Regular penetration testing is a fundamental part of meeting your organisation’s cybersecurity and compliance goals
Regular penetration testing ensures that weaknesses in company systems are identified so they can be addressed, protecting against cyber-attack
Regular penetration testing provides assurance to stakeholders that your systems and applications are secure
Blackfoot’s comprehensive range of penetration testing services make finding and fixing security weaknesses in your networks and systems simple, no matter how complex your environment might be.
Powered by Blackfoot’s industry-leading penetration test platform, results are easily and quickly shared for quick resolution.
Manual penetration testing is an essential component of a robust cybersecurity strategy.
While automated tools are valuable for identifying known vulnerabilities efficiently, manual testing offers the depth, creativity and nuanced analysis necessary to uncover more complex security weaknesses and provide actionable insights to improve an organisation’s security defences.
Blackfoot’s manual penetration testing, or exploit testing, builds on vulnerability assessment results to simulate real-world attack methods.
Unlike automated vulnerability scanning, our manual penetration testing is delivered by our highly skilled testers who actively seek to progress vulnerabilities through the cyber kill-chain. They will assess the security of your environment by employing a combination of tools, techniques and, most importantly, creativity. As a CREST-certified organisation, Blackfoot penetration tests follow an approved, structured methodology.
A Blackfoot penetration test starts with a well-defined scope that dictates the targets to be tested in a five-stage approach:
Information gathering
During this phase, our testers use open source intelligence (OSINT) to gather and collate publicly known information about the organisation to facilitate a cyber-attack.
Network mapping and target enumeration
This stage maps the application and local and adjacent network environments, to determine routes to business-critical systems and the enumeration of services presented by in-scope systems including service versions.
Target and vulnerability analysis
Once all services have been mapped and identified, analysis of the identified services will be performed to identify known vulnerabilities and common weakness and misconfiguration.
Controlled exploitation attempts of all identified vulnerabilities
Exploitation attempts are performed using known, verified methods. Common vulnerabilities such as injection-based attacks may require manual exploitation and generation of custom payloads created by the Blackfoot internal research team.
Access review and privilege escalation
Often, initial exploitation can result in unprivileged access to a system. Post-exploitation testing can be performed to elevate a threat actor’s privilege or allow lateral movement. These actions feed back into stage one and the process is repeated until the test objectives are achieved.
Blackfoot’s range of penetration and vulnerability testing services not only assess the security of your systems, but come with a host of value add services to give you actionable, insightful intelligence to keep your systems and data secure.
Protect your organisation’s perimeter with Blackfoot’s external network penetration testing
Improve your internal network cybersecurity with Blackfoot’s internal network penetration testing
Ensure your web applications are secure with Blackfoot’s web application penetration testing
Ensure your mobile applications are secure with Blackfoot’s mobile application penetration testing
Protect your application connections and APIs with Blackfoot’s API penetration testing
Ensure your wireless networks are secure with Blackfoot’s Wi-Fi security testing
Validate your PCI DSS network segmentation for scope reduction with Blackfoot’s PCI DSS network segmentation testing
Call us on +44 (0) 203 393 7795
Q: What is penetration testing?
A: Penetration testing, often referred to as pen testing, is a structured security assessment in which qualified professionals simulate real-world attacks against your systems, applications or infrastructure. The objective is to identify and exploit security vulnerabilities before a malicious actor does, providing evidence of your actual security weaknesses and practical recommendations for remediation.
Q: What is CREST accreditation and why does it matter for pen testing?
A: CREST is an internationally recognised not-for-profit accreditation body for the technical security industry. CREST-accredited penetration testing organisations and testers have demonstrated their competence through rigorous technical examinations and are subject to a professional code of conduct. Choosing a CREST-accredited provider such as Blackfoot gives you confidence that your testing is conducted to a recognised professional standard, and satisfies the requirements of many compliance frameworks and client due diligence processes.
Q: How often should penetration testing be carried out?
A: Most organisations conduct penetration tests at least annually, and additionally following significant changes to systems, applications or infrastructure. Compliance frameworks such as PCI DSS prescribe specific testing frequencies and scopes. In practice, the right frequency depends on your risk profile, the rate of change in your environment, and the assurance requirements of your clients or regulators. Blackfoot can help you design a testing programme that matches your specific needs.
Q: What is the difference between a penetration test and a vulnerability scan?
A: A vulnerability scan uses automated tools to identify known vulnerabilities in systems and configurations. It produces a list of potential weaknesses but does not verify whether they are actually exploitable. A penetration test goes further: a qualified tester uses a combination of automated tools and manual techniques to attempt to exploit identified vulnerabilities, chain findings together and understand the real-world impact of a successful attack.
Penetration testing provides significantly deeper assurance than vulnerability scanning alone.
Q: What deliverables will we receive following a penetration test?
A: Following a penetration test, you will receive a detailed report covering the scope and methodology of the assessment, a description of all findings with their severity rating and evidence, the potential business impact of each vulnerability, and clear remediation recommendations. Blackfoot reports are structured to be useful for both technical teams who will action the findings and senior leadership who need to understand the overall risk picture.
Q: What is PCI DSS network segmentation testing?
A: PCI DSS requires that organisations using network segmentation to reduce the scope of their cardholder data environment must periodically test the effectiveness of that segmentation. Segmentation testing verifies that systems outside the defined cardholder data environment cannot communicate with systems inside it in a way that would expand the scope of compliance. Blackfoot provides PCI DSS network segmentation testing as part of our PCI testing and audit services.
Call us on +44 (0) 203 393 7795
*Fill in the fields below
We’ll keep you informed about potential risks and vulnerabilities that could impact your digital assets.