Penetration Test | Ziwit Consultancy Services

A penetration test allows you to identify the vulnerabilities of a computer system as hackers would do, we will tell you everything about how penetration tests work, why you need to do one and how it is performed.

Request a Pentest

What is a Pentest ?

A pentest is a computer security assessment method that simulates a computer attack to identify vulnerabilities and weaknesses in a computer system,a web application or a network.

It is therefore an in-depth and pragmatic audit of the security of a computer system.

Unlike a traditional security audit, which consists of a static assessment of security controls, the pentest simulates attacks under real conditions and uses advanced techniques to test the resistance of a system. Penetration testing is therefore an effective tool to identify vulnerabilities and weaknesses in your applications, infrastructures and IT systems, so that you can correct them.

For over 10 years, Ziwit has been performing daily penetration tests for all types of companies. Specialized in offensive cybersecurity, we are committed to providing the best technical skills to our customers.

Why make a Pentest ?

Computer attacks are becoming increasingly common and sophisticated, and companies need to be prepared to deal with these threats.

Penetration testing in real conditions allows you to discover security flaws, vulnerabilities, feature abuse and configuration issues in your systems, but above all it allows you to fix these flaws before they are exploited by hackers.

In short : pentesting measures the risk associated with an information system by simulating realistic attack conditions, in order to identify ways to significantly reduce it.

What a pentest allows you to ?

Pragmatically and effectively verify the security of a scope (application, infrastructure, cloud, website, etc.).

Demonstrate the security level of an application to stakeholders (Ziwit CS certificate and certification seal).

Comply with regulatory requirements and security standards (ISO27001, HDS, HIIPA, SOC2, PCI-DSS, etc.).

Raise the skills of internal teams (awareness through concrete cases involving all employees concerned).

Why Pentest by ZIWIT ?

Specialized in offensive cybersecurity and pentests for more than 10 years.

Consultants and pentesters specialized for each field of intervention (OSINT, Pentest web, hardware intrusion test, infrastructure, AD, wifi, etc.).

Recognized as experts by the largest organizations.

An support before (presentation of the pentesters), during (continuous communication) and after the penetration test (advice, support, etc.).

A unique contact allowing to follow your projects from start to finish.

Request a Pentest

Methodology & Penetration test "mode"

The penetration test is applied on a perimeter defined with you. It can be a website, a web application, a mobile application, a range of IP addresses that you expose, your internal infrastructure, etc.

Our consultants define with you the scope on which the security audit will be performed, and also define their technical and organizational methodologies.

Penetration testing can take three approaches :

Black Box Pentest

The auditor has only access to information publicly exposed by the target, no special privileges or rights are granted to simulate an attack on the audited system as carried out by an anonymous hacker outside his organization.

Discover the Black Box Pentest

Grey Box Pentest

Informations and documentations are made available by the auditee in order to increase the audit’s surface and simulate an attack as carried out by a legitimate user of the organization (accounts on the applications, exposed IP access, etc.).

Discover the Grey Box Pentest

White Box Pentest

Penetration testing method where the tester has a high level of access to the systems or applications to be audited. The pentester has therefore an advanced knowledge of the technical details of the target, such as source codes, configurations and architectures. This approach allows for an in-depth analysis of the target's security and can help to identify vulnerabilities that would not be detected by a black box testing method (or "blind penetration test") where the tester has no prior information about the target. However, the White Box pentest may require more time and resources due to the preparation and in-depth knowledge required to conduct the test.

Discover the White Box Pentest

How does a penetration test work ?

4 complementary steps

Overall Penetration Testing Methodology

The Kick-Off

Essential step of the Pentest to formalize the audit procedures with all the stakeholders in anticipation of the penetration test. During this phase, we exchange with you on the scope to be audited and formalize the test procedures, for that we :

Apply the reference documents allowing the pentest to be carried out successfully.
Identify the actors involved in the project on the customer’s side and on Ziwit’s side and we validate the communication channels for smooth information exchange.
Define the modalities of the mission : test strategy, project monitoring and steering,secure electronic document exchange.

