Pentest

Active Directory Security Audit

Active Directory Audit, test and audit AD, ransomware defense, second line of defense

An Active Directory Audit is a white-box security assessment of your on-premises Active Directory that identifies misconfigurations, dangerous permissions, and attack paths leading to domain takeover, before an attacker or ransomware can exploit them.

Ransomware attacks are on the rise, and the ones with the highest impact take over the whole Active Directory. We must secure these systems to minimize the risk of having our data encrypted and put up for sale on the internet!

Internal IT Infrastructure Penetration Test

Internal penetration test, test internal IT infrastructure, ransomware prevention

An Internal IT Infrastructure Penetration Test simulates an attacker who already has a foothold inside your network (for example after a phishing click) and tests whether they can move laterally and reach Domain Admin.

What if one of your employees clicks on the wrong email attachment? Will you be able to stop the attack, or will the attackers be able to move laterally from there and take over all your systems? This is why you should conduct an internal infrastructure penetration test. The internal system is just one wrong click away from being “public”.

How Much Does a Penetration Test Cost?

How penetration test pricing works: day rate, timebox, and what decides the final cost

“What does a pentest cost?” is the question I get asked the most, and the honest answer is always “it depends.” That’s not a dodge. A pentest is billed by effort, not sold as a fixed product, so the real question underneath it is what decides how much effort a given project actually needs. This post explains exactly that.

Pentest Provider Checklist for DACH SMBs

Checklist for choosing a penetration testing provider as a small or mid-sized company in the DACH region

Choosing a penetration testing provider is hard when you are not a security specialist yourself, which is the situation most SMBs are in. The market is full of confident sales pitches, and the difference between a genuinely useful test and an expensive compliance checkbox is not obvious from a brochure. This checklist gives you the specific questions to ask and what good answers sound like.

What a NIS2-Ready Pentest Looks Like for a 50 to 500 Person Company

What a NIS2-ready penetration test looks like for a mid-sized 50 to 500 person company in the DACH region

NIS2 has pulled thousands of mid-sized companies into a compliance regime they never had to think about before. If you run IT at a 50 to 500 person company in the DACH region, you have probably been told you need to “do something about NIS2,” and that a penetration test is part of it. This article explains, plainly, what a NIS2-ready pentest actually looks like and what auditors expect to see.

Boutique Single-Operator Pentest vs. Large Firm vs. PTaaS: How to Choose

Comparison of a boutique single-operator pentest, a large security firm, and a PTaaS platform for choosing a penetration testing provider

You need a penetration test, and the market offers three very different shapes of provider: the boutique single operator, the large security firm, and the PTaaS platform. They are priced differently, they deliver differently, and they are not interchangeable. This guide compares them on the factors that actually change the outcome.

The Penetration Testing Buyer's Guide: Scope Right, Spend Smart

Penetration testing buyer's guide, scoping, blackbox vs greybox, choosing the right provider

You’ve decided you need a penetration test. Good call. But before you sign a proposal, there’s a lot that can go wrong: wrong scope, wrong methodology, wrong expectations. The result is a report that collects dust and a budget that got wasted.

This guide is written for the people buying pentests, not the people running them. It covers what a pentest actually is, when to do one, what to expect, and how to avoid the most common and expensive mistakes.

Cloud Infrastructure Security Audit

Cloud Infrastructure Audit, Azure, AWS configuration review, IAM, cloud security

A Cloud Infrastructure Audit is a read-only, white-box review of your Azure, AWS, or GCP environment that finds misconfigurations, over-privileged IAM roles, and exposed services before attackers do.

Cloud services offer enormous flexibility, but that flexibility comes with risk. Misconfigured storage buckets, overly permissive IAM roles, and exposed management interfaces are among the most common causes of cloud security incidents. A Cloud Infrastructure Audit reviews your cloud environment with a read-only account to identify exactly these issues before attackers do.

Supported platforms: Azure, AWS, and GCP. For Azure environments, cloud IAM misconfigurations are frequently intertwined with Entra ID role assignments and Conditional Access, both are often reviewed together.

Entra ID Security Audit

EntraID Audit, Azure AD / Microsoft Entra ID configuration review, identity management

An Entra ID Audit (formerly Azure AD) is a white-box review of your Microsoft Entra ID tenant that uncovers identity and access misconfigurations, weak Conditional Access policies, and privilege escalation paths.

EntraID (Microsoft Entra ID) is Microsoft’s central identity and access management (IAM) solution, especially in Microsoft 365 environments, and forms the basis for single sign-on (SSO) and access control. A misconfiguration can lead to unauthorized access to company resources or facilitate social engineering attacks. Therefore, this component must be thoroughly tested.

External IT Infrastructure Penetration Test

External penetration test, test external IT infrastructure and attack surface

An External IT Infrastructure Penetration Test assesses your internet-facing systems (servers, VPNs, mail, remote access) for exploitable vulnerabilities and exposure that an attacker could use to gain a foothold.

If your system is exposed to the internet, it could potentially be hacked by anyone. Okay, I exaggerate a bit, but I think you understand. Vulnerabilities in your external infrastructure can lead to very bad press and threaten your customers’ personal information. Regular external infrastructure penetration testing keeps that attack surface in check.

Web Application Penetration Test

Web Application Penetration Test, test web apps for vulnerabilities, OWASP

A Web Application Penetration Test is a manual security assessment of a web application and its APIs, focused on the OWASP Top 10: broken access control, injection, authentication flaws, and business logic vulnerabilities.

Vulnerabilities in web applications can be very problematic. In the worst case, the entire web server is taken over or confidential customer data is stolen. Therefore, it is especially important to thoroughly test these applications.