Would you like more information about pentesting?
Then simply get in touch with our experts.

Nikolas Rösener
Security Expert
- cyber-security@ohb-ds.de
- 0421220950
A pentest (short for penetration test or penetration testing/pentesting) is a comprehensive security test of individual computers or networks of any size using the means and methods that an attacker would use. With the help of penetration testing, we can check your IT infrastructure for errors and gaps. Our goal is to simulate a realistic attack on your company, for example, by putting ourselves in the shoes of a criminal hacker or insider.
With our pentest, we check whether we can discover security-critical points in your systems that could be exploited by these actors to steal data or gain access to your IT infrastructure.
Types of pentests differ in terms of target, aggressiveness and scope, among other things. If you're not sure which pentest is right for you or your company, it's worth taking a look at our magazine article.

Our team conducts penetration tests in various scenarios, taking into account threats from external and internal actors, and thus reliably identifies the gateways for botnets & ransomware.
Using a methodical approach in accordance with our ethical hacking code and recognized tools, our certified penetration testers will find vulnerabilities in your company before others exploit them. We then help you to stay one step ahead of the hackers through regular reviews or your own vulnerability management!
Depending on the customer, industry and other criteria, we create a plan that suits your company - we coordinate our approach with you in detail.

Our approach allows us to offer each customer highly customized options to make the pentest as effective as possible. Everything is possible, from a purely passive approach to a pure vulnerability analysis to the active exploitation of security gaps. Any security gaps found are documented in detail and evaluated individually depending on the industry and company. In addition, we provide you with specific recommendations on how to remedy the identified security gaps.
We take a modular approach in order to be able to test industry-specific characteristics more thoroughly. While a complete system penetration test is highly recommended for a bank, this is not always the case for a 3-person software startup – at the same time, an OSINT analysis is recommended in both cases. Together, we can develop a structure for your penetration test that will help you in the long term and, in addition to optimal coverage of relevant and industry-specific security mechanisms, also guarantees customer-specific solutions and realistic implementation proposals.
It is important to us that our pentest solution is tailored to you, your company, and your industry and can be implemented realistically.

Our certified experts in IT security and penetration testing work in accordance with the highest aerospace standards and the standards of the German Federal Office for Information Security (BSI).
Over the years, we have adapted our procedure to be customer-friendly and transparent. You have full control over what we are allowed to test, at what times and with what aggressiveness.
This enables us to ensure that you can carry out your work without any problems and that our tests run smoothly.

A pentest is a snapshot in time. The constant advance of digitalization in all industries is always susceptible to security vulnerabilities. Hardware ages, systems need to be updated and people need regular training.
That's why we offer regular staff training, both actively in the form of workshops and passively through phishing simulations. These simulations are particularly well suited for documenting current knowledge levels and progress. We send realistic phishing emails with typical characteristics that a trained eye would recognize. This approach is called social engineering and is usually the first step taken by an active attacker who aims to penetrate a system. Social engineering allows attackers to obtain information such as passwords and other sensitive data – and statistics show that they do just that! The number of phishing attempts has been rising sharply for years. This issue is more relevant than ever, especially since the coronavirus pandemic and the rise of working from home.
Awareness is therefore one of the major issues of our time. It is no longer enough to have a firewall, a spam filter, or a security officer. Employees must be actively trained, and at the same time, their knowledge must be regularly tested to ensure that they do not pose a security risk. The pressure to act has increased enormously in this area.
Regular penetration tests, reviews of defensive measures, and awareness workshops are as essential as vehicle inspections for anyone who wants to stay safe on the road.
IT pioneer Nikolas Rösener - Security Expert at OHB Digital Services
In our opinion, no automated pentest tool can currently replace a qualified penetration tester: So-called "Dynamic Application Security Testing" (DAST tools for short) or vulnerability scanners are often touted and advertised as a cost-effective alternative to professional pentesting. Due to the wide range of programming languages and technologies, the increasing complexity of application logic, the large number of application areas and the lack of standardization in the dialog processes between client and server, you should not rely exclusively on pentest tools or vulnerability scanners these days.
DAST tools can certainly be used as a supplement for certain vulnerabilities or in build environments. However, these tools are unsuitable as a panacea and should therefore primarily be used as support.
There are no laws in Germany that directly oblige a company or public authority to carry out a penetration test. There are only regulations on (1) the security and availability of data relevant to tax and commercial law, (2) the handling of personal data, and (3) the establishment and design of an internal control system. Companies are obliged to take measures to ensure the availability, confidentiality, and integrity of the relevant data. The measures taken are reviewed at regular intervals to ensure that the systems comply with legal requirements. Penetration tests are used for this purpose, among other things.
A pentest is designed to identify any existing vulnerabilities and exploit them securely. As the client, you must expect that your IT systems may be impaired or that irregularities in business operations may occur. Under certain circumstances, this can be avoided or minimized by using development or integration environments. We therefore plan the necessary measures before the pentest in order to keep potential disruptions to a minimum. For example, it may be useful for you to provide an employee to monitor the penetration test and inform us if we need to stop the pentest. We may also make (additional) data backups and draw up a contingency plan if this is not already in place. If the so-called white box approach is chosen for the pentest, additional information or a contact person for the pentester must be provided. You can find out more about the types of pentest and the white-box approach here.