Information gathering

Once the scope and methods have been defined, the consultants take charge to gathering as much information as possible on the scope.

This is the mapping phase, the census of your infrastructure on the defined scope, the analysis and contextualization, this phase allows to fully understand the systems, habits and processes before starting to exploit them to test their resilience.

The analysis / audit

Once the documentation has been recovered and the formalization steps carried out, our auditors specialized in Pentest, carry out the audit on the defined scope. We will then explain the difference between a penetration test with internal methodology and a penetration test with external methodology. The external pentest aims at validating the possibilities of compromise of a hacker acting from outside.The purpose of the internal pentest is to validate the security issues inherent in the company's network, its services, its internal applications, but also the configurations of workstations and equipment.

Delivery of your intrusion test report

To conclude the Pentest, you will receive a complete and synthetic penetration test report that can be understood by all (not only the technical teams but also the rest of the staff). You will find there :

The general listing of the detected vulnerabilities.
A detailed synthesis of each vulnerability.
Countermeasures to implement.
Good practices for your employees to follow.
Support in complying with ISO 27001 & ISO 27002.

The advantages of Ziwit Consultancy Services reports :

A customized structure according to your needs.
Detailed points accessible to all.
Easy to follow good practices.
An oral presentation upon request.

Counter-Audit

In order to validate the remediation of the vulnerabilities identified during the pentest, the client may request a counter-audit.

The counter-audit allows our auditors to check that the corrections have been applied, and that the remediation philosophy has been understood by the teams in charge of the correction. One day is needed to carry out the counter-audit and write the report.

It should be noted that the Ziwit teams remain available between the pentest’s realization and the counter-audit, at no additional cost, in order to advise the client in the remediation’s choice.

Request a quote

Our areas of intervention

Web Pentest

Penetration test on your websites and web applications, to evaluate their robustness and security status (web vulnerabilities, configuration problems, abuse of features, escalation of horizontal and vertical privileges, etc.).

Mobile Application Penetration Test

Audit of your mobile applications (Android and IOS) and their constitution (application layer, configuration, data exchanges and security, webservices and related APIs, etc.). A static audit and a dynamic audit are performed.

Exposed Infrastructure Pentest

Penetration test on the elements of your infrastructure that you expose, to obtain a visibility on the various access points to your infrastructure (applications, file servers, mail servers, VPN access, remote access, exposed network equipment, etc.). This audit is generally performed in “Black Box”.

Infra and Network Pentest

Pentest on your internal infrastructure, allowing to evaluate the possibilities of malicious acts by a hacker with access to the company's internal network (compromise of a workstation, compromise of the exposed and pivotal infrastructure, physical attack, access to the network, etc.).

Reconnaissance Audit and OSINT

The reconnaissance audit provides visibility on the various information available on the targeted company (confidential documents, employee IDs and passwords, IPs, shadow It, databases, etc.). The information is then cross-referenced to define the risks related to them.

A specific OSINT department and tools developed internally (CYBERVIGILANCE By HTTPCS) allow us to be particularly effective on these audits.

Global Security Audit

Audit of all your scopes :

Information exposed on the internet or on malicious forums (OSINT)
Assets and Exposed Infrastructure
Shadow IT
Pentest exposed infrastructure
Focus on sensitive exposed assets
Internal infrastructure pentest-type audit on physical sites

This audit provides general visibility of your security status (external and internal).

IOT Pentest

Penetration test on the different layers (hardware, software, interfaces, links, network, etc.) constituting the connected object. Different auditors are solicited on these missions: hardware and software pentester.

The main purpose of a connected object pentest is to detect the flaws present on the different layers in order to secure the entire environment of the connected object.

