FAQ
A list of frequently asked questions (FAQs) and answers around our service offerings
We offer a wide range of assessment-based services, customised to suit your business requirements.
We are proud to offer project flexibility options such as cancellations and reporting customisation, in addition to a flexible pricing structure.
Penetration test pricing is usually calculated from the time a resource needs to test the functions of an asset, e.g. the number of servers, VLANs, hosting environments and physical locations in a company, or the number of dynamic pages, input fields and privilege levels in an application. Depending on the client and environment, further complexities are added into the time calculation, such as custom features, architectural complexity, positioning in the network, hosting facilities, etc. Therefore, a walkthrough or a knowledge document as a prerequisite to scoping always improves accuracy.
Our assessment pricing is transparent about the sub-elements of a project, based on the utilisation of resources on a man-day basis. This is further categorised into phases according to the nature of the assessment and the objectives agreed. Once we have your requirements, we produce a customised proposal, including pricing, to help you make an informed decision.
We understand that customers have deadlines to meet. We also understand that go-lives can be delayed when penetration tests are not scheduled in time.
Penetration testing activities such as planning, preparation and execution need time; therefore we ask all our clients to give us 3-4 weeks of lead time. With that said, depending on timing and requirements, we may be able to fulfil urgent project requirements. Please get in touch as soon as you are confident of your timelines.
The duration of an assessment varies with the size of the asset in scope. For instance, an application with multiple pages of dynamic content and form fields takes longer to assess than a static website with a simple search function. Similarly, network-based assessments factor in restrictions, size and accessibility when determining timescales.
Unauthenticated and authenticated exercises differ in timescales because of the lead time required to build knowledge of the asset's functionality.
We are often asked how to meet compliance requirements and whether our assessments would be sufficient evidence for an audit. Our assessments comply with the highest penetration testing standards, such as CREST, and cover well-known standards such as OWASP, the SANS Critical Security Controls, the CIS Controls and NIST standards. Please ensure that you discuss these prerequisites with your Defendza account manager before moving forward.
Client servicing underpins everything we do.
Our comprehensive reporting provides both strategic and tactical recommendations.
Post-engagement, we offer a free-of-charge debrief in which we walk through the project, explain the risks identified and help customers prepare a remediation plan.
Our web and phone support is available to all customers, and we promise to answer all queries within 24-48 hours.
We take customer communication as seriously as reporting or assessment execution. We engage with customers throughout a project and ensure that customer contacts are kept up to date in language they understand. Post-engagement, a free debrief is conducted to help management as well as technical audiences understand the weaknesses and prepare a mitigation plan.
In a typical asset lifecycle, a penetration test is conducted at least once a year.
During changes such as an infrastructure refresh, major upgrades or modifications, a penetration test is advised so that you are aware of the gaps introduced by the changes to infrastructure (applications, systems, networks). Some compliance requirements, such as PCI DSS, sector-based commission technical audits and vendor assurance requirements, mandate regular penetration tests.
Defendza adheres to the CREST code of conduct, ensuring high technical standards of professional security testing. We identify the fragility of the assets in scope and adjust our assessments accordingly. Our methodology ensures that all our assessments are designed to be performed safely, without disrupting everyday business.
Low-level attacks and Denial of Service attacks are explicitly deemed out of scope for all assessments.
This depends on the project requirements. For internal network penetration testing, wireless security penetration testing and internally accessible assets, onsite assessments are performed at the customer's premises, data centre or service provider site.
In many cases, penetration testing can be performed remotely. We provide our external IP addresses for every remote assignment so that the customer's logging and monitoring processes and procedures are aware of this activity.
Defendza's assessment methodology is reviewed by CREST, and we adhere to CREST's code of conduct to ensure we maintain high technical standards during professional security assessments.
For penetration tests, our methodology encompasses OWASP and the SANS Top 20 Critical Controls; CIS, NIST or other standards are included on customer request.
While automated scans are useful for identifying low-hanging fruit such as missing patches or common vulnerabilities, they do not provide an in-depth review of an asset.
During a penetration test, the majority of the execution phase is manual; however, Defendza uses automated tools such as port scanners and web proxies for specific activities as an early step in the engagement. A penetration test uncovers flaws, such as business logic issues, that an automated test would otherwise miss.
A vulnerability scan uses automated tools to identify known weaknesses. No exploitation of weaknesses is involved in this test.
A penetration test is an in-depth assessment focussed on identifying and exploiting weaknesses to measure the impact and likelihood of an attack. It combines automated and manual approaches to identify hidden weaknesses.
Defendza's assessment methodology ensures a rigorous examination of your assets, i.e. networks, web applications, web services and/or mobile applications, to identify and exploit a range of security vulnerabilities. These assessments vary in size and scope according to the drivers of the engagement and business decisions. The three penetration test strategies are black box (without prior knowledge), grey box (with some knowledge) and white box (with all information) assessments.
Learn more about our range of offerings here
A penetration test is an exercise to identify technical risks affecting the software and hardware in scope. An accurately scoped penetration test provides assurance that products, security configurations and controls are configured in line with good practice, and that no common or publicly known vulnerabilities affect the assets in scope at the time of the test.
A penetration test is a form of cyber security assurance provided by demonstrating weaknesses in an asset. The objective of this assessment is to identify security weaknesses in the target networks, applications and/or systems that could negatively impact a customer's business or reputation if they led to the compromise or abuse of systems.