Real Pen Tests Done By Real People.

Let us find the weak links in your network perimeter and web applications.

Providing network reconnaissance, enumeration,vulnerability scanning, exploitation attempts, social engineering, and real-time cyber threat analysis, Digital Spotlight Pen Testing 2.0 is a unique blend of theoretical and actual risk identification.

What Is Pen Testing?

penetration test, or pen test, is an authorized simulated cyber attack on one or more computer systems, applications, networks or devices. It is performed to evaluate the security of the system under test. The web server penetration testing is performed to identify security weaknesses (also referred to as vulnerabilities), that can lead to a full breach or damage to Confidentiality, Integrity or Availability (also known as CIA) of the information, application or device.

Digital Spotlight’s website pen testing service can help you identify issues and fix the issues to prevent a major cybersecurity breach.

Vulnerability scanning and penetration testing are terms that are used interchangeably but are ultimately different services. In plain terms, if we imagine that your application or network is a locked door, a vulnerability assessment trying to identify all the possible locks that exist on the door. Penetration testing, on the other hand, is where an ethical hacker takes their big bag of “keys” (these are tools, techniques, and procedures) and attempts to open each one of the locks with every single “key”, hoping to open the door — but with permission.

Digital Spotlight performs the following types of penetration testing:

  • Black box external network testing
  • Web application testing (credentialed)
  • Internal “post-breach” simulation testing
  • Social engineering
  • Mobile application (iOS / Android)
  • Wifi network

Penetration Testing

Also known as Pen Testing, this is an authorized, controlled and simulated cyber attack service that is conducted on one or more computer systems, applications, networks or devices. It is performed to evaluate the security of the system under test.

While Vulnerability Scans look for known security issues, a vulnerability scan does not attempt to exploit them as a Pen Test does. Penetration Testing takes the extra step and uses tools, techniques and procedures that hackers use to attempt to exploit any identified vulnerabilities and any other flaws in the configuration or business logic that may exist.

The goal of a Pen Test is to always try to impact any of the Confidentiality, Integrity or Availability (CIA) of the device, application or service being tested.

Unlike many organizations, Digital Spotlight will not simply identify an issue and move on to the next finding. We will identify the issue, produce evidence that it can be exploited, discuss the issue in plain terms with your team, and we will also recommend ways to fix the issues. Furthermore, all Digital Spotlight Penetration Tests come with a free targeted re-test (contact Digital Spotlight for details).

Pen Test Categories

In general, there are two categories of penetration testing or “pen test” that customers usually want: customer-driven / compliance-driven, OR penetration tests that attempt to exploit people, process or technology with the objective of breaking into the network and gaining access to digital assets  and/or measuring the actual security effectiveness of the organization.

Scenario 1 Pen Testing

Customer-Driven or Compliance-Driven

Example: “We have a new web application and one of our biggest clients / partners needs us to get a 3rd party pen test performed for their risk team or auditor”.

This scenario is quite common with many start-up organizations.  The ultimate goal is to receive a clean bill of health (or report) that can be shared with an external audience that shows rigorous security testing was performed and the target being tested responded very well with some minor issues.

In this type of situation, Digital Spotlight will first work with your team to ensure the proper type of testing is performed so that an auditor or risk team will accept it.  We will test the target with a variety of methods, including vulnerability scanning and manual penetration testing.  Once it is completed, we will deliver a technical report outlining any verified issues as well as how to resolve them.  When the remediation phase is completed and all the important issues and vulnerabilities are fixed (Critical, High, and Medium severity at a minimum), Digital Spotlight will retest the findings and re-issue the report, also including an executive summary that can be shared with a 3rd party audience.

In some cases, regular penetration testing services are required (yearly, bi-annually or quarterly).  Digital Spotlight is happy to work with your team to provide these continuous services so that development can keep on top of issues prior to any new software or service launch.

Scenario 2 Pen Testing

Breach the Network (Red Team Exercise)

Example:  “We are looking to test and improve our overall cybersecurity posture and we need an ethical hacker to try to break into our network.”, OR “We would like to test the detection and response capability of our security controls / security operation center.”

This scenario describes a more traditional penetration test.  This type of pen test (also called a Red Team exercise) simulates an adversarial role and is a far more realistic way to test the security readiness of an organization.  This testing covers exploitation attempts against People, Process, and Technology.

There are two phases to this type of operation.  First, we need to breach the network perimeter and get invited into the network by an insider.  This is usually done using social engineering techniques (e.g. phishing).

Given enough time and effort, social engineering will almost always work.  So, in order to reduce the scope and budget required, Digital Spotlight will often begin testing from an inside position (i.e. as if an insider has clicked the wrong link or opened a malicious attachment).  From that vantage point, your internal security posture can be measured in terms of “did you see us / did you stop us?”.  Or, there can be a specific objective such as retrieving a file from an executive fileshare.

Why Choose Digital Spotlight?

At Digital Spotlight, we believe that every client is unique and each project should be treated as priority #1.  Our team members are highly credentialed penetration testing and cybersecurity professionals (CISSP, OSCP, OSWP, CJIS Level 4, CompTIA Security+, IBM Certified Application Developers, etc.) and are absolutely the best that the industry has to offer.

We guarantee professional, timely, accurate results and ensure that each client is 100% satisfied with the work that is delivered.

1) Requirements Discussion

The initial kick-off typically involves email exchanges, phone call discussions with team members, meetings and possibly a demonstration of the test targets (if required). The objective is to collect enough information to build a Proposal.

2) Service Proposal

Next, Digital Spotlight will deliver a Proposal to the Client. The Proposal will contain a high-level Statement of Work (SoW) and a Quote for the requested services. Once both parties are satisfied with the Proposal contents, Digital Spotlight will send a DocuSign version for electronic signature.

3) The Paperwork

Any legal paperwork that is required by the Client or Digital Spotlight shall be exchanged at this stage. This can include such documents as a Non-Disclosure Agreement (NDA) or a Master Services Agreement (MSA) if there is ongoing work required.

4) Invoicing for Services

Once the paperwork has been exchanged and the testing is ready to begin, a deposit will be required from the Client according to the Terms outlined in the signed agreement.

5) Test Initiation

At this point, the testing shall be scheduled and team members will be assigned to the effort.

6) Initial Technical Report Delivery

After the first round of testing has been completed, an Internal Detailed Findings Report shall be delivered to the Client within 2-3 business days if possible. The Client is welcome to engage the testing team in discussion to review results and question any findings and remediation guidance that they provided.

7) Remediation of Discovered Issues

At this stage, the Client should begin the work to remediate any Critical, High and Medium severity issues identified by Digital Spotlight during the initial penetration testing. Low and Informational severity findings are items that were not exploitable, and should be resolved in the fullness of time.

8) Targeted Retesting

For penetration testing service offerings, Digital Spotlight will retest any issues that were identified during the initial penetration test and have been fixed. It is desirable that this retesting be done within a single test window within 90-120 days following the initial test.

9) Final Report Delivery

Digital Spotlight shall offer the Client the option of two final reports if required:
i) Internal Detailed Report – A technical report showing original findings, and any successfully remediated issues. Suitable for internal use.
ii) External Summary Report – This is a high-level summary of outstanding issues. Technical descriptions of outstanding issues are summarized but not detailed and can be shared with interested 3rd parties requiring evidence of testing.