Active Directory Audit

Ransomware attacks are on the rise, and the ones with the highest impact take over the whole Active Directory. We must secure these systems to minimize the risk of having our data encrypted and put up for sale on the internet!
How secure are your IT systems really? A penetration test shows where attackers would start - before it’s too late
A penetration test (“pentest” for short) is a security analysis of one or more IT systems. An IT security expert (“pentester”) attempts to uncover as many vulnerabilities as possible in the time available. The tools and procedures used are the same as those used by real attackers. The result of a penetration test is a detailed report with the vulnerabilities found, sorted by severity, and recommended measures to eliminate them.


A cyber attack is expensive! Take precautions now and sleep better at night!
Typical price: from €6,000
Every IT system is different. A penetration test of the internal IT infrastructure, for example, requires a completely different approach and tools than a penetration test of a web application.

What if one of your employees clicks on the wrong email attachment? Will you be able to stop the attack, or will the attackers be able to move laterally from there and take over all your systems? This is why you should conduct an internal infrastructure penetration test. The internal system is just one wrong click away from being “public”.

Cloud services offer enormous flexibility — but that flexibility comes with risk. Misconfigured storage buckets, overly permissive IAM roles, and exposed management interfaces are among the most common causes of cloud security incidents. A Cloud Infrastructure Audit reviews your cloud environment with a read-only account to identify exactly these issues before attackers do.
Supported platforms: Azure, AWS, and GCP.

EntraID (Microsoft Entra ID) is Microsoft’s central identity and access management (IAM) solution—especially in Microsoft 365 environments—and forms the basis for single sign-on (SSO) and access control. A misconfiguration can lead to unauthorized access to company resources or facilitate social engineering attacks. Therefore, this component must be thoroughly tested.

If your system is exposed to the internet, it could potentially be hacked by anyone. Okay, I exaggerate a bit, but I think you understand. Vulnerabilities in your external infrastructure can lead to very bad press and threaten your customers’ personal information. So, it’s better to check once more.

Vulnerabilities in web applications can be very problematic. In the worst case, the entire web server is taken over or confidential customer data is stolen. Therefore, it is especially important to thoroughly test these applications.
Projects are always scoped to your specific situation — but these are common starting points:
Internal security review: An internal IT infrastructure pentest (includes Active Directory testing from an attacker’s perspective) is the core. For a deeper, white-box analysis of AD configuration, an Active Directory Audit is added on top.
Identity-focused (Microsoft stack): An Entra ID Audit combined with a Microsoft 365 Audit covers the full Microsoft identity and productivity environment — the most common combination for organizations running on Microsoft 365.
External exposure check: An External IT Infrastructure Penetration Test assesses what’s visible from the internet. Often paired with an internal pentest for a complete picture of the attack surface.
Application security: A Web Application Penetration Test focuses on a specific web application or API. This is standalone — a separate engagement from infrastructure testing.
Detection and response validation: A Cyber Attack Simulation tests whether your team and tools actually catch an attacker. Typically run after establishing a security baseline through pentests and audits.
Don’t see exactly what you need? All projects are custom-scoped anyway — just get in touch.
New to pentesting or not sure how to scope? The Penetration Testing Buyer’s Guide covers what a pentest actually is, how to choose the right methodology, and how to avoid the most common mistakes.
martin@vidrasec.com | +43 670 3081275