Penetration Testing as a Service
We are the providers of external and internal network penetration services, which could help reveal vulnerabilities before “real” hackers do.
Our Certificates
Our services
Why do you need a penetration test?
To effectively protect yourself against hacker attacks, penetration tests can give a clear picture of the system’s security situation. We give six reasons why organizations need regular pentests:
Protection of data and
intellectual property
A penetration test reveals weak points and checks how vulnerable a system is. Together with the customer, security measures are then taken to protect data in the event of an actual attack by malicious hackers.
Protection against Loss
of reputation
A penetration test, conducted by an independent third party, reduces the risk of an attack and thus protects against a possible loss of reputation.
Fulfilling legal obligations
Sensitive data require special protection. In the context of IT governance, numerous legal requirements require the proper operation of an information security management system.
Recommendations for safeguarding measures
Anyone who has a penetration test carried out receives a detailed report that enables your IT management team to understand the risks of the current situation and gives IT specialists recommendations for specific security measures.
Quality management
Many companies set up internal QM systems to ensure the quality of services and products. In addition to code reviews for software products, penetration testing can be used to check and measure the reliability of information technology.
Certifications and Compliance
For certain industries and processes, it is necessary to meet standards. For example, companies that conduct credit card transactions must comply with the PCI data security standard. To achieve compliance, it is necessary to check systems by an independent third party. A security level proven by a penetration test is a clear competitive advantage here.
How it works
How our white hackers work
A penetration test is usually roughly divided into six phases:
Preparation
Scanning phase
Enumeration
Research of all artifacts and resources related to the customer (domain names, IPs, 3d party resources) including from Darknet. Сoordination of test objectives, scope, test methods, and devices.
At this stage, we are looking for open paths to computers and resources. The system is "touched" for the first time. Here we are attempting to obtain information from different sources.
This phase often runs at the same time as stage 2. Its goal is to get real, useful information through the security check. At this stage, we search for suitable exploits, conduct detailed network analysis, hash cracking, and coordinate further attacks.
Exploit phase
Evaluation and
reporting
Post-implementation review
Here we conduct the verification tests (exploitation of vulnerabilities, circumvention of security measures and active intrusion, man-in-the-middle attacks, post-exploitation, etc.)
Then we repeat levels 2 to 4.
To be able to realistically assess the actual security situation, a detailed report is necessary. During the final analysis, we evaluate and document the results, make the summary and presentation, and listing of weak points, and give recommendations for countermeasures.
We will provide specific recommendations for your further actions required and support you in their implementation if needed. We will check all corrections and improvements to make sure that our recommendations work in right way.
Methodologies we use
Why us
Why do you need to choose ESKA
for your pentest?
Still have some hesitations whether cooperation with us is worth the trouble? Check 6 reasons why you should choose us
among other companies!
Experience
We have 8+ years of experience in the Cybersecurity market.
Reliability
ESKA that's not just a contractor it is your partner, that's why we are always ready to help in the future. We are always focused on relationships and on customer success!
Up to date
We always discover the cyber security market and use the most modern technics and tools.
Expertise
We have certified experts who are ready for the most difficult challenges.
Support
We don't provide just a report with an incomprehensible list of issues. We always manual check the vulnerability and explain in what way and how to close it, give road map and recommendations.
Verified
We are trusted by more than 200 companies (including Governments and international corporations).
What we done
Case Studies in Industries
Each month, we usefully close our projects. Here is the list of our recent ones.
INDUSTRY
STARTUPS
INDUSTRY
INSURANCE
Penetration test for the international insurance company
Platform that provides people management solution for the SMB market
The main goal of this penetration test was an examination of the client's infrastructure through the third party for possible issues that could affect the security of the applications, infrastructure and privacy of its users. The assessment also checks and evaluates security configurations that ensure the confidentiality, integrity, and availability of the client's company sensitive data and other resources.
Our customer, a young startup with a strong customer case, asked us to conduct testing and provide an independent report on their vulnerability assessment. The web application was evaluated, and we provided it with a detailed report on its security status.
