Configurator

Automated vulnerability scans are often illegitimately sold as full scale penetration tests. Automated programs and scanners are used and their results are sold for high sums.

Pentest Factory uses automated tooling to identify common vulnerabilities efficiently. These vulnerabilities are considered “low hanging fruits” and do not require manual analysis. All results of our automated tools are verified and false positives eliminated.

Afterwards we conduct manual penetration testing, which constitutes more than 70% of the assessment. Using manual techniques we are able to identify vulnerabilities that are not recognized by automated tools. According to a study manual testing methods are able to identify 80 – 96% of high risk vulnerabilities in web applications.

After creating an offer in our configurator, our experts will contact you as soon as possible. In the further communication the earliest testing dates can be coordinated. We gladly reserve a non-binding testing period for you in advance.

Please note that the contract process (including signing) requires the most amount of time. Furthermore it is dependent on your schedule and availability times. Some assessments also require additional time for technical requirements (e.g., firewall exemptions). Usually, penetration test engagements can begin within two weeks of booking.

Our reports are delivered 1-2 weeks after the assessment has finished. Should you require an earlier delivery date, please address this in our kickoff meeting. For time-critical projects we gladly share our results eariler, if possible.

More information and a sample report can be found here.

Most penetration tests can be conducted remotely, as well as on-premise. Should the test target only be accessible via your internal network, the following possibilities for a remote penetration test exist:

• Using a VPN connection for access to your internal network
• Using a Jump-Host, to access the test target (RDP, Citrix, uvm.)
• Using our Intel-NUC micro computer, which is sent to you via mail. After connecting the device with your internal network, the NUC connects back to our Pentest Factory headquarters. This way we are able to access your internal network and the test target. You will receive a detailed setup manual. Postage fees are covered by us.

All sensitive documents or credentials are provided via our encrypted file platform. End-to-end encryption is enabled on the transport layer (TLS), as well as file layer (AES-256). We host our own servers in Germany. Document retrieval is tracked and all documents are automatically deleted after 30 days.

You will receive an e-mail with a secure link for the retrieval of the final report (PDF) and further files (e.g., log files, proof-of-concept exploits).

We offer German and English languages for reports and documents. All our employees have a fluent proficiency level.

The reporting language can be chosen in our configurator. Furthermore, this topic is address in a common kick-off meeting.

Pentest Factory is no certification authority. Therefore we do not issue security certificates after conducting a pentest. Furthermore, penetration tests are only a snapshot of a test target at the time of testing. We thus distance ourselves from making statements about the general security of a test target.

Nevertheless penetration tests can be a part of an ISO-27001 certification of your company.

Identified vulnerabilities undergo a strict risk assessment procedure. Our experts discuss the likelihood and impact of a finding extensively. A retrospective adaption of risk ratings is not common and may only be done in special cases.

As an external contractor we are exclusively offering consulting services. Should you not agree with a risk rating, you may do a re-rating with your internal risk management team. This includes accepting a risk.

If you desire, we will create a separate client notice in addition to our final report. The client notice is stripped of sensitive information (such as IP addresses, usernames or details of the exploitation process). Your customers will only get an insight into the general and overall results of the test – similar to a management summary.

Pentest Factory is specialised in offensive security assessments. However, attacks on the availability of IT-Systems e.g., Denial of Service (DoS) attacks or load testing are not part of our services.

Nevertheless, we gladly advise you regarding this topic and recommend our competent partners.

In some federal states grants for IT security services exist. We gladly support you with the application for grants. Feel free to ask one of our consultants

You will receive a detailed report with all identified vulnerabilities, as well as extensive remediation recommendations. Of course we support you also after a pentest has concluded, e.g., regarding the resolution of vulnerabilities or a re-test for the verification of implemented measures. Our subsidiary, the tacticx Consulting GmbH, can also offer extensive consulting in the fields of information security or data protection.

Are your test targets sensitive applications which process personally identifiable information and require a non-disclosure agreement? We gladly evaluate the agreement and signing is usually no problem. Our Pentesting Frame Contract also includes a general clause that implies the confidentiality of our employees. Our colleagues from the data protection and information security departments gladly advise you regarding the neccessity of additional agreements.

During all penetration tests, you will be informed about the start and end of our tests. Furthermore we will notify you of critical vulnerabilities immediately upon discovery. You will then receive a preliminary memo-report with details regarding the vulnerability.

All sensitive documents or credentials are exchanged via our encrypted file platform. The end-to-end encryption is ensured on the transport layer (TLS), as well as file layer (AES-256). We host our own servers in Germany. Document retrieval is tracked and files are permanently erased after maximally 90 days.