Red Team

The RedTeam audit simulates attacks targeting the company, and allows multiple scenarios. Where a pentest targets a particular scope, we will use several methodologies (phishing, social engineering, pentest, physical intrusions, use of data available on open sources, etc.) allowing us to validate the sources of risks and to test the internal teams (often considered as defenses in Blue Team).

Discover the Red Team by Ziwit

Differences between external pentest and internal pentest

The external Pentest

External penetration testing targets assets exposed by the company that are visible on the internet. This could include your applications, websites, file servers, messaging, exposed network assets, VPNs, etc.). The primary objective of an external pentest is to identify and exploit vulnerabilities in an organization's external infrastructure.

Learn more about External Pentest

External Pentest Versus Internal Pentest

The Internal Pentest

The internal penetration test starts from the assumption of a presence within your network : exploitation of an external vulnerability on one of your IT equipment or applications, purchase of identifiers on the darknet allowing to connect to your infrastructure, compromise of a workstation, VPN access… but also collaborators.

Learn more about Internal Pentest

What to do after a Pentest ?

Performing a pentest allows to validate concretely the vulnerabilities and security issues that can compromise or abuse your computer systems. It is a pragmatic and effective audit to ensure a state of security at a given time.

Fixes

Following a pentest, it is obviously necessary to correct the vulnerabilities identified, or to propose workaround solutions. The report helps guide remediation and the necessary actions/charges, but Ziwit cybersecurity experts are also at your disposal even after the restitution defense to help you or guide you!

Validation

Our experts check the correct application of the patches in order to issue the Ziwit Consultancy Services certification valid for 1 year. This certification is a guarantee of confidence that you can demonstrate to your partners, investors, regulatory authorities or any other stakeholder. It certifies the integrity, security and reliability of your IS.

Continuous improvement

Pentesting allows you to improve security at any given point in the life of your infrastructure. You must therefore use it as a reference, but also implement continuous improvement of your security using various specialized tools such as a vulnerability scanner. Our saying: Security is a process, never a state!

Pentest an application, what to do next ?

In order to ensure that there are no more new vulnerabilities or configuration problems that could cause IT security concerns, you can set up a vulnerability scanner between two pentests. We offer a proactive solution to detect vulnerabilities automatically.

The vulnerability scanner provides daily visibility into vulnerabilities and configuration issues in your applications. This will ensure that in case of development, modification, or the arrival of new vulnerabilities, your application will not be vulnerable !

Discover our Pentest as a Service

How much does a Pentest cost?

Pentest Type

The choice of penetration testing methodology plays a major role in determining its cost. There are mainly four approaches:

White Box Pentest

This scenario provides complete transparency to the pentester regarding the internal workings of the system. This completeness translates into a higher cost, which can reach several tens of thousands of euros for complex systems.

Grey Box Pentest

During the Grey Box Pentest, the pentester has partial knowledge of the system, which results in a price generally between €5,000 and €20,000.

Black Box Pentest

The pentester positions himself as a novice attacker, having no preliminary information about the system. This approach generally results in a lower cost, oscillating between €3,000 and €10,000.

Red Team

This type of test simulates a sophisticated attack carried out by experienced hackers. Its high price, which can exceed €20,000, reflects the complexity of the scenario and the level of expertise required.

Number of systems

As the number of systems to be tested increases, the cost of pentesting increases proportionally. It is therefore essential to precisely target critical systems that require in-depth analysis.

Complexity of systems

A complex system, such as a banking infrastructure or an online sales network, requires a greater investment in time and expertise for an exhaustive pentest. This inevitably results in a higher cost.

Concrete examples to illustrate costs

Scenario 1: A startup wants to carry out a white box pentest of its web application. The approximate cost will be between €1,500 and €5,000.
Scenario 2: A media company wishes to carry out an external intrusion test in black box mode of its web application. The budget to be expected will vary between €4,000 and €10,000.
Scenario 3: A large company decides to conduct a complete pentest of its complex IT infrastructure. The cost of this service can exceed €20,000 due to the scale and criticality of the system.