Penetration Testing

We believe that we exist to secure the connected and grant the opportunity of a better online life. Penetration testing helps you achieve that.

We demonstrate this in the way we conduct our Penetration Testing. Just running a bunch of scripts from a laptop with Kali installed is not penetration testing. We use experience, skill, research and human intuition to provide the best penetration testing on the market.

Penetration Testing with Hedgehog

Penetration Testing is also known as pen testing or ethical hacking. It is the systematic process of discovering security weaknesses and vulnerabilities within people, process and technology.

Penetration testing is about viewing your network, application, device, or physical security through the eyes of an attacker. Penetration testing helps to identify cybersecurity vulnerabilities in people, process and technology. An experienced penetration tester can locate:

    • Where a hacker might target you
    • How they would attack
    • How your defences would fare
    • The possible magnitude of the breach

Penetration testing seeks to identify flaws and weaknesses in people, process and technology. Most commonly, penetration testing identifies security issues in networks, systems and applications. 

Cheap automated penetration testing tools exist, and they can identify some cybersecurity issues, but proper penetration testing manually considers and confirms all of the automated results. It is the results of real penetration testing that accurately determine the business’s vulnerability to attack.

In the complex cybersecurity landscape, penetration testing has become a must for most industries. For many organisations and businesses, it is the law to conduct penetration testing at least annually. For instance:

  • Health organisations under the GDPR and DPA
  • Financial institutions test for FCA compliance
  • Businesses accepting or processing payment cards must comply with Payment Card Industry standards
  • Regional and local governments under the CESG rules; and
  • All companies with personal information of individuals under the GDPR and DPA.
 

Even businesses that might think they don’t have any valuable information to protect could be at risk of someone trying to take over the network, install malware, disrupt services, and more. The rise in ransomware attacks and extortion since the COVID outbreak has been incredible. For many of the victims of these attacks, penetration testing would have identified the cybersecurity weaknesses before the attack. With so many bad actors out there, penetration testing keeps up with evolving technology.

During a penetration test, the attackers, played by our penetration testers, act on your behalf to find and test the security weaknesses that criminals or people with malicious intent could exploit. We do this following a methodology. The best way to think of a methodology is as a recipe book: it is the guide at the centre of everything we do on penetration tests. Our methodology is the Penetration Testing Execution Standard. For Web Applications we further incorporate the OWASP Testing Guidelines v4.

The Hedgehog Testers

Our penetration testing team are all cyber security professionals who spend 25% of their year researching new techniques, understanding the latest attacks and keeping up their professional qualifications. A lot of time is spent going to conferences, speaking at conferences, helping teach youngsters and working within our mentoring project.

Our testers use the skills honed within this time to mimic the methods used by criminals. They do this without causing you damage. All of our penetration testing staff have one thing in common, and that is the level of qualification they must possess prior to conducting any form of penetration testing on client assets.

At Hedgehog, we recognise the OSCP and the CREST CRT as the minimum level of qualification for carrying out any penetration testing. This means that all staff involved in your penetration test will be very well qualified for the job at hand.

7 Steps of Penetration Testing

There are seven steps to any penetration test in our methodology: Pre-Engagement, Intelligence Gathering, Reconnaissance, Vulnerability Analysis, Exploitation, Post-Exploitation and Reporting.

Pre-Engagement is one of the most critical steps in ensuring success in your penetration test. This is where we work together to rigorously define the scope and the goal of the test. We do this through a scoping call, and you can book these at a time and date convenient to you.

During the scoping call for your penetration test, we are looking to identify exactly what needs testing, how complex it is and how much time we will need to use to complete the penetration test to the best of our capability. We will also look to identify the goal of the penetration test. The goal could be as simple as “identify all the exploitable vulnerabilities”. It could be a lot more complex such as “pivot through an exploited host and attack the internal network to gain access to client data.”

Having a well-defined scope is the key to the success of your penetration test. This is why we can never answer the question “how much is a penetration test?” until we have had a call to discuss your penetration testing scope.

The second step in a penetration test is Intelligence Gathering, and it is a two-part process. At Hedgehog, the first part is done in the background, normally a week before your test start date. The vast majority of the intelligence gathering phase is performed by automated scripts; the same scripts are typically used within the penetration test too, for more targeted needs. Essentially we are looking to gather as much information about your business and your penetration test scope as we can from available public sources.

During the second part of the intelligence gathering phase, we review the output from the first part and any documents or information you have provided us. This is typically done the day prior to your penetration test starting. We will scour the internet, and to an extent the dark web, to identify any further information or data that could be beneficial to your test. The typical documentation we are looking for includes system architecture, data flow, infrastructure, concepts, password hashes, names, identities etc.

What is the purpose of this? Well, imagine if we were to find the company’s internal information in a forgotten bit-bucket somewhere. This could be used in the penetration test to help gain access to systems. Equally, it will help identify any potential client information left exposed. It all goes to helping complete the most comprehensive penetration test available to you and ensure a positive return on your investment.

The reconnaissance phase of every penetration test builds on the Intelligence Gathering stage through the use of active, in-depth technical review of the scoped environment. We will delve into each of the systems/applications in scope to identify the component structure and map all of the points of interaction.

This part of penetration testing is vitally important to the success of the test. We will look to identify every point of interaction that a user can have with a system, application or target. We will identify the technologies used and whether there are any easy wins to be had. This is done through port scanning, passive information analysis, mapping and analysis. The goal of this phase is for our penetration testers to understand the scoped environment in its full extent.

Vulnerability Analysis is the most time-consuming aspect of every penetration test. It starts with a series of reviews of the scoped environment using various vulnerability scanning tools. We typically use a number of scanners and tools to aid in the rapid analysis of vulnerabilities. Our primary tool for vulnerability analysis is Secure, our in-house developed vulnerability scanner. Secure uses a number of internally developed processes as well as commercial scanners including Nessus, OpenVAS and NeXpose.

The output from the vulnerability analysis phase is a list of identified known vulnerabilities. Every one of these vulnerabilities is then manually reviewed and validated. Once the automated scans are complete and the vulnerabilities confirmed, the tester moves on to attempting to find unknown vulnerabilities manually. With Web Application testing, the bulk of the time is spent in manual vulnerability analysis. Unknown vulnerabilities are commonly known as zero days, and these can exist in many different areas of the scope. This is why vulnerability analysis is the most time-consuming step.

The exploitation phase of the penetration test is where we take all the vulnerabilities we have identified and use them to try and reach the goal set out in the Pre-Engagement step. We review each of the vulnerabilities, identify any exploits available for use and perform exploitation in a safe and controlled manner.

In a Web Application penetration test, this might lead us to bypass authentication controls or use other users’ accounts. We may be able to access information that would usually be protected by session management and authentication and authorisation controls.

In an Infrastructure pen test, this might result in the tester being able to sniff passwords on the network or gain access to a server. The goal of exploitation is to work towards achieving the objectives of the test incrementally.

Once an exploit is successful, the entire pen test process restarts at Intelligence Gathering within the context of the exploited system or application. Exploitation testing can be extremely time-consuming, so it must be conducted in a very controlled manner.

During the post-exploitation aspect of the penetration test, your pen tester will be analysing all of the gathered data and the results of individual tests. The analysis includes categorising the detected vulnerabilities and prioritising them per the business and technical context. It is during this step that further testing needs are identified, and the tester will loop back and test or retest specific areas so that complete scope coverage is assured.
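The vulnerability analysis and post-exploitation steps above describe three things a tester does with scanner output: merge the results of several scanners, record the outcome of manually validating each finding, and prioritise what remains by business and technical context. The following Python script is an added example written for this page; it is not Hedgehog’s own tooling nor the [Secure] platform. The two scanner result sets, the asset criticality values, the validation states and the weighting scheme are all constructed assumptions chosen to illustrate the idea, and the CVE identifier is a labelled placeholder rather than a real CVE.

```python
"""Triage of vulnerability-scanner findings: merge the output of several
scanners, deduplicate, apply the tester's manual validation and rank by
technical severity combined with business context (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Finding:
    """One raw finding as emitted by a single scanner."""
    host: str
    port: int
    title: str
    cvss: float
    cve: Optional[str]   # None when the scanner reports no CVE
    source: str          # which scanner produced it


@dataclass
class MergedFinding:
    """A deduplicated finding that may have been reported by several scanners."""
    host: str
    port: int
    title: str
    cvss: float
    cve: Optional[str]
    sources: Set[str]


Key = Tuple[str, int, str]


def finding_key(host: str, port: int, cve: Optional[str], title: str) -> Key:
    """Two scanners describe the same issue when host, port and CVE match;
    without a CVE, fall back to a case-insensitive title match."""
    return (host, port, (cve or title).strip().lower())


def merge_findings(*scanner_outputs: List[Finding]) -> Dict[Key, MergedFinding]:
    """Fold every scanner's findings into one dictionary keyed by finding_key."""
    merged: Dict[Key, MergedFinding] = {}
    for findings in scanner_outputs:
        for f in findings:
            key = finding_key(f.host, f.port, f.cve, f.title)
            if key in merged:
                m = merged[key]
                m.sources.add(f.source)
                m.cvss = max(m.cvss, f.cvss)  # keep the most pessimistic score
            else:
                merged[key] = MergedFinding(f.host, f.port, f.title, f.cvss, f.cve, {f.source})
    return merged


# Weighting of manual validation states (assumed scheme, not a standard).
VALIDATION_WEIGHT = {
    "false_positive": 0.0,         # scanner was wrong; drop from the report
    "unvalidated": 0.5,            # not yet reviewed; carry at reduced weight
    "confirmed": 1.0,              # reproduced manually
    "confirmed_exploitable": 1.5,  # reproduced and used in the exploitation phase
}


def priority_score(m: MergedFinding, state: str, asset_criticality: Dict[str, int]) -> float:
    """Technical severity (CVSS) scaled by business context (asset criticality)
    and by how far manual validation has got."""
    return m.cvss * asset_criticality.get(m.host, 1) * VALIDATION_WEIGHT[state]


def prioritise(merged: Dict[Key, MergedFinding], validation: Dict[Key, str],
               asset_criticality: Dict[str, int]) -> List[Tuple[MergedFinding, float]]:
    """Return (finding, score) pairs, highest priority first; unreviewed
    findings default to the 'unvalidated' state."""
    scored = [(m, priority_score(m, validation.get(key, "unvalidated"), asset_criticality))
              for key, m in merged.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample output from two scanners (not real scan data).
# "CVE-EXAMPLE-0001" is a placeholder identifier, not a real CVE.
NESSUS_OUTPUT = [
    Finding("10.0.0.5", 445, "SMB Signing not required", 5.3, None, "nessus"),
    Finding("10.0.0.5", 443, "OpenSSL heartbeat information disclosure", 7.5, "CVE-EXAMPLE-0001", "nessus"),
    Finding("10.0.0.9", 22, "SSH weak MAC algorithms enabled", 2.6, None, "nessus"),
]
OPENVAS_OUTPUT = [
    Finding("10.0.0.5", 443, "OpenSSL TLS heartbeat read overrun", 7.5, "CVE-EXAMPLE-0001", "openvas"),
    Finding("10.0.0.5", 445, "SMB signing not required", 5.3, None, "openvas"),
    Finding("10.0.0.20", 80, "Apache HTTP Server end-of-life version", 9.8, None, "openvas"),
]

# Constructed business context: how critical each in-scope host is (1 = low, 3 = high).
ASSET_CRITICALITY = {"10.0.0.5": 3, "10.0.0.20": 2}


def triage_example() -> List[Tuple[MergedFinding, float]]:
    """Run the whole pipeline over the constructed sample data."""
    merged = merge_findings(NESSUS_OUTPUT, OPENVAS_OUTPUT)
    # The tester's validation notes after manual review (constructed);
    # 10.0.0.20:80 is deliberately left unreviewed.
    validation = {
        finding_key("10.0.0.5", 445, None, "SMB signing not required"): "confirmed",
        finding_key("10.0.0.5", 443, "CVE-EXAMPLE-0001", ""): "confirmed_exploitable",
        finding_key("10.0.0.9", 22, None, "SSH weak MAC algorithms enabled"): "false_positive",
    }
    return prioritise(merged, validation, ASSET_CRITICALITY)


if __name__ == "__main__":
    for m, score in triage_example():
        print(f"{score:6.2f}  {m.host}:{m.port}  {m.title}  [{', '.join(sorted(m.sources))}]")
```

Two design choices matter here. Keying on host, port and CVE (with a normalised title as fallback) is what collapses the two differently worded Heartbleed-style entries and the two SMB entries into one finding each, which is the aggregation the text describes. The false-positive weight of zero means a scanner hit the tester could not reproduce drops to the bottom of the ranking instead of being silently deleted, so the report can still show that it was reviewed.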

The very last stage of the penetration test is the summarisation of the testing and the drawing of a conclusion.

At the end of every engagement is a test report. The report details what was done, what was found, and what should be fixed. These may be:

  • Inadequate or improper configuration settings
  • Known or previously unknown software or hardware flaws
  • Operational gaps within business processes or technical controls.

Hedgehog Security is a CREST approved member company operating in the UK, across Europe, the Middle East and Asia. Hedgehog Security is authorised to conduct Penetration Testing, Vulnerability Assessments and Cyber Security Consulting, as well as carrying out Cyber Essentials assessments through IASME.

Our Approach to Penetration Testing

Our approach to every test follows the Penetration Testing Execution Standard and the OWASP Testing Guidelines in their current form. These methodologies are then wrapped into our CREST approved testing methodology.

Understand the environment, system or application involved in the penetration test. Gather any intelligence from public sources.

Explore and map out the parts of the environment to be tested in the penetration test. Overlay the OSINT data gathered in the previous step. Create a picture of the client.

Search for exploitable vulnerabilities that may exist in exposed services, APIs, people, applications or hardware.

Attempt to exploit identified vulnerabilities within the penetration test scope using a combination of public exploits, commercial tools and internally developed tools and exploit code.

Document everything that has been performed, what works and what didn’t and create a risk focused test report that provides the right level of detail. Present the client with the penetration test report.

A penetration test can be performed as a black-box test, where the tester has zero knowledge of the environment. A grey-box penetration test is where the tester has minimal information. A white-box test is where the tester has a starting knowledge of the environment. For the ultimate in penetration testing, we can perform a comprehensive Red Team style test.

All tests are performed by highly qualified penetration testers. All testers are OSCP, OSWE and CREST CRT qualified. We simulate real-world attacker techniques, and our testing comprehensively covers all necessary aspects to satisfy FCA, PCI-DSS and Government requirements for a penetration test.

What does a Pentest cost?

There appears to be much secrecy in the cybersecurity and pentesting industry over the cost of penetration testing. While this is true to an extent, it is mostly because every test is a little different: the number of systems involved, the depth of penetration testing, the goals required and the technologies all vary the cost, some in a small way and others to a great extent.

To help visitors to our site understand the costs involved, we put together the following examples based on our most common tests. These are provided purely as a guide to the cost of penetration testing.

Example tests, their scope and the possible price range for each:

Test Type: Internal Penetration Testing
Scope: Internal penetration testing against all internal systems. This comprises:
  • 50 Windows workstations (a mix of PCs and laptops) on one single Active Directory domain
  • 4 Windows servers (all VMs on one VMware server)
  • 3 printers
  • VoIP phone system
  • 2 wireless networks
Possible Price Range: £4750.00 to £6650.00

Test Type: Mobile App Penetration Testing
Scope: Mobile application penetration testing of one Android-based mobile application. Simple user interface that is used to collect field data from a user on jobs and send that data back to a cloud-based server. No local information is stored on the application and all authentication is performed across the mobile networks to the application server.
Possible Price Range: £1900.00 to £3800.00

Test Type: Web Application Penetration Testing
Scope: A web application penetration test against a single PHP application based on the Laravel framework that allows users to subscribe to our service, create news feeds and blog entries and sell their goods on our platform.
  • 50 dynamic pages
  • 100+ static pages
  • 300 points of interaction
  • 3 card payment options for client use
  • 3 user levels: Admin, Shop Staff and Customer
Testing must meet requirement 11.3 of the PCI-DSS due to the card payments.
Possible Price Range: £3800.00 to £6650.00

These are of course just examples. We regularly perform penetration testing engagements for clients from 1 day up to 60 days. It is all dependent on the scope of the test.

Penetration Testing versus [Secure]

[Secure] is our online Attack Surface, Vulnerability Management and Cyber Risk monitoring platform. For all subscribers to [Secure] we offer 20% off all Penetration Tests. We do this because, as good as vulnerability scanning is, it is not a penetration test. To put it into the context of the Approach section above, [Secure] will only do two sections of the methodology: Reconnaissance and Vulnerability Assessment.

In order to get a full picture of Cyber Risk you must combine the regular use of [secure] with scheduled penetration tests.

Penetration Testing versus Vulnerability Scanning

Vulnerability Scanning is a simple process. It is where a piece of software scans the IP address or URL to identify any known vulnerabilities. To put it into the context of the Approach section above, a vulnerability scan will only do one section of the methodology: Vulnerability Assessment. It will inform you of a single vulnerability or multiple vulnerabilities that the scanner is aware of. Just like anti-virus products, some are better at detecting some vulnerabilities than others are, so it can often be necessary to run a couple of different scanners.

Common Vulnerability Scanning Tools

There are a number of different vulnerability scanning tools available. Some are commercial with price tags from small to very large and some are open source. Here is a small selection:

All of these have their pros and cons. The one that is slightly different is Secure. Secure combines all of the above scanners into one single view, with the aggregated results presented in one single vulnerability report.

Establishing your Cyber Risk through Vulnerability Scanning

In order to get a full picture of your Cyber Risk you must combine the regular use of vulnerability scans on a weekly or monthly cycle with scheduled penetration tests.

Types of Penetration Testing Performed

In the table below, you can see our core areas of penetration testing along with the common objectives and the benefits the testing brings to the business. Along with this, we have included an example price. The example price is based around a typical small engagement for a small business with outsourced IT systems, 2 web applications and 50 staff.

For an accurate price on your pentesting needs, simply call or email us and we will be more than happy to have a scoping call and provide you with an accurate cost and timescale.

Our Test Type: External Penetration Test
Objective: Identify and exploit vulnerabilities on systems, services and applications exposed to the internet.
Benefit: Understand risks to assets exposed to the internet. Identify each vulnerability and determine the need for fixing.

Our Test Type: Internal Penetration Test
Objective: Simulate a malicious insider or an attacker that has gained access to an end-user system, including escalating privileges, installing custom malware or extracting critical data.
Benefit: Understand risk to the business from a breach. Identify each vulnerability and determine the need for fixing.

Our Test Type: Web Application Penetration Testing
Objective: Comprehensively assess web or mobile applications for vulnerabilities that can lead to unauthorised access or data exposure.
Benefit: Understand the security of applications that grant access to critical data. Identify each vulnerability and determine the need for fixing.

Our Test Type: Mobile Device Penetration Testing
Objective: Comprehensively assess the security of mobile devices and installed applications.
Benefit: Understand risk introduced through mobile applications. Identify each vulnerability and determine the need for fixing.

Our Test Type: Social Engineering / Human Penetration Testing
Objective: Assess the security awareness and general security controls with respect to human manipulation, including email, phone, media drops and physical access.
Benefit: Understand how an organisation reacts to exploitation of human assets.

Our Test Type: Wireless Penetration Testing
Objective: Assess the security of your deployed wireless solutions, including traditional 802.x networks, Bluetooth, Zigbee, sub-1 GHz, infrared and satellite networks.
Benefit: Understand how secure data in transit and systems communicating via wireless technology actually are. Identify each vulnerability and determine the need for fixing.

Our Test Type: Embedded / IoT Device Penetration Testing
Objective: Assess the security of your device(s) by attempting to exploit the embedded firmware, control the device by passing or injecting malicious commands, or modify data sent from the device.
Benefit: Understand the security of devices and the ability to guarantee that the commands issued to, and information received from, the device are safe.

Our Test Type: Industrial Control System Penetration Testing
Objective: Combine penetration testing and exploitation experience with ICS expert knowledge to prove the extent to which an attacker can access, exploit or otherwise interfere with critical ICS/SCADA systems.
Benefit: Understand the vulnerabilities in an ICS/SCADA environment before an attacker is able to exploit them.

Objective: Test your internal and external networks along with your Cardholder Data Environment against requirement 11.3 of the PCI-DSS.
Benefit: Identify areas of your systems that do not meet the requirements of 11.3 of the PCI-DSS and fix them prior to your audit.

Frequently Asked Questions

It is amazing how many different ways we see a penetration test being titled. It really does not matter if you call it a pen test, a pentest, a PEN test or a penetration test. They all mean the same thing, and really they are all penetration testing.

A Penetration test should be performed for a variety of reasons. Some of the more common reasons why companies perform a penetration test include:

  1. Most relevant regulatory standards require a penetration test to be performed.
  2. A penetration test can identify vulnerabilities inadvertently introduced during changes to the environment, such as a major upgrade or system reconfiguration.
  3. The penetration test can be integrated into the QA process of the Software Development Life Cycle to prevent security bugs from entering into production systems.
  4. Organizations, especially those acting as data custodians, are being required to have testing performed by their customers, and by law. A penetration test can demonstrate a commitment to security from a customer perspective and provide attestation that their assets or services are being managed securely.
  5. Penetration Testing is required as part of GDPR.
  6. A penetration test is a common requirement for internal due diligence as part of ongoing efforts to manage threats, vulnerabilities, and risks to an organization. Results can be used as input into an on-going Risk Management process.
  7. Penetration testing allows companies to assess the security controls of potential acquisition targets. Most organizations preparing to acquire an organization seek insights into the vulnerabilities they may introduce in doing so and plan for the costs they may be incurring to remediate.
  8. Penetration testing should be conducted to support your annual data protection audit.
  9. To support a breach investigation, penetration testing may tell an organization where the other vulnerabilities may exist in order to have a comprehensive response to the incident.
  10. A regular penetration test allows companies to proactively assess for emerging or newly discovered vulnerabilities that were not known or have not yet been widely published.
  11. Penetration testing serves as an aid to development teams who are writing new web applications. Many development lifecycles include penetration testing at key stages of the process. Correcting flaws is typically less costly the earlier in the development lifecycle they are discovered. Additional testing prior to go-live on a production-ready build can identify any remaining issues that might require attention before loading users onto the application.

Penetration testing duration and costs can vary significantly depending on multiple variables.

Scoping details such as network IP addresses, complexity (and number) of applications, and employees for social engineering are key factors in determining project size. Accounting for these variables, our team works diligently to match the scope details with the security needs of your organization.

With that said, there are trends and ranges for projects we tend to see. Penetration testing generally starts around the £8,000 range, but can grow into six figures for large, in-depth projects.

We also offer discounts for multiple-year contracts, ensuring your organization both has a consistent pentesting partner and can stretch security budgets further.

Similar to the above question on pricing, the length of a penetration test depends on multiple variables. Penetration testing is a hands-on assessment not suited to short, quick sprints. At Hedgehog we tend to see projects starting at about one week, but most projects go multiple weeks or even months. Some tests can take much longer than others, depending on the number of vulnerabilities identified and whether or not those vulnerabilities are exploitable.

Both penetration tests and automated vulnerability scans are useful tools for identifying and locating vulnerabilities and then enabling the successful management of those vulnerabilities. While penetration testing and vulnerability scanning are different, it is impossible to perform a penetration test without performing some form of vulnerability scanning. They are also complementary: while a penetration test should be performed at least yearly, if not every 6 months, a vulnerability scan should be performed monthly.

A vulnerability scan is an automated, low-cost method for testing common network and server vulnerabilities. This is sometimes referred to as an automated pen test. Many automated tