work”. The experience of the experts involved is crucial for success. Unfortunately, there are always providers on the market who do not take the difference between vulnerability scans and penetration tests very seriously. They like to equate the terms vulnerability scanning and penetration test – and thus present an automated vulnerability management as a penetration test.
In principle, we carry out IT security investigations as a fixed-price project. Our many years of experience enable us to make precise estimates based on a joint walkthrough of the target object(s). In terms of costs, vulnerability scans start at around 3,000 euros, penetration tests at around 5,000 euros – depending on the target object(s) and their functional scope, complexity and desired depth of testing.
Depending on the target object(s) to be examined and their functional scope, complexity and desired depth of testing, an investigation takes between a few working days and several weeks. Depending on the investigation, a little more time may pass between the start of the investigation and the delivery of the report, as all our reports undergo extensive quality assurance before they are issued to the principal.
We usually prepare a detailed audit report on the results, which describes the findings. According to our clients, this is also the main difference between us and our market competitors: our reports are designed in such a way that even non-IT security experts can understand them. We meet this requirement by including extensive screenshots in the reports in order to achieve the best possible comprehensibility.
Usually, the documentation of the results in the report is done in English. This takes into account the fact that the vast majority of terms can only be translated into German with some difficulty. Upon request, we can also prepare reports in German.
All our specialists have relevant qualifications such as CEH (Certified Ethical Hacker), CCSP (Certified Cloud Security Professional), CISA (Certified Information Systems Auditor) and others. We see ourselves in the role of the white hat hacker, proactively helping to increase the security of the target objects.
You should definitely have a penetration test of your applications carried out regularly and, depending on the cloud scenario, also a vulnerability scan. Cloud providers secure the part of the service delivery for which they are responsible. The application operator remains responsible for the security of the applications it operates. Read more about this in our blog.
Depending on the content, we may come into contact with personal data. Of course, you will receive a GDPR-compliant data processing agreement drawn up by a specialist lawyer for such cases.
With our IT security investigations, you can implement various measures from Annex A of ISO 27001:2022. For example, the standard lists penetration tests as part of the measure “Managing information security in the ICT supply chain” (Measure 5.21). In “Management of technical vulnerabilities” (Measure 8.8), penetration tests and vulnerability scans are specifically mentioned as activities to be carried out regularly to identify vulnerabilities. The item “Monitoring activities” (Measure 8.16) mentions penetration tests and vulnerability scans as a supplement to an organisation’s monitoring activities. “Secure development life cycle” (Measure 8.25) refers to penetration testing as an essential component of a secure development cycle. Finally, the item “Security testing in development and acceptance” (Measure 8.29) recommends performing both penetration tests and vulnerability scans in the context of security testing during the development and maintenance of systems.
Provided we have been commissioned to do so as part of a penetration test: yes. If we succeed in doing so, we always handle the findings responsibly. In particular, we never exploit the opportunity to cause damage.
Basically no, because we are convinced that our customers know their applications and infrastructures best themselves. However, on a case-by-case basis, we are happy to discuss selective support services.
No, incident response services are not part of our service portfolio.
No, digital forensics is not part of our service portfolio.
Our services are open to all industries and we understand the diversity of our clients as an incentive and opportunity to constantly acquire new and deeper insights into different industries. We have a specific focus on retail, payment (PCI DSS) and health apps in accordance with the German DIGA/DIPA regulations.