Penetration Testing Services
Malware. Ransomware. Social engineering schemes. Brute force attacks. How confident are you that your protective measures are effective against current and emerging cyberattacks?
Independent penetration testing is the ultimate gauge of cyber defense effectiveness. Kroll’s CREST-certified experts have unique insights into the cyber risk landscape, including the tactics, techniques and procedures (TTPs) attackers typically deploy to gain access to digital assets.
Using real-world hacker techniques, we simulate attacks on your organization to identify gaps in your security. Common targets include the internet perimeter, internal and external network infrastructure, websites, databases, applications, and even your employees.
Don’t assume a crack is too small to be noticed, or too small to be exploited. If you do a penetration test of your network and 97 things pass the test but three esoteric things fail, don’t think they don’t matter.
Our five-phase approach incorporates two powerful sources of insight: the front-line experience of our global team of preeminent cyber investigators and the real-time threat intelligence gleaned from sophisticated technology resources, including our patent-protected dark web tools. For organizations whose cyber maturity is advanced, we can also provide red teaming exercises (on a one-time or periodic basis) that focus on specific objectives and scenarios provided by your team.
At the conclusion of our penetration testing, we provide substantive evidence of our findings and can recommend countermeasures to reduce your risk.
Kroll’s Five-phase Penetration Testing Approach
Project Initiation
Our experts work with your team to define goals and objectives, with a focus on high-value assets.
Information and Intelligence Gathering
Using reconnaissance techniques, we collect and examine publicly available information about your company and employees to identify potential attack vectors. Our review includes public websites, social media, domain registries and dark web data.
Threat Modeling Exercise
Kroll experts analyze the reconnaissance information, identify potential attack vectors and develop a plan of attack for testing.
Attack Execution
We attempt to access your organization's environment using methods employed by real-life adversaries. The attack targets your IT infrastructure, websites, applications and employees.
Reporting and Consultancy
Our final report summarizes our actions during testing, details the weaknesses we identified and includes remediation guidance to reduce the risk of compromise by a real-life adversary.
- Named the Best Cyber Security Consultancy by the National Law Journal for the past four years. Kroll has assembled an exceptional team with a proven track record in penetration testing services.
- Senior team members have each spent decades working in cybersecurity, and our award-winning penetration testers are certified to some of the highest global industry standards, including CHECK, CREST (CCT/CRT), and SANS (GIAC).
- Our testers have diverse backgrounds in information technology, application development and cyber investigations. This experience enables them to anticipate evolving and emerging cyber threats for our clients across industries and jurisdictions.
Comprehensive Related Services
- Network Penetration Testing – External and Internal
- Application Penetration Testing – External and Internal
- Web Application Penetration Testing
- IoT Device Penetration Testing
- Dark Web Risk Exposure
- Social Engineering Exercises
- Red/Blue Team Exercises
- Due Diligence Assessments
Pen Testing Case Study
Baseline Assessment Including Pen Testing – Multidivisional Professional Services Company
An international, multidivisional professional services company was looking for a baseline assessment to prepare for ISO 27001 certification. Kroll conducted an assessment that included external and internal vulnerability assessments and penetration testing. Kroll presented the client with a detailed report that described its level of maturity as assessed against the ISO 27001 control objectives and included recommendations for improvement.
To validate your confidence in your current measures and learn where to focus resources moving forward, contact one of our testing experts today.
Frequently Asked Questions
What is penetration testing?
Penetration testing, also known as pen testing, is the authorized assessment of networks, systems, applications and websites to identify security weaknesses so that they can be addressed before an attacker exploits them. It complements automated scanning: some vulnerabilities, such as flaws in business logic or chains of individually low-severity issues, cannot be detected by automated tools. Organizations are advised to commission penetration testing at least once per year, with additional assessments following significant changes to infrastructure and prior to product launches, mergers or acquisitions.
What are the different types of pen testing?
Types of pen test vary in focus, depth and duration. They include: internal and external infrastructure penetration testing, which assesses on-premises and cloud network infrastructure; wireless penetration testing, which targets an organization's WLAN and the wireless protocols it uses; web application testing, which assesses websites and custom applications delivered over the web; mobile application testing, which examines applications on Android and iOS for authentication, authorization, data leakage and session handling issues; and build and configuration reviews, which examine network builds and configurations.
Why is penetration testing important?
Penetration testing is an important part of maintaining cyber security and addressing gaps in your organization's defenses. It should be a core element of every organization's security program to keep pace with the fast-evolving threat landscape. Because threats constantly evolve, every organization is advised to commission penetration testing at least once a year, and more frequently when making significant changes to infrastructure, launching new products and services, undergoing a merger or acquisition, or preparing for compliance with security standards.
What steps are involved in penetration testing?
High-quality penetration testing services apply a systematic methodology to ensure that all relevant aspects are covered. In the case of a black-box external network pen test, once the engagement has been scoped, the tester conducts reconnaissance, scanning and asset mapping to identify vulnerabilities that can be exploited. Once a foothold on the network has been established, the tester attempts to move laterally and escalate privileges in order to compromise additional assets and achieve the objective of the engagement. The final stage is the delivery of a detailed report.
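The scanning and asset-mapping step described here and in the Information and Intelligence Gathering and Threat Modeling phases above turns raw scan output into a prioritized list of attack vectors. The following is an added example, not Kroll's tooling: it parses scan results in the nmap grepable (-oG) line format into an asset map and ranks the exposed services a tester would look at first. The scan output (TEST-NET-3 addresses, no real hosts) and the ranking categories are constructed for this example and are not an industry standard.

```python
"""Asset mapping and attack-surface triage from scan output (added example)."""
import re

# Constructed sample of `nmap -sV -oG -` output against a hypothetical
# perimeter range (TEST-NET-3 addresses, no real hosts).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 203.0.113.0/28
Host: 203.0.113.5 (www.example.test)\tStatus: Up
Host: 203.0.113.5 (www.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/\tIgnored State: closed (997)
Host: 203.0.113.7 ()\tStatus: Up
Host: 203.0.113.7 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 445/open/tcp//microsoft-ds///, 21/filtered/tcp//ftp///\tIgnored State: closed (997)
Host: 203.0.113.9 (db.example.test)\tPorts: 3306/open/tcp//mysql//MySQL 5.7.42/\tIgnored State: filtered (999)
# Nmap done: 16 IP addresses (3 hosts up) scanned
"""

# Service-name categories used to prioritize findings. These are the
# example's own heuristic: services that routinely give an external
# attacker a foothold or direct access to data. (category -> (names, weight))
EXPOSURE_CATEGORIES = {
    "database reachable from the internet": (
        {"mysql", "ms-sql-s", "postgresql", "mongodb", "redis"}, 3),
    "remote administration service": (
        {"ssh", "ms-wbt-server", "telnet", "vnc"}, 2),
    "file sharing or legacy protocol": (
        {"microsoft-ds", "netbios-ssn", "ftp"}, 2),
}

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)\t(?P<rest>.*)$")


def parse_gnmap(text):
    """Build {ip: {"hostname": str|None, "ports": [...]}} from -oG output.

    Only ports in state "open" are recorded; filtered and closed ports are
    noise for the attack plan. Each port entry in -oG output has the form
    port/state/proto/owner/service/rpc/version/ with a trailing slash.
    """
    assets = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        host = assets.setdefault(m["ip"], {"hostname": m["name"] or None, "ports": []})
        for field in m["rest"].split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue  # malformed entry: skip rather than guess
                port, state, proto, _owner, service, _rpc = parts[:6]
                version = "/".join(parts[6:]).strip("/")  # version may itself contain "/"
                if state != "open":
                    continue
                host["ports"].append(
                    {"port": int(port), "proto": proto,
                     "service": service, "version": version})
    return assets


def triage(assets):
    """Rank open services by the example's exposure categories.

    Returns findings sorted by descending weight, then by IP and port, so
    the top of the list is where the attack-execution phase starts.
    """
    findings = []
    for ip, host in assets.items():
        for p in host["ports"]:
            service = p["service"].split("|")[-1]  # "ssl|http" -> "http"
            for category, (names, weight) in EXPOSURE_CATEGORIES.items():
                if service in names:
                    findings.append({
                        "ip": ip, "hostname": host["hostname"],
                        "port": p["port"], "service": service,
                        "version": p["version"],
                        "category": category, "weight": weight})
    findings.sort(key=lambda f: (-f["weight"], f["ip"], f["port"]))
    return findings


if __name__ == "__main__":
    asset_map = parse_gnmap(SAMPLE_GNMAP)
    for ip, host in asset_map.items():
        ports = ", ".join(f"{p['port']}/{p['service']}" for p in host["ports"])
        print(f"{ip:15} {host['hostname'] or '-':20} {ports}")
    print()
    for f in triage(asset_map):
        print(f"[{f['weight']}] {f['ip']}:{f['port']} {f['service']} "
              f"{f['version'] or ''} - {f['category']}")
```

On the sample, the internet-facing MySQL instance ranks first, ahead of the SSH, RDP and SMB services; the filtered FTP port is dropped because it is not confirmed open. In a real engagement the version strings feed the vulnerability-identification step, and the categories would be tuned to the client's threat model rather than fixed as here.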
How long does penetration testing take?
The duration of a penetration test will depend on the scope of the test and the nature of the organization. Factors affecting penetration testing duration include network size, whether the test is internal or external facing, whether it involves any physical penetration testing and whether network information and user credentials are shared prior to the penetration testing engagement. Your chosen vendor should discuss your options with you and agree what works best for your organization prior to starting the penetration testing.
How frequently should pentesting be carried out?
All organizations are advised to conduct a penetration test at least once a year, as well as after any significant upgrades or modifications to the company network. Given the rapid rate at which new exploits are discovered, quarterly tests are highly beneficial. Regular penetration tests are often required for compliance with regulations such as PCI DSS.
What happens after penetration testing is completed?
To support remediation, a pen test should be judged on whether it delivers actionable guidance that drives tangible security improvements. After each engagement, the tester assigned to the test should produce a custom written report that details each weakness identified, assesses its risk and outlines recommended remedial actions. A provider may also offer a telephone debrief following submission of the report.
How much does penetration testing cost?
Penetration testing costs vary widely, so it is essential to ensure that the testing you select achieves the best security outcomes for your budget. Every organization has its own testing requirements, and pricing varies according to the type of test performed, its objectives and its duration. The cost ultimately depends on the issues and requirements identified during the initial scoping phase.
How is penetration testing conducted?
Penetration testing as a service uses the tools, techniques and procedures employed by genuine criminal hackers. At Kroll, our five-phase approach incorporates two powerful sources of insight: the front-line experience of our global team of leading cyber investigators and the real-time threat intelligence gleaned from sophisticated technology, including our patent-protected dark web tools. For organizations whose cyber maturity is advanced, we can also provide red teaming exercises (on a one-time or periodic basis) that focus on specific objectives and scenarios provided by your team.
Will penetration testing affect business operations?
Because penetration testing involves exploiting vulnerabilities, a clearly defined scope is needed to ensure that testing does not disrupt business operations or fall foul of the law. A good pen testing provider should work closely with you to minimize disruption during the testing process, and should agree in advance how the security of your systems and assets will be maintained throughout.
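The scope agreed at the start of an engagement is only protective if the tester's tooling enforces it before any target is scanned or exploited. As an added example (not Kroll's code or process), the following check applies an agreed scope to candidate targets: explicit exclusions always win over inclusions, and testing is only allowed inside the agreed window. The networks, hostnames, timestamps and window are constructed for illustration and are not real client assets.

```python
"""Scope enforcement for a penetration test (added example)."""
import ipaddress
from datetime import datetime, time, timezone

# Constructed scope agreed with a hypothetical client.
SCOPE = {
    "in_scope_networks": ["203.0.113.0/24", "198.51.100.0/26"],
    "in_scope_hostnames": ["*.example.test"],
    # Exclusions: a production host, a management subnet carved out of an
    # in-scope range, and a payments front end the client will not allow.
    "excluded": ["203.0.113.10", "198.51.100.0/28", "payments.example.test"],
    # Agreed testing window in UTC as (start, end); end may be past midnight.
    "window_utc": (time(1, 0), time(5, 0)),
}

# Constructed timestamps used by the demo and tests (inside / outside the window).
IN_WINDOW = datetime(2024, 3, 1, 3, 0, tzinfo=timezone.utc)
OUT_OF_WINDOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)


def _as_network(item):
    """ip_network for an IP or CIDR string (a bare IP becomes a /32 or /128); None for a hostname."""
    try:
        return ipaddress.ip_network(item, strict=False)
    except ValueError:
        return None


def _hostname_matches(pattern, hostname):
    """Exact match, or a "*.suffix" wildcard that covers subdomains only."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:])  # "*.example.test" -> ".example.test"
    return hostname == pattern


def _listed(target, items):
    """True if target (an IP string or a hostname) is covered by any item."""
    addr = _as_network(target)
    for item in items:
        net = _as_network(item)
        if addr is not None and net is not None:
            if addr.version == net.version and addr.subnet_of(net):
                return True
        elif addr is None and net is None and _hostname_matches(item, target):
            return True
    return False


def _in_window(now, window):
    start, end = window
    t = now.astimezone(timezone.utc).time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end  # window wraps past midnight


def check_target(target, now=None, scope=SCOPE):
    """Return (allowed, reason) for one target.

    Exclusions are checked first so that a host carved out of an in-scope
    range is never tested, whatever the inclusions say. Pass `now` to also
    enforce the testing window.
    """
    if _listed(target, scope["excluded"]):
        return False, f"{target}: explicitly excluded"
    if not (_listed(target, scope["in_scope_networks"])
            or _listed(target, scope["in_scope_hostnames"])):
        return False, f"{target}: not in the agreed scope"
    if now is not None and not _in_window(now, scope["window_utc"]):
        return False, f"{target}: outside the agreed testing window"
    return True, f"{target}: in scope"


def filter_targets(targets, now=None, scope=SCOPE):
    """Split a candidate list into (allowed targets, rejection reasons)."""
    allowed, rejected = [], []
    for t in targets:
        ok, reason = check_target(t, now, scope)
        (allowed if ok else rejected).append(t if ok else reason)
    return allowed, rejected


if __name__ == "__main__":
    candidates = ["203.0.113.5", "203.0.113.10", "198.51.100.3", "198.51.100.20",
                  "192.0.2.1", "www.example.test", "payments.example.test"]
    for when in (IN_WINDOW, OUT_OF_WINDOW):
        ok, rejected = filter_targets(candidates, now=when)
        print(f"at {when.isoformat()}: allowed={ok}")
        for r in rejected:
            print("  rejected:", r)
```

Two design points matter in practice. First, exclusions are evaluated before inclusions, so a single excluded host inside an in-scope /24 stays untouched. Second, this check does not resolve hostnames: a wildcard such as *.example.test can point at third-party hosting that the client has no authority to permit testing against, so the resolved IP of every hostname should be run through the same network check before it is scanned.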
CREST has accredited Kroll as a global Penetration Testing provider.