The idea is basically to look at your technology, pretend to be a bad actor, and test each thing within the "scope", or limits, of the test. This goes by a number of names:
- "Defense penetration testing" (this is technically accurate)
- "Pentesting" (just a shortening of the next one)
- "Penetration testing" (common term)
- "Ethical Hacking" (Pentesting is a portion of ethical hacking)

Then there's "red team", which functions as a benefit to your security team by trying to test security responses. This really deserves its own page, but for now, that's a good explanation of these terms.

Common Stories

Maybe it would work better another way: let's talk about this through stories instead.

The first story starts with a company that's had several bad experiences with hackers, cyber criminals, fraudsters, or other bad guys messing with them. Your team has everything covered as far as fixing the issues, but you're still worried that hackers could get back in, your employees could be victims of further fraud, or something else bad could happen. So after some research online, you find out that you can test the likelihood of this happening again by doing something called a "penetration test" or "security audit". You look for local people to help you with this and call us up to schedule a consultation. On that call we'll discuss your concerns and try to identify what can and can't be tested, technically or against your staff (social engineering), in order to see where the outlying issues are. Maybe we find that there are several tests we can do, such as an in-person wireless network test, a website penetration test (to ensure your website isn't letting people abuse you or your clients), and an external penetration test with the goal of starting outside the company and getting in. We end the call by ensuring that you receive our email stating the goals, and proceed to write up the required approval paperwork and scoping documentation that must be signed before we can legally and ethically proceed with any testing. After the testing is completed, we provide a report of any issues found and schedule another call to discuss the findings.


Another, similar story starts a different way. Your company hasn't seen any bad-guy activity, but wants to meet compliance or other regulatory requirements. Many of these are mandated by state or federal laws, especially for companies embarking on multi-national trade or doing business with financial, legal, medical, or governmental institutions. Sometimes companies don't even know about these requirements until they're demanded by customers or lawyers in these areas.

This can be pretty scary at the end of the day for a small business because it means your company could lose enough money to put you out of business. Having worked in small businesses, as my own company, as a person, and really just living in this area, it's a common problem where people simply can't respond to these types of things.

Luckily, you spent some time talking to your lawyer and they said you'd need your tech team to perform testing. Your technical team comes back saying they're admins and they can show their configurations, but don't really have any clear way to test this for auditors. This is where you call us up. Just like in the situation above, we get on the phone, or maybe talk through email, and discuss these requirements, and we finish by sending an email confirming that this is what the tests should be. We proceed to write up the required documents and get those sent. Once all that's worked out and the start date for testing comes about, we let you know when we're starting and when we're ending, then proceed with the testing and provide reports just as above.

Your technical team will probably be able to provide auditors with the logs from these events, but we provide those services too. Depending on whether we discussed this during that initial call, we can take this a step further and work to prepare these documents to answer on your company's behalf during an audit. We can also assist with defining any limitations or gaps in monitoring and providing them as guidance to your IT team. Don't have an IT team? We'll do the administration for you too if you need it, but we do take a very "strict" approach if this is needed for audits. This may get expensive with all these things, though, so don't worry: we don't intend to push you for more sales. We just don't want you to have to face these sorts of issues alone. We're here to help.