In the future, that report helped them confirm their level of security and raised the level of trust of their future customers.
INDUSTRY
FINANSIAL INSTITUTIONS
BIG
ENTERPRISES
INDUSTRY
The Logistics company wanted to check mobile application before launch
A financial company decided to improve its security
A dominant Logistic provider finished their new mobile application, developed by 3rd party contractor, and requested to check the security level of this mobile application.
As a result, our customers get the confirmation of the level of protection of the mobile application, recommendations for improving the level of security, and contractors' qualifications.
An international investment services company is constantly working with customers' crucial data and must ensure their security and safety.
In the future, the company was able to significantly increase the level of security and ensure the security of its customers.
HEALTHCARE
INDUSTRY
Health Care medical center request for Wi-Fi penetration test
A medical center that has public Wi-Fi Access Points in places of concentration of visitors needed to check their secure perimeter and network security vulnerabilities. The test was made in two steps: Public internet SSID test and an internal corporate network test. The result provided recommendations and steps for increasing corporate network security.
Full Penetration Test Guide
All that you need to know about pentest before buying
This guide is based on 8 years of deep experience in cybersecurity, including expertise in software development, building cybersecurity systems from scratch and working with different types of companies from startups/SMBs to enterprises.
FAQ
On this block, you will find answers to the most popular questions of our customers. Didn’t find what you need? Just send us a request.
-
What is a penetration test?A week rarely goes by without reports of attacks on sensitive systems. It results in financial damage, and the reputation and trust of customers and partners crumble. To protect yourself against attacks, adequate countermeasures must be taken at different levels. Well-trained employees and processes that also take IT security into account are essential for effective protection. However, above all, the security check through a penetration test by an independent third party is an effective means. So, what is exactly a penetration test? A penetration test is an authorized, planned, and simulated cyber attack on a company or a public sector institution. The aim is to identify and eliminate previously unknown points of attack before hackers can use them to steal intellectual property or other sensitive data or otherwise damage an organization. During the penetration test, trained testers attempt to attack your IT systems using the methods of criminal hackers to determine the vulnerability of systems, after which appropriate protective measures can be taken.
-
White box, gray box, black box: what is the difference?Dealing with the client's security system, we can take different approaches which include color-based assessments. Black Box Black box tests are the most common and preferred by multiple organizations since analysts work at the same level as a typical hacker. The pentester does not know the details of the evaluated system in advance. The Black Box tests determine and detail the vulnerabilities in an exploited system from the outside. At a technical level, this type of testing relies on dynamic analysis of the programs running inside, as well as of the networks. While this kind of testing can be extremely fast, depending on the pentester's ability to find vulnerabilities, as well as implicit network failures, it has a downside. It implies that if the analyst fails to penetrate the perimeter - the failures found inside will remain hidden. White box Contrary to the gray box or black-box tests, white-box tests have full access to the source code of a system, as well as to the architecture, infrastructure, and documentation. In this sense, these kinds of tests are the ones that involve the longest amount of time, since the analysts must sort through an immense amount of information to find what is truly useful for the mission. One of the flaws of this kind of test is that they can generate blindness based on the deep knowledge they have of the system, which can often obviate the actions that a hacker without knowledge can commit. However, this is not a realistic attack, as the cybercriminal may not have all the attack details. Gray box A Gray Box test is a step up from a Black Box test, where the analyst has the same network access as an average system user. The Gray box test starts with incomplete information on the attacked system. This can be some key data, network topology, operating systems, their version, etc. Typically, this information will have a logical balance and can simulate what a cybercriminal would have after studying the system for a while. In this sense, he has more knowledge about the network infrastructure and architecture and has greater privileges, which can help implement a much more focused and efficient analysis. This also helps to generate simulations of persistent threats within a system, to evaluate the response capacity of users. The Gray box methodology allows deeper penetration and more exhaustive testing than the black box, without totally discarding the simulation element.
