current language
Oman available in the following languages:
or select your TÜV Rheinland region / country website:

Penetration test

Penetration test | TÜV Rheinland

Detect security vulnerabilities in time and protect valuable data. Organizations need to find unknown security holes in devices, networks, IT systems, applications and mobile devices to protect them from hackers

The advancing digitalization is noticeable in every industry and in every company size. Whether in the chemical and pharmaceutical industry, automotive industry, finance and insurance industry or in small and medium-sized enterprises (SMEs), the changes are the same: processes are digitized and systems are interconnected, critical business applications are increasingly web and/or mobile-based and more and more applications and data are being moved to the cloud.

This opens up new attack options for cybercriminals. This development is also confirmed by the results of our Cybersecurity Trends 2020. The trends show that smart supply chains, vehicles and access to personal data are popular targets for cyberattacks. Data has become a new and highly valuable asset that needs to be protected.

The digital transformation requires new thinking on the part of corporate management and IT managers in terms of cybersecurity and data protection measure since cyberattacks represent a challenge in everyday business that should not be underestimated.

Facts about the penetration test | TÜV Rheinland

Therefore, identify potential vulnerabilities in your IT infrastructure by means of a penetration test, check the effectiveness of existing protective measures and find out where systems do not meet the security requirements.

Get an objective assessment of your IT security and discover your vulnerabilities before hackers find them.

Detect security vulnerabilities thanks to pentests

General procedure of a penetration test | TÜV Rheinland

With the help of penetration testing, or pentesting, we check your existing IT infrastructure (networks and IT systems) and web applications (e.g. online shops, customer portals, online banking) and mobile applications for potential vulnerabilities that could provide criminals with a target for cyberattacks. In order to uncover vulnerabilities and security gaps and to optimally assess potential risks, our IT experts proceed as follows:

  1. Preliminary discussion and needs analysis:
    Recording of the status quo to determine the goal and scope of the penetration test, according to your situation and risk profile.
  2. Information gathering:
    Gathering all information relevant to the attack and viewing the company from an attacker's perspective.
  3. Identification of vulnerabilities:
    Detection of potential vulnerabilities through targeted automatic and manual tests. In doing so, we apply similar methods that criminal hackers also use.
  4. Exploitation of security vulnerabilities:
    Detection of vulnerabilities by our testers deliberately exploiting security vulnerabilities and attempting to access protected company data, such as customer data.
  5. Reporting
    Summary of the penetration test results and all vulnerabilities found as well as recommendations for action to remedy them.

In the financial sector as well as in the automotive industry, penetration tests are already part of regulatory requirements. It is to be expected that other industries will follow because, regardless of the industry sector and the size of the company, sensitive data must be protected. We therefore recommend that you regularly check the security of your IT assets.

Different variants of a penetration test

Various methods can be used to identify vulnerabilities. Which option is the right one for your company depends on your existing IT infrastructure In a personal conversation, we determine your needs and analyze the existing systems to find the right penetration test method for you. Take a look at our pentesting portfolio.

External penetration test
Internal penetration test
Adversary Simulation (Red Team Campaign)
IoT Penetration Testing
Web Application Testing
Remote penetration test (hack box)
External penetration test
Internal penetration test
Adversary Simulation (Red Team Campaign)
IoT Penetration Testing
Web Application Testing
Remote penetration test (hack box)

The external penetration test symbolizes the "classic" cyber attack from the outside. Here, our IT security expert attempts to penetrate the company's internal network via the systems accessible from the Internet. The focus of the investigation is on the firewall and systems of the Demilitarized Zone (DMZ - a network that acts as a buffer zone and is monitored by the firewall, such as web or mail servers) in order to subsequently uncover the possibilities of data access or theft. Our experts also try - if allowed - to penetrate the internal network from the DMZ.

In an internal penetration test, the starting point is within the corporate network, i.e. the attacker has already gained access to the internal network. This simulates the case where an attacker is already on an employee's device. Thus, the goal of the internal pentest is to determine what damage can occur if corporate access is criminally misused. An attack from within the company can often cause more damage in less time than an external attack, as some protection systems have already been bypassed or overcome.

In this method, our experts simulate a cyber attack using the tactics, techniques, and procedures of real attackers. We determine the focus and objectives of the Red Team campaign together with you in advance. If required, we work with you to identify the most critical attack vectors - in relation to your cyber resilience - before moving on to an attack simulation.

Compared to a penetration test, the goal of a Red Team campaign is not to uncover as many vulnerabilities as possible, but to achieve the defined campaign objective with a targeted exploitation of relevant vulnerabilities. The results provide you with information about the resilience of your company or division with regard to cyber attacks. In addition, the results help your own experts to optimize internal monitoring systems and processes within the company in order to detect attacks earlier. This minimizes the risk of major damage to your company.

Further information about the Adversary Simulation can be found here in our information flyer.

During the IoT penetration test, our experts check your IoT ecosystem from a hacker's perspective and detect vulnerabilities and security issues. For comprehensive protection, we test the entire IoT ecosystem – all connected services and applications. If required, we can also examine individual components and support you with the following individual services:

  • Security analysis of the IoT devices
  • Security analysis of mobile applications
  • Security analysis of the backend
  • Security assessment of the backend

Read detailed information about IoT penetration testing in our related flyer. Learn more .

The web application testing is a penetration test based on the Open Web Application Security Project (OWASP) Testing Guide. The identification of the OWASP Top 10 vulnerabilities are the focus of the investigation. However, our experts also look for less common application-specific vulnerabilities in order to achieve the best possible level of protection for your web application. Afterwards, we summarize the results of the analysis as well as recommendations for remedying the vulnerabilities in a report.

You can find more information in our flyer Security for your web application .

The hack box enables our experts to perform penetration tests remotely. The remote solution is particularly advantageous when the presence of our colleagues is challenging for various reasons (for example home office workplaces, or large geographical distances). The hack box is a specially configured and protected computer that is delivered by mail. The installation of the hack box into the internal network is designed for simplicity and does not require any special prior knowledge, which makes the collaboration between us and the users easy.

You can find out all the details about the process and handling of the hack box here.

Trust our expertise in the field of penetration testing

Our penetration testing services are applicable to many areas of IT infrastructure. These include applications, networks and infrastructures, embedded systems, online stores, the intranet, IoT devices, and self-programmed software. Because we take a holistic view of IT security in your organization, we also offer testing that focuses on organizational, process, and human vulnerabilities rather than just technology. Tests with a focus that is not exclusively technical include phishing attacks, Red Team campaigns or technical security assessments.

The IT security of your company is what we care about. Therefore, with our cybersecurity testing services, we identify any kind of vulnerabilities and security vulnerabilities before others exploit them. In this way, we provide you with an objective overview of your deficiencies and subsequently support you with the appropriate recommendations for remediation. When it comes to cybersecurity audits, you can rely on our specialist and industry expertise, because testing is in our auditors' blood. We replace insecurity with security and help you protect your assets and the trust of your customers. TÜV Rheinland - tested with certainty.

FAQ - Learn more about penetration testing

Would you like to learn more about penetration testing? Our experts have answered the most important questions for you.

Display all Hide all

What testing methods are used in a penetration test?

Our methods for a penetration test are tailored to the maturity level of your IT security.

For companies with a low level of IT security maturity, our recommendation is to perform a vulnerability assessment, which will automatically reveal most of the known and automatically exploitable vulnerabilities in your systems.

If your company has an average IT security maturity level, our recommendation is to perform a penetration test on your systems. The penetration test uses manual and automated tests to identify and exploit vulnerabilities and security vulnerabilities. This gives our IT security experts a deeper insight into the vulnerability of your systems and networks.

If the maturity level of your IT security is appropriately high due to high-quality security systems and processes, our IT security experts conduct an Adversary Simulation (Red Team Campaign), which simulates a real targeted attack on your company. The results provide you with insights into your company's resilience against a cyber attack and provide answers to the following questions, among others:

  • Is my company capable of detecting a targeted attack?
  • Is my company able to respond appropriately to a cyber attack?
  • Is an attacker able to steal my important assets undetected?

Irrespective of the test methods mentioned, we recommend that a security assessment be carried out by our IT security experts. A security assessment uses structured interviews to identify vulnerabilities and security issues that cannot usually be uncovered using the classic methods of a penetration test.

What is tested during a penetration test?

A penetration test can be applied flexibly. The entire company network (internal and external) can be part of the test, but also only partial areas such as your online shop. Furthermore, (I)IoT devices, embedded systems and/or control units in automobiles can also be the focus of a penetration test.

We help you choose the right approach for your purpose. Contact us for an individual needs analysis.

Are web applications tested according to OWASP?

For a penetration test for a web application, e.g. your online shop, we proceed according to the OWASP (Open Web Application Security Project) Testing Guide and thus also cover the OWASP Top 10. The OWASP Top 10 provides information about the most frequently identified vulnerabilities in web applications.

Are CVSSv3 scores used?

While we generally use our own simplified Risk Rating, on request we can use the Common Vulnerability Scoring System (CVSS), which derives a criticality measure from the essential properties of a vulnerability. Of course, we can also provide the so-called CVSS vector in addition to the CVSSv3 score.

As a small/medium or large business, do I need protection from cyber-attacks and network attacks?

Yes, every company offers a worthwhile target for attackers. Particularly in the case of small and medium-sized businesses, hackers assume that there are fewer security and protection measures in place and therefore prefer to attack them.

Is a one-time penetration test sufficient?

A penetration test is always a snapshot. Both the attacks and the tested infrastructure or application evolve, so that the results of a test become less meaningful over time. Therefore, such tests should be performed regularly. It is not always necessary to test all aspects equally, but you can focus on the changes during a regular test. As a rule, however, a complete retest should be carried out after two years at the latest.

Client applications: a ticking time bomb?

Autonomous driving: Cybersecurity important basis for broad acceptance

This might also interest you

Advanced Persistent Threat

Active hacker protection with threat management

Effective threat management to protect against cyber crime.

more

Business Continuity Management System (BCMS)

Business continuity management systems | TÜV Rheinland

Safeguarding productivity with BCM, IT emergency management and crisis management.

more

ISMS According to ISO/IEC 27001

ISMS According to ISO/IEC 27001

Improve systematic control over your company’s information security.

more

Managed Security Services for your IT Safety

Managed security services – TÜV Rheinland

Place your IT security in good hands with our managed security services.

more

Managed Threat Detection Services

Advanced threat detection and response services | TÜV Rheinland

Risk-based managed threat detection solution for effective security monitoring.

more

Contact

Get in contact with us!

Get in contact with us!

Last Visited Service Pages