Penetration Tests

A penetration test is an authorized, simulated cyberattack that identifies weaknesses in, and confirms the strengths of, the cyber resilience of computers, applications or organizations, and that provides the customer with detailed information about the vulnerabilities found.

Compass is committed to working closely with you by providing competent advice during the initial scoping, throughout the entire project, and up to the final delivery of the report and the individual concluding discussion. We go the extra mile to always deliver the best and most sustainable results.

Continuous research and cooperation with leading universities in Switzerland guarantee that our experts always have a high and up-to-date standard of knowledge. This enables us not only to report on existing and known bugs, but also to make specific recommendations to improve your defenses in the long term.

External Penetration Testing

In an external pentest, we analyze your externally exposed infrastructure and search for vulnerabilities and possible direct attack vectors: we first scan the exposed services and then manually test each of them. Identified attack vectors are exploited and proven, in order to identify and measure the risks associated with exploitation of the target’s attack surface.

Common activities for external penetration tests:

  • Host and service discovery
  • Hostname enumeration
  • Vulnerability assessment
  • Exploitation of discovered flaws
  • Hop into internal systems from exploited machines (pivoting)
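The service-discovery step listed above, as an added example that is not Compass Security's own tooling: a minimal TCP connect scan with banner grabbing. To stay offline it starts a throwaway listener on 127.0.0.1 that answers with a constructed SSH-style banner; the host, ports and banner are assumptions for the demo, not real targets.

```python
"""Added example (not the page's or Compass Security's code): TCP connect
scan plus banner grab against a constructed local target."""
import socket
import threading


def start_fake_service(banner=b"SSH-2.0-OpenSSH_9.2 demo\r\n"):
    """Listener on an ephemeral localhost port that greets each client
    with a banner (constructed stand-in for an exposed service)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed -> stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port():
    """Pick a port that is currently not listening (used as the closed-port case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def grab_banner(host, port, timeout=1.0):
    """Connect and read whatever the service volunteers first (SSH, SMTP,
    FTP and many others announce themselves before the client speaks)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode("ascii", errors="replace").strip()
        except socket.timeout:       # silent service: no banner, still open
            return ""


def connect_scan(host, ports, timeout=0.5):
    """Full TCP connect scan: a completed handshake means 'open', a refused
    or timed-out connect means 'closed' (filtered ports are not separated
    here). Open ports get a banner grab in a second connection."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        rc = s.connect_ex((host, port))   # 0 on success, errno otherwise
        s.close()
        if rc == 0:
            results[port] = {"state": "open",
                             "banner": grab_banner(host, port, timeout)}
        else:
            results[port] = {"state": "closed", "banner": ""}
    return results


def demo():
    """Scan one open (fake service) and one closed port on localhost."""
    srv, open_port = start_fake_service()
    closed_port = free_port()
    try:
        return connect_scan("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        srv.close()


if __name__ == "__main__":
    scan, _, _ = demo()
    for port, info in sorted(scan.items()):
        print(f"127.0.0.1:{port} {info['state']} {info['banner']}")
```

On a real engagement the same loop runs against the in-scope address ranges, with the banner and port list feeding the manual testing that follows; a connect scan is noisy and easily logged, which is acceptable for an authorized test but worth telling the customer's SOC about beforehand.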

Internal Penetration Testing

Access to your network can also be obtained through malware, a malicious employee or a connected partner. For such a pentest, we may visit you on-site and simulate an attack from within a specific network segment. We analyze your infrastructure and search for flaws and possible attack vectors, then exploit the discovered problems to gain additional privileges, compromise critical systems and gain access to sensitive data.

Common activities for internal penetration tests:

  • Vulnerability assessment
  • Exploitation of discovered flaws
  • Privilege escalation (local computer and within domain)
  • Search for passwords and key materials (files, configuration, software, repositories, corporate wiki)
  • Network segregation verification
  • Identification and abuse of Active Directory issues (BloodHound, PingCastle, etc.)
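The search for passwords and key material listed above, as an added example that is not Compass Security's own tooling: a small sweep over a directory tree that flags private keys, password assignments, embedded connection strings and AWS-style access key IDs. The file tree, its contents and the detection patterns are constructed for the demo; the patterns are a starting point, not an exhaustive list.

```python
"""Added example (not the page's or Compass Security's code): grep-style
search for credentials and key material in files, run over a constructed
sample tree."""
import os
import re
import shutil
import tempfile

# Indicators a pentester typically searches for. The names and regexes are
# this example's own assumptions; extend them per target technology.
PATTERNS = {
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]+)"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "connection_string": re.compile(
        r"(?i)\b[a-z]+://[^\s:/@]+:[^\s@]+@[^\s]+"),   # scheme://user:pass@host
}

# Binary blobs are skipped; on a real job you would also cap file size.
SKIP_EXTENSIONS = {".png", ".jpg", ".gif", ".zip", ".exe", ".dll"}


def scan_text(text, source):
    """Return one finding per (line, pattern) hit; the snippet is truncated
    so the report does not itself become a credential dump."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append({"source": source, "line": lineno,
                                 "type": name, "snippet": line.strip()[:80]})
    return findings


def scan_tree(root):
    """Walk a directory (share, checked-out repo, wiki export) and scan
    every readable text file."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            if os.path.splitext(filename)[1].lower() in SKIP_EXTENSIONS:
                continue
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:          # unreadable file: skip, do not abort
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings.extend(scan_text(text, rel))
    return findings


# Constructed sample files standing in for a config share and a repo.
SAMPLE_FILES = {
    "app/config.ini": "[db]\nhost=db01\nuser=app\npassword = S3cr3t!\n",
    "deploy/.env": ("DATABASE_URL=postgres://svc:hunter2@db01.corp.local/prod\n"
                    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"),
    "keys/id_rsa": ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                    "b3BlbnNzaC1rZXktdjEAAAAA\n"
                    "-----END OPENSSH PRIVATE KEY-----\n"),
    "docs/readme.txt": "Nothing sensitive here.\n",
}


def build_sample_tree():
    root = tempfile.mkdtemp(prefix="secrets-demo-")
    for relpath, content in SAMPLE_FILES.items():
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Build the sample tree, scan it, clean up, return the findings."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['source']}:{f['line']} [{f['type']}] {f['snippet']}")
```

Every hit still has to be validated by hand (test fixtures and placeholder values are common false positives), and anything confirmed as live is reported with its location rather than its value.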

Application Pentesting

In an application penetration test, we analyze the whole application and search for logical and technical vulnerabilities.

The tests are tailored to the type of architecture and cover, among other things, the OWASP Top 10, the OWASP ASVS, technology-specific weaknesses and newly discovered ones, in order to fully assess the resilience of the target.

This high standard of testing is applied to desktop and mobile apps, whether they are based on web technology or native frameworks.

Types of architecture and technology:

  • Web applications, web services and RESTful APIs
  • Mobile apps (Android & iOS)
  • Client/server architectures (fat clients, e.g., based on Java, C#, or Electron)

Expert Knowledge for Special Requirements

Our specialists cover a wide range of technologies. This allows us to address very specific requirements, whether specialized cloud environments, Internet of Things (IoT) or proprietary hardware devices.


Social Engineering

To verify and improve the awareness of your employees, we perform deception attacks: phishing campaigns based on custom-tailored or current threats, vishing (phone calls) and physical social engineering, where we try to enter your facilities and reach your critical zones and systems. For continuous improvement, we offer yearly phishing subscriptions as well as live hacking presentations and awareness training programs that enable your employees to recognize and counter trust exploitation.


We are glad to provide further information: Your contact person