-
What are the types and models of penetration testing?External network penetration testing. Anything exposed to the Internet needs some form of security testing. If an external host is compromised, it can lead to an attacker digging deeper into your internal environment. External network penetration testing is focused on the perimeter of your network and identifies any deficiencies that exist in the controls that protect against remote attackers targeting the Internet-facing systems in your environment. When performing external penetration testing, our penetration testers mimic real scenarios as best as possible to root out all potential vulnerabilities. Our external network penetration testing techniques include the following: ● Port scans and other network service interactions and queries ● Network sniffing, traffic monitoring, traffic analysis, and host discovery ● Spoofing or deceiving servers via dynamic routing updates (e.g., OSPF, RIP spoofing) ● Attempted logins or other use of systems with any account name/password ● Use of exploit code for leveraging discovered vulnerabilities ● Password cracking via capture and scanning of authentication databases ● Buffer overruns/underruns ● Spoofing or deceiving servers regarding network traffic ● Alteration of running system configuration except where denial of service would result ● Adding user accounts. Internal network penetration testing. Whether it’s disgruntled workers, previously terminated employees, or someone trying to steal trade secrets, there is a high chance of potential internal threats. Even without malicious intent, simple configuration issues or employee mishaps can also result in a network compromise, leading to the majority of attacks originating from within. Our internal network penetration tests target the networked environment that lies behind your public-facing devices. This service is designed to identify and exploit issues that can be discovered by an attacker who has gained access to your internal network: ● Internal subnets ● Domain servers ● File servers ● Printers ● Network devices ● Phones ● Buffer overruns/underruns ● Workstations and laptops Web applications penetration testing. Web applications are unique constructs, mixing various forms of technology and providing an interactive front for others to use. Some web applications are made public, while others might be internal applications existing on an intranet. No matter the location, there are always security variables. How well does your application handle input? Does it work with backend servers in a secure manner? Will your session management scheme hold up to penetration testing? Web application penetration testing tests for the following: ● Application logic flaws ● Forced browsing ● Access and authentication controls ● Session management ● Cookie manipulation ● Horizontal escalation ● Vertical escalation ● Brute-force password guessing ● Poor server configuration ● Information leakage ● Source code disclosure ● Response splitting ● File upload/download attacks ● Parameter tampering ● URL manipulation ● Injection attacks for HTML, SQL, XML, SOAP, XPATH, LDAP, Command ● Cross-site scripting ● Fuzzing
-
How much does a pentest cost, and what influences its price?The price for our service results from the size and complexity of the pentest. The scope of the test objects and networks, the license fees for the scan tools used, and the nature of the tests affect the costs. If the follow-up tests are necessary, it also adds to the overall price. We discuss all the pricing criteria and create your non-binding offer in a personal consultation.
-
How often the pentest should be performed? How long does it take?The penetration testing is recommended conduct at least twice a year, but the optimal quantity is determined after the analysis of the particular business. By default, you will receive our final report within 1-2 weeks of completing the penetration test. If an earlier transmission of the results is required, please let us know in the joint kick-off meeting. For time-critical projects, we will be happy to provide you with our results earlier, if possible.
-
What documentation and reports do I get as a result of the pen test?After completing the pentest, you will receive a final report, which is divided into different sections: Management summary Here you get a non-technical summary of the project and the identified findings for the management level. All critical findings are concisely summarized. The procedure, scope, and tools It is a detailed description of the test methods used, the analyzed test object and scope, as well as the tools and scripts used during the pentest. Findings and Actions An important part of our final report is the detailed, technical description of all identified findings. You will also receive a comprehensive recommendation on how to fix each vulnerability, suitable for technical personnel (such as developers or administrators). Standardized risk assessment To assess our findings, we follow well-known standards such as the OWASP risk assessment method. The risk of a vulnerability is based on the probability of occurrence and its impact. If you are interested in a network penetration test, we would be happy to provide you with a free quote. All you have to do is leave your contact information and data about your company in our contact form, and we will contact you as soon as possible.