Penetration Tests

A penetration test is an authorized, simulated cyberattack that identifies the weaknesses and strengths of the security of systems, applications or organizations and provides the customer with detailed information about the vulnerabilities found.

Compass Security is committed to working closely with you by providing competent advice during the initial scoping, throughout the entire project, and up to the final delivery of the report and the individual concluding discussion. We go the extra mile to always deliver the best and most sustainable results.

Continuous research and cooperation with leading Swiss universities keep our experts' knowledge current. This enables us not only to report existing and known vulnerabilities, but also to make specific recommendations that improve your security in the long term.



External Penetration Testing

In an external penetration test, we analyze your Internet-exposed infrastructure and search for vulnerabilities and direct attack vectors: we first scan your systems and services and then manually test each of them. Identified attack vectors are exploited and proven, so that the risks associated with the exploitation of your exposed attack surface can be identified and measured.

Common activities for external penetration tests:

  • Host and service discovery
  • Hostname enumeration
  • Vulnerability assessment
  • Exploitation of discovered vulnerabilities
  • Pivoting from compromised machines into internal systems
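The first two activities above (host and service discovery, then a closer look at what answers) as an added example; this is not Compass Security's tooling, and on a real engagement the scan itself would be done with nmap or masscan. It shows the core mechanic those tools wrap: a TCP connect attempt per host/port pair, followed by a banner read for services that speak first (SSH, SMTP, FTP), with a timeout for services that wait for the client (HTTP). The two local test services, the "closed port" helper and the banner text are constructed so the script runs offline; hostname enumeration (DNS) is out of scope here.

```python
"""TCP connect scan with banner grabbing (added example, not Compass Security code)."""
import socket
import socketserver
import threading
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    banner: str  # "" when the port is open but the service waited for us to speak


def probe(host: str, port: int, timeout: float = 1.0) -> Optional[Finding]:
    """Connect to one port; return a Finding if it is open, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)       # chatty services send a banner unprompted
            except OSError:              # timeout or reset: open, but silent
                data = b""
    except OSError:                      # refused, unreachable or filtered (connect timeout)
        return None
    return Finding(host, port, data.decode("ascii", "replace").strip())


def discover(hosts: Iterable[str], ports: Iterable[int], workers: int = 64) -> List[Finding]:
    """Scan every host/port pair in parallel and return the open services, sorted."""
    ports = list(ports)
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda t: probe(*t), targets)
    return sorted((f for f in results if f is not None), key=lambda f: (f.host, f.port))


# --- constructed test services so the example runs offline ---------------------

class _ChattyHandler(socketserver.BaseRequestHandler):
    """Mimics a service that speaks first, like SSH (constructed banner)."""
    def handle(self):
        self.request.sendall(b"SSH-2.0-OpenSSH_8.2 constructed-test-banner\r\n")


class _SilentHandler(socketserver.BaseRequestHandler):
    """Mimics a service that waits for the client, like HTTP."""
    def handle(self):
        self.request.settimeout(3)
        try:
            self.request.recv(1)         # returns once the scanner gives up and closes
        except OSError:
            pass


def start_test_service(silent: bool = False):
    """Start a local listener on an ephemeral port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _SilentHandler if silent else _ChattyHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_closed_port() -> int:
    """Bind an ephemeral port and release it again; it is (almost certainly) closed afterwards."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> List[Finding]:
    """Scan one chatty, one silent and one closed port on localhost."""
    chatty, p_chatty = start_test_service()
    silent, p_silent = start_test_service(silent=True)
    try:
        return discover(["127.0.0.1"], [p_chatty, p_silent, free_closed_port()])
    finally:
        chatty.shutdown()
        silent.shutdown()


if __name__ == "__main__":
    for f in demo():
        print(f"{f.host}:{f.port} open  banner={f.banner!r}")
```

The closed port never appears in the result, the silent port appears with an empty banner (the scanner gave up after the timeout), and the chatty port carries the banner text, which is what a tester uses to pick the manual checks for the next step.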


Internal Penetration Testing

Access to your network can also be obtained through malware, a malicious employee or connected partners. In an internal penetration test, we come on site and simulate an attack from an internal perspective. We analyze your internal infrastructure and search for vulnerabilities and possible attack vectors. We exploit the discovered attack vectors to gain additional privileges, compromise critical systems and gain access to sensitive data.


Common activities for internal penetration tests:

  • Vulnerability assessment
  • Exploitation of discovered vulnerabilities
  • Privilege escalation (local computer and within domain)
  • Search for passwords and key materials (files, configuration, software, repositories, corporate wiki)
  • Network segregation verification
  • Identification and exploitation of Active Directory issues (BloodHound, PingCastle, etc.)
  • Windows network attacks (NTLM relay, pass-the-hash, Kerberoasting, delegation abuse, etc.)
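The "search for passwords and key materials" activity above, as an added example that is not Compass Security's tooling (on engagements this is what tools such as Snaffler, gitleaks or trufflehog do against file shares, repositories and wiki exports). It walks a directory tree, skips binaries and oversized files, flags files whose name alone suggests key material, matches a small set of high-signal content patterns, and redacts the secret value before it reaches the report. The sample tree, the rule set and all credentials in it are constructed (the AWS key is Amazon's documented example key).

```python
"""Credential and key-material hunt over a file tree (added example, not Compass Security code)."""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, NamedTuple, Union

# Content rules. Each regex names the sensitive part as the group "secret" where there
# is one, so the report can redact it. Illustrative, not an exhaustive rule set.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"]?(?P<secret>[^'\"\s]{4,})"),
    "aws_access_key": re.compile(r"\b(?P<secret>AKIA[0-9A-Z]{16})\b"),
    "url_with_credentials": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<secret>[^@\s]+)@"),
}
# File names that are worth a look regardless of content (keys, keystores, password DBs).
INTERESTING_NAMES = re.compile(r"(?i)(?:^id_(?:rsa|dsa|ecdsa|ed25519)$|\.(?:pem|key|pfx|p12|ppk|kdbx|jks)$)")


class Hit(NamedTuple):
    path: str      # relative to the scanned root
    line: int      # 0 when the hit is on the file name rather than its content
    rule: str
    evidence: str  # matched text with the secret value replaced by ***


def is_probably_binary(path: Path) -> bool:
    """Cheap binary check: a NUL byte in the first KiB."""
    with path.open("rb") as f:
        return b"\x00" in f.read(1024)


def redact(m: "re.Match[str]") -> str:
    """Never paste live credentials into a report: keep the context, drop the value."""
    text = m.group(0)
    secret = m.groupdict().get("secret")
    return text.replace(secret, "***") if secret else text


def hunt(root: Union[str, Path], max_size: int = 1_000_000) -> List[Hit]:
    """Walk root and return every file-name and content hit, sorted by path and line."""
    root = Path(root)
    hits: List[Hit] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            if INTERESTING_NAMES.search(name):
                hits.append(Hit(rel, 0, "interesting_filename", name))
            if not path.is_file() or path.stat().st_size > max_size or is_probably_binary(path):
                continue
            with path.open("r", encoding="utf-8", errors="replace") as f:
                for line_no, line in enumerate(f, 1):
                    for rule, rx in PATTERNS.items():
                        for m in rx.finditer(line):
                            hits.append(Hit(rel, line_no, rule, redact(m)))
    return sorted(hits)


# --- constructed sample tree: every path, value and "key" below is made up ----------
SAMPLE_FILES: Dict[str, Union[str, bytes]] = {
    "web/appsettings.json": '{ "ConnectionString": "Server=db01;User Id=sa;Password=Winter2020!;" }\n',
    "ops/deploy.sh": "#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                     "curl https://svc:Sup3rS3cret@wiki.corp.example/api\n",
    "ops/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed, not a real key)\n"
                  "-----END OPENSSH PRIVATE KEY-----\n",
    "docs/readme.txt": "Nothing to see here. The password policy requires 12 characters.\n",
    "tools/legacy.exe": b"MZ\x00\x00password=notscanned",   # binary: must be skipped
}


def build_sample_tree(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        if isinstance(content, bytes):
            target.write_bytes(content)
        else:
            target.write_text(content, encoding="utf-8")


def demo() -> List[Hit]:
    """Build the sample tree in a temporary directory and hunt through it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return hunt(tmp)


if __name__ == "__main__":
    for h in demo():
        print(f"{h.path}:{h.line} [{h.rule}] {h.evidence}")
```

Note what does not show up: the "password policy" sentence in readme.txt (no assignment operator follows the keyword) and the `password=` string inside the binary, which is skipped on purpose. Tuning those two decisions, precision of the patterns versus coverage of file types, is most of the work on a real file share.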



Application Penetration Testing

In an application penetration test, we analyze the entire application and search for logical and technical vulnerabilities.

The tests are tailored to the type of application and its technology stack. They cover, among others, the OWASP Top 10, the OWASP ASVS, technology-specific weaknesses and newly discovered vulnerabilities, in order to assess the security of the application as completely as possible.

This high standard of application testing is applied to desktop and mobile applications, whether they are based on web technologies or native frameworks.

Types of applications:

  • Web applications, web services and RESTful APIs
  • Mobile apps (Android & iOS)
  • Client/server applications (fat clients)


Social Engineering

To verify and improve the security awareness of your employees, we perform social engineering attacks: phishing campaigns based on custom-tailored scenarios or current threats, vishing (voice phishing by phone) and physical social engineering, where we try to enter your facilities and gain access to your critical zones and systems. For continuous improvement, we offer yearly phishing subscriptions as well as live hacking presentations and awareness training programs that further train your employees to recognize and counter social engineering attacks.



Special Requirements

Our specialists cover a wide range of technologies. This allows us to address very specific requirements, whether for specialized cloud environments, IoT technology or proprietary hardware devices.





Cyber Risks - Early Detection Made Easy

The SwissBoardForum invites you to the special event «Cyber Risks». In his live hacking session, Ivan Bütler shows which risks our infrastructure is exposed to...

Beer-Talk in Zürich: Bluetooth Low Energy: Protocol, Security & Attacks

More and more devices and gadgets can communicate with each other via Bluetooth Low Energy (BLE). Have you ever wondered what this BLE actually...

Security Training: Secure Mobile Apps

In the two-day course (in German) on May 12/13, 2020, you will learn about the most important security problems of mobile apps.



Vulnerability in Abacus

Ville Koch identified a Cross-Site Scripting vulnerability in Abacus.

We Usually Get In

In an interview with the business newspaper «Finanz und Wirtschaft», Walter Sprenger talks about the motivations and methods of hackers.

SMEs in the Sights of Cybercriminals

On the program «Fokus KMU», an affected business owner describes the impact of the cyberattack on his company. Cyrill Brunschwiler of Compass...


Compass Security Blog

New SMBGhost Vulnerability Affects Modern Windows Systems

A new vulnerability (CVE-2020-0796) affecting SMBv3 has been discovered. The community has started to name this vulnerability SMBGhost because everyone knows this vulnerability is present but no...

Domain-Join Computers the Proper Way

When you add a new computer, it must first join the domain. If you use its future main user to do it, they will become the owner and be able to hijack the computer to become a local administrator in...