Penetration testing
A penetration test (pentest) is an assessment type that is usually centered around a research question stemming from a specific security concern. Quite often this question is "To what extent can a threat actor penetrate our organization?".
Various techniques and tactics are deployed in a short timespan to provide a solid answer to this question. Vulnerabilities identified and exploited in the course of this process are outlined in a report that focuses on the (technical) impact to your organization.
There are several types of pentests, and the term "scope" refers to the specific assets (e.g., applications, internal and/or external network ranges) that need to be tested to achieve the agreed-upon objectives. The differences between the types are mainly related to the (technical) information provided in advance. Unfortunately, the industry lacks clear, standardized definitions. We use the following definitions:

Black box pentest
Without (provided) credentials and/or technical information (e.g., documentation).

Grey box pentest
With credentials for one or more user roles and/or technical information (e.g., documentation).
A scenario-based pentest in which login credentials are assumed to have already been obtained (assumed breach), for example through a successful social engineering attack such as phishing, also qualifies as a grey box perspective.

White box pentest
With access to configuration and/or source code to support the assessment. Usually combined with credentials for one or more user roles and/or detailed (design) documentation.
Why you should pentest
A pentest provides valuable insights into the security posture, improvement opportunities, technical imperfections and risks. However, the actual improvement in security depends on how the results are followed up. The gain is usually highest when there is intrinsic motivation. A mature information security policy includes periodic security testing.
In addition, security testing may be a contractual obligation or mandated by applicable laws and regulations. For example, the Payment Card Industry Data Security Standard (PCI DSS) applies to websites that independently process credit card data. ISO 27001 also requires organizations to periodically identify vulnerabilities, assess risks, and implement appropriate security measures, with security testing forming an important part of maintaining compliance.