Identify security issues ahead of time with our cost effective Penetration Testing


Request a Quote 03333 440 831

Aptive are a UK-based penetration testing company, providing cost-effective IT security assessment services for infrastructure and applications. We help our clients improve security and remain compliant with regulatory standards such as ISO 27001 and PCI DSS.

OSCP & CREST Certified Cyber Security Consultants

Penetration testing will help your organisation proactively understand and address threats and vulnerabilities, reducing the risk of a security breach. All our security assessments are performed manually, using UK industry-approved methodologies (NIST, OWASP, PTES) that meet or exceed the requirements set by regulatory & compliance standards such as PCI DSS 3.2.

Service Overview:

Our experienced OSCP & CREST certified consultants assess your organisation and applications using industry-approved methodologies, such as PTES, OWASP and NIST. We strive to meet the challenging report delivery turnaround demanded by our clients for regulatory and compliance requirements.

What is Penetration Testing?

A penetration test (pen test) is an authorised attack simulation against an organisation's network or applications, identifying vulnerabilities and security issues. Discovered vulnerabilities are exploited, confirming the severity of the issue and compromised machines. Machines compromised during penetration testing are used to gain access into an organisation's network; this process is carried out to help identify the level of access a potential attacker could obtain.

Summary:

  • Authorised attack simulation
  • Identifies vulnerabilities
  • Identified vulnerabilities are exploited
  • Privilege escalation is performed
  • Discovered vulnerabilities are used together to gain a higher level of access
  • Penetrated machines are used to access the network

Penetration testing is typically performed against a company's servers, web applications, external network infrastructure and mobile applications. The assessment process is manual, with industry standard commercial and open source tools used to assist the process.


Cyber security penetration testing performed by OSCP & CREST certified consultants

Our Services

Below are Aptive’s primary cyber security and penetration testing services. Additionally, we provide custom and bespoke security assessments for VoIP and IoT devices.

Network Penetration Testing

Internal or External performed by CREST Certified Testers (CCT).

  • Server
  • VoIP
  • Cloud
  • Manual
  • Infrastructure
  • PCI

Web Application Penetration Testing

Web Application Penetration Test by CREST Certified Testers (CCT).

  • Server
  • Cloud
  • Manual
  • OWASP based methodology
  • Website assessment
  • PCI compliant
  • Manual security assessments

Mobile App Penetration Testing

Mobile Application Pen Test by CREST Certified Testers (CCT).

  • API pen testing
  • Cloud
  • iOS
  • Android
  • PCI compliant
  • Manual assessment

The process of assessing an organisation's network infrastructure externally or internally to identify vulnerabilities and security issues. After discovery, vulnerabilities are safely exploited, confirming if the vulnerability exists. The process is manual, removing false positives typically returned by automated tools and vulnerability scans.

Aptive provide external assessments of an organisation's network infrastructure or application, typically performed offsite to simulate the same set of conditions a real-world attacker would have. Working remotely gives our team the flexibility to perform testing out of hours, further reducing impact and risk to the client's organisation.

How does Network Penetration Testing help my Organisation?

A full network security audit is performed, identifying both discovered vulnerabilities and issues that are found to be exploitable. This is sometimes referred to as VAPT (vulnerability assessment and penetration testing). Aptive’s security assessment services help address regulatory and compliance recommendations / requirements such as PCI DSS, ISO27001 & GDPR.

An organisation is assessed externally at the network infrastructure level, typically with a similar set of conditions a real-world attacker would have, making it the most realistic form of assessment. Depending on client scoping, compromised machines can be used as a means of advancement, allowing a consultant to use the machine as a gateway into the organisation's network and access machines behind the corporate firewall.

Aptive provide internal assessments either onsite or by deploying an appliance allowing our team to connect remotely. Deploying an appliance onsite gives our team the flexibility to perform work out of hours, reducing impact and risk to a client organisation.

Advantages of Penetration Testing

Identify cyber security issues and risks, providing your organisation with a realistic overview of the current state of your IT security. Help assess your organisation's current standing in relation to various compliance standards such as PCI DSS and ISO 27001. Go a step further than a vulnerability assessment and have a certified consultant confirm the existence of the identified security issues.

  • Gain an insight into the current state of security – Assessment will identify a risk and severity ordered list of discovered security issues for your organisation
  • Address compliance requirements – many regulatory and compliance standards such as the GDPR, ISO 27001 and PCI DSS recommend or require a penetration test
  • Protect your company's brand and reputation – by identifying security issues you’re taking a step to help prevent a data breach (the GDPR states all data breaches must be reported no later than 72 hours)
  • Manage resources – using the severity ordered remediation plan, accurately assign your organisation's resources to remediate high severity issues first
  • Justify budget – using Aptive’s report you can reach out to non-technical budget controllers or stakeholders and justify additional budgets for resources / hardware to improve your organisation's cyber security
  • Test existing controls – many organisations spend large amounts of their budgets implementing security protection devices such as firewalls, web application firewalls and vulnerability management. Assessment will help identify if controls are configured correctly and are working as expected

Why use Aptive

Certified Security Testers

Performed by OSCP certified and CREST registered testers.

Free Retesting

Free retesting on discovered security issues.

Proven Methodology

Aptive performs security assessments based on the OWASP testing methodology.

Easy to Understand Reports

Discovered security issues in severity order with remediation instructions.

Fixed Price Proposals

Transparent costs and fixed price proposals, giving you peace of mind.

Custom Security Testing

Custom Testing tailored to your business requirements.

  1. Scoping

    Working with you to identify all systems / applications that require security testing.

  2. Testing

    Security testing is completed by our CREST accredited team, following our internal testing methodology.

  3. Reporting

    Delivering clear easy to understand severity ordered reports, detailing identified issues and providing concise remediation steps.

  4. Debrief

    Further explanation and demonstrations of vulnerabilities / exploits.

  5. Retesting

    Security issues identified within the report are retested for free.

Cyber Security Breaches Survey 2017 – GOV.UK:

  • 46% of UK businesses overall identified cyber security breaches or attacks in the last 12 months
  • 45% of breaches were micro/small businesses
  • 66% were medium to large businesses
  • 74% of UK businesses where directors or senior management say cyber security is a high priority

How often should you perform a Penetration Test?

Penetration testing should be performed on a regular basis to ensure newly discovered threats and vulnerabilities are identified and remediated before any potential attacker detects and exploits them in the wild. In addition to regular security assessments demanded by regulatory and compliance standards, network security audits should also be completed when:

  • New changes are made to network infrastructure
  • External servers or applications are deployed (including cloud / external servers)
  • Significant upgrades or modifications are made to infrastructure or applications
  • At new office locations
  • After the company acquires other companies (including mergers)
  • After security patching to ensure applications and infrastructure are no longer vulnerable

Below is an overview of Aptive’s penetration testing methodology, which is typically used for external infrastructure (network) testing. Our web and mobile application security assessments have their own specific methodologies based on the OWASP testing framework. This page serves as an overview only; you can contact us to request our detailed testing methodology.

Discovery / Reconnaissance

Discovery takes place before any testing is conducted. The process involves collecting as much information about the company or application as possible. The information gathered at the discovery stage of testing is used to help identify weaknesses directly or provide information that can help with later stages of testing. Typically, all publicly available information is enumerated, such as:

  • WHOIS
  • GitHub
  • Pastebin
  • DNS
  • Web forums
  • Email addresses
  • Search engine recon

Network Mapping / Enumeration

In scope addresses are manually enumerated for useful information such as services and versions.

Service Enumeration

As much information as possible is gathered / enumerated from each exposed service.

Vulnerability Assessment

After enumeration of the server(s) / network, a vulnerability assessment is completed, helping identify known public vulnerabilities. This process helps identify information that can be manually assessed in the next step.

Password Testing

Depending on client requirements, discovered forms or password hashes are tested using the latest password recovery techniques, helping identify if current password policies are sufficient.

Vulnerability Research

Services revealed at the enumeration and vulnerability assessment stage are researched for public exploits and / or known exploit methods.

Manual Penetration Testing

Discovered services are manually and safely tested or exploited to confirm if they are vulnerable.

Exfiltration

Successfully compromised machines are locally enumerated for valuable data. If possible (scope permitting), user privileges are escalated to admin / root. Screenshots of account privilege level or discovered data are taken for evidence.

Pivoting

Compromised machines are used to route traffic, allowing the pen testing consultant to access the internal network or other machines / network subnets. This demonstrates the risk of a potential breach and how far an attacker may get within the target company's network.

Reporting

All discovered security findings are documented in a severity ordered report with clear, concise remediation instructions and their associated risk and impact.

Retesting

All our security testing services come with free retesting on reported findings.

Data source for breach statistics: