Our Pentesting Process

After you have created an offer with our configurator, our experts will contact you promptly. We will then share and coordinate our next available dates with you. We gladly schedule your desired date nonbinding in advance.

Please note that the organizational contract process including signing often takes the most time. Furthermore, this step depends on your time-wise availability. Depending on the parameters of a penetration test, you may require additional time for the creation of test accounts or the application of firewall exceptions.

Our reports are generally delivered within 1-2 weeks after the penetration test has ended. Should you require an earlier transmission of test results, please address this topic in our common kick off meeting. For time-critical projects we gladly share our results earlier, if possible.

More information, as well as a sample report can be found here.

All sensitive documents or credentials are provided via our encrypted file exchange platform. The end-to-end encryption takes place on the transport layer (TLS), as well as the file layer (AES-256). We host our own platform independently on German servers. The document retrieval is accountable and automatically deactivated after 30 days with a subsequent full data erasure.

Via this exchange platform you will receive an e-mail with a secure link for the retrieval of our final report (PDF). Furthermore, you will receive optional log data or proof-of-concept exploits in a ZIP folder.

Pentest Factory GmbH is no recognized certification authority. This is why we do not issue security certificates after our pentests are finished. Furthermore, penetration tests serve only as a momentary snapshot of the security of a test target. We thus refrain from making a general statement about the security of a test target.

Nevertheless penetration tests can be used for the ISO-27001 certification of your organisation.

Identified vulnerabilities undergo a strict risk rating process. Our experts discuss the likelihood and impact of a vulnerability extensively. The retrospective adaptation of a risk rating is thus not common and merely possible on a case-by-case basis.

As an external contractor, we only act consultative. Should you disagree with a risk rating, you can task your internal risk management team with a re-rating. This includes the acceptance of certain risks.

By request, we also create a separate customer note besides our detailed report. We then remove all sensitive information such as IP addresses, user names or details of our exploitation process. Your customers will receive only an insight into the overall results of the test – similar to a Management Summary.

Pentest Factory is specialised on offensive security assessments. Attacks that limit the availability of IT systems (such as Denial of Service attacks) are not part of our services.

Nevertheless we gladly consult you in regards to this topic and can refer you to our competent partners.

In some federate states grants will be given for IT security services, such as penetration tests. We gladly advise when applying for grants. Please talk to one of our consultants.

You receive a detailed final report with all identified vulnerabilities including extensive remediation recommendations. Of course we support you after a penetration test e.g., with the remediation of vulnerabilities or a re-test for the verification of implemented measures. Our affiliate, the tacticx Consulting GmbH, can also provide you with extensive assistance in the field of IT security or data protection.

In case your test objects are sensitive applications or use sensitive data, we gladly arrange a separate NDA. A signature is generally not a problem. Nevertheless, our pentesting contract already contains a general clause regarding the obligation of secrecy for our employees.

During all pentests you will be informed about start and end times via e-mail. Furthermore, we immediatly notifiy you of vulnerabilities with a high or critical risk, should they occur during the pentest. You will then receive a memo report with details regarding the vulnerability.

All sensitive documents or credentials are provided via our encrypted file exchange platform. The end-to-end encryption is done on the transport layer (TLS), as well as the file layer (AES-256). We host our own platform independently on German servers. The document retrieval is accountable and automatically deactivated after 30 days following a full data erasure.

Automated vulnerability scans are oftentimes wrongfully sold as full-featured penetration tests. Behind the scenes, just a few automated tools are used and the results are sold for a high price.

Pentest Factory uses automated scanning to identify basic vulnerabilities or misconfigurations. These vulnerabilities are often considered “low hanging fruits” and do not require manual analysis. All scanning results are evaluted by our testers and verfied against false positives.

Afterwards we conduct a manual security assessment, which accounts for about 70% of the penetration test. By using manual testing, we are able to identify vulnerabilities that automated tools miss. According to a study manual testing methods are able to identify high risk vulnerabilities with a probability of 80 to 96 percent.