Methodology

Our approach emphasizes mapping the attack surfaces of environments to determine a baseline of risk to your organization. All of our services provide detailed and actionable recommendations to strengthen the overall security posture of your environments and ultimately, your organization.

Penetration Testing Methodology

How we approach Penetration Tests and Vulnerability Assessments can be summarized as:

• Intelligence Gathering
  • Passive reconnaissance of an environment
• Discovery and Probing
  • Active reconnaissance
  • Probing ports, protocols, services
• Vulnerability Analysis
  • Testing services for vulnerabilities
  • Automated vulnerability scanning
• Exploitation
  • Exploiting vulnerable services
  • Verifies automated scanning
• Post-Exploitation
  • Showing impact through exploitation analysis, attack chaining, etc.

Adversary Emulation Methodology

Purple and Red Team Assessments are approached somewhat differently and revolve around scenarios and actionable objectives to show impact and effect of specific risks. They allow defenders and incident responders to practice breach response procedures and plans in realistic scenarios to prepare them for a real breach.

• Initial Access
  • Reconnaissance
  • Social Engineering
  • Exploitation
  • Evasion
  • Command and Control
  • Persistence
• Propagation
  • Discovery
  • Privilege Escalation
  • Lateral Movement
• Objectives
  • Collection
  • Exfiltration
  • Manipulation

Frameworks & Standards

Our vulnerability severity scoring follows NIST¹ CVSS² v3.1 and where applicable we adhere to OWASP³ guidelines, specifically the OWASP Top Ten and OWASP Application Security Verification Standard (ASVS). To calculate risk, we combine the CVSS severity score with our own criteria, based heavily on context specific to the system(s) and organization being assessed. Any TTPs⁴ we use are mapped to MITRE ATT&CK⁵, where possible.