We Break In So Hackers Can't

Manual Penetration Testing for the Payment Industry

At CyberCile, we blend expert manual testing with continuous compliance insights to safeguard your systems against real-world threats. We focus on the unique needs of financial services, fintechs, and SMBs, ensuring compliance and confidence.


Book A Penetration Test

Cecile Mengue
President/CEO

Fast Turn Around Times • Easy-to-Use Dashboard • Comprehensive Reports • Retesting Included

You Might Already Be Testing and Still Be Exposed

Many payment organizations perform penetration tests and still face:

  • Automated scans labeled as “pentesting”
  • Long reports with no real attack narrative
  • Findings that don’t explain impact to payments or transactions
  • No clarity on which issues truly matter
  • Retesting that’s slow, expensive, or avoided
  • Questions from banks or auditors months later with no clear answers

If this sounds familiar, the problem isn’t effort; it’s penetration testing that doesn’t simulate real attackers.

You deserve a penetration testing partner focused on real security outcomes.
Get clear visibility into your vulnerabilities and a plan to fix them with our comprehensive penetration testing services.


Claim Your Free Retest

Our Penetration Testing Packages

Essential Package
Ideal for small businesses and startups.
Starting at $4,997 (One-Time)
- Assessment of up to 5 external IPs/domains and one web application.
- OWASP Top 25 web vulnerability validation.
- Firewall exposure and misconfiguration review.
- DNS & SSL/TLS security validation.
- Comprehensive vulnerability report with remediation recommendations.
Advanced Threat Simulation
Designed for growing SMBs and mid-sized organizations.
Starting at $11,997 (One-Time)
- Assessment of up to 25 internal/external hosts and web application testing.
- Active Directory audit with privilege escalation and lateral movement simulations.
- Simulated phishing and spear-phishing campaigns.
- Cloud integration review (Microsoft 365, Azure, Google).
- Report with risk heat map and remediation roadmap.
Full-Scope Plan
Enterprise-level testing for the highest-security environments.
Starting at $19,997 (One-Time)
- Unlimited external and internal IPs, cloud security posture, and endpoint testing.
- Adversary emulation with MITRE ATT&CK framework.
- Wireless and IoT penetration testing.
- Social engineering operations (phishing, vishing, etc.).
- Comprehensive attack simulation report with remediation playbook.
Pentesting Subscription
For ongoing security and vulnerability management.
Starting at $1,797 per month
- Monthly external vulnerability scans.
- Configuration drift monitoring for new exposures.
- Monthly patch validation and identity posture reviews.
- Password and dark web exposure checks.
- One, two, or four manual penetration tests per year.
- End-user security awareness training.
- Core compliance documentation.

Why CyberCile?

Continuous, expert-led manual penetration testing aligned with compliance, audits, and ongoing regulatory expectations.

100% Certified Ethical Hacker, US-Based Staff

93% Average Detection of Previously Unknown Vulnerabilities

10+ Years Helping Organizations Strengthen Cyber Defenses

FAQs

Is retesting included?

Yes, one round of retesting is included with our penetration tests. After we provide the initial report and your team addresses the vulnerabilities found, we conduct a retest to ensure that the remediation actions have been successfully implemented. We then provide you with an updated report reflecting the current security status of your systems.

How long does a pentest take?

The duration of a penetration test depends on the size and complexity of the project. Typically, reports are delivered within 2-4 weeks.

What do you test for?

Our testing methodology adheres to audit procedures and established criteria, ensuring consistency and compliance with industry standards, including the Payment Card Industry (PCI) Data Security Standard requirement 11.3. Our examination follows the information system security assessment best practices outlined by the Open Source Security Testing Methodology Manual (“OSSTMM”) and the National Institute of Standards and Technology (“NIST”) Special Publication 800-42, Guideline on Network Security Testing.

Web application penetration tests cover OWASP security threats, including:

  • SQL Injection
  • Authentication Flaws
  • Directory Traversal
  • OS Command Injection
  • Business Logic Vulnerabilities
  • Information Disclosure
  • Access Control Vulnerabilities
  • Server-Side Request Forgery (SSRF)
  • XML External Entity (XXE) Injection
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Cross-Origin Resource Sharing (CORS)
  • Clickjacking
  • DOM-Based Vulnerabilities
  • WebSockets Vulnerabilities
  • Insecure Deserialization
  • Server-Side Template Injection (SSTI)
  • Web Cache Poisoning
  • HTTP Host Header Attacks
  • HTTP Request Smuggling
  • OAuth Authentication

Can you help with SOC2, HIPAA, or PCI?

Yes, our penetration tests can be used to help fulfill compliance requirements for many of the major regulatory frameworks and standards, including SOC 2, HIPAA, and PCI. Our thorough assessments and comprehensive reports provide the necessary documentation and insights to support your compliance efforts.

What deliverables come with a pentest?

All penetration tests come with two primary deliverables:

Penetration Testing Report:

A comprehensive report detailing the findings of the test. This report outlines identified vulnerabilities, their potential impact, and recommendations for remediation. It serves as a valuable resource for your team to address any security gaps.

Attestation Letter:

A letter describing the test and its scope. This attestation letter is perfect for fulfilling client requirements and demonstrating that a professional security assessment has been conducted on your systems.

Who are the pentesters?

Our assessments are performed by experienced US-based security professionals who conduct remote investigations, review documentation, and contribute to the presentation of findings in the report.

Our team holds industry-leading credentials, including OSCP+, OSCP, PWPP, and CEH.

How much does a pentest cost?

The cost of a penetration test varies based on the size and complexity of the project. A penetration test for a simple application or small network generally starts at $4,997. For more complex applications with many user roles or features, or larger networks, we'll provide a fixed-price quote after an initial scoping call to ensure we thoroughly understand your needs and the scope of the testing required.

Can I see a sample report?

Of course, you can download a sample report here.

What does a pentest scoping entail?

Penetration test scoping is a crucial initial step in our process. We begin by meeting with you to understand your specific needs, the scope of the project, and your overall security objectives. During this meeting, we'll ask a few simple yet important questions to gather necessary information about your systems, applications, and network environment. Using this information, we determine the amount of time needed to conduct a thorough and effective penetration test. Based on our assessment, we then provide a fixed-price quote for our services, ensuring transparency and allowing you to budget effectively for the security assessment.

What types of pentests do you offer?

We offer a variety of penetration testing services to meet different security needs:

Websites and Web Applications:
We test for vulnerabilities in your websites and web applications, ensuring they are secure against common and advanced threats. This includes identifying issues like SQL injection, cross-site scripting (XSS), authentication flaws, and more.

External Networks:
Our external network penetration testing focuses on assessing the security of your network's perimeter. We identify and exploit vulnerabilities that could be accessed by attackers from outside your network, ensuring your defenses are robust.

PCI Compliance Tests:
We conduct penetration testing in accordance with the Payment Card Industry Data Security Standard (PCI DSS) requirements. This includes evaluating the security of your Cardholder Data Environment (CDE) to ensure compliance with PCI DSS and protect sensitive cardholder data.

Not ready to book a call?

Grab Your Free Report: What Most CEOs Haven’t Been Told and What’s Coming in 2026

Discover how new regulations, insurance exclusions, and rising data-protection risks are reshaping the financial industry, and what your institution must do now to stay compliant and protected.

Get instant access to the report that every financial leader should read before their next audit.

Download Your Free Report

Fill out the quick form to get your copy delivered instantly.

Cybersecurity Crisis: Download Your Free Copy Now