WHAT IS IT?!

The idea is basically to look at your technology and threat landscape, pretend to be a bad actor, and attempt to breach whatever we can, based on agreed goals and intentions, within the "scope" or limits of the test.

If the goal was something like "determine if a hacker could get into your corporate network, what would it take to do so and can we do it in 3 weeks", we would start from whatever we could find outside the network and attempt to breach the network perimeter from there. On the other side, if the goal was to act as an attacker already in the network, to show how easy it would be to compromise everything within the network or jump from one network to another, more private network, we could send a small computer to plug into the network you want tested and we'd attempt to pivot from there.

There are several things discussed before starting any pentest. One of those is the "crown jewels", or the things you really want to keep hackers away from at all costs. If a real hacker got those, you'd basically feel like that's game over for your company. Big goals. There's also a need to discuss stopping points. For example, if you're just trying to test the perimeter and we are able to show code execution on a web server that has access to the internal network, that may be enough to say stop there.

Common Stories

Maybe it would work better another way: let's talk about this as stories instead.

The first story starts with a company that's had several bad experiences with hackers, cyber criminals, fraudsters, or other bad guys messing with them. Your team has everything covered as far as fixing the issues, but you're still worried that hackers could get back in, your employees could be victims of further fraud, or something else bad could happen. So after some research online you find out that you can test the likelihood of this happening again by doing something called a "penetration test" or "security audit". You look for local people to help you with this and call us up to schedule a consultation. On that call we'll discuss your concerns and try to identify what can and can't be tested, technically or against your staff (social engineering), in order to see where the outlying issues are. Maybe we find that there are several tests we can do, such as an in-person wireless network test, a website penetration test (to ensure your website isn't letting people abuse you or your clients), and an external penetration test with the goal of starting outside the company and getting in. We end the call by ensuring that you receive our email stating the goals, and proceed to write up the approval paperwork and scoping documentation that must be signed before we can legally and ethically proceed with any testing. After the testing is completed we provide a report of any issues found and schedule another call to discuss the findings.
 

Compliance

Another, similar story starts a different way. Your company hasn't seen any bad-guy activity, but wants to complete compliance requirements or meet various regulatory requirements. Many of these are mandated by state or federal laws, especially for companies embarking on multi-national trade, or doing business with financial, legal, medical, or governmental institutions. Sometimes companies don't even know about these requirements until they're demanded by customers or lawyers in these areas.

This can be pretty scary at the end of the day for a small business because it means your company could lose enough money to put you out of business. Having worked in small businesses, as my own company, as a person, and really just living in this area, it's a common problem where people simply can't respond to these types of things.

Luckily you spent some time talking to your lawyer and they said you'd need your tech team to perform testing. Your technical team comes back saying they're admins and they can show their configurations, but don't really have any clear way to test this for auditors. This is where you call us up. Just like in the situation above, we get on the phone, or maybe go through email, and discuss these requirements. We finish by sending an email to confirm that this is what these tests should be. We then write up the required documents and get those sent. Once all that's worked out and the start date for testing comes around, we let you know when we're starting and when we're ending, proceed with the testing, and provide reports just as above.

Your technical team will probably be able to provide auditors the logs from these events, but we provide those services too. Depending on whether we discussed this during the initial call, we can take this a step further and prepare these documents to answer on your company's behalf during an audit. We can also help define any limitations or gaps in monitoring and provide them as guidance to your IT team. Don't have an IT team? We'll do the administration for you too if you need, but we do take a very "strict" approach if this is needed for audits. All of this may get expensive, though, so don't worry: we don't intend to push you for more sales. We just don't want you to have to face these sorts of issues alone. We're here to help.

All rights reserved. Feemco Technologies

© 2025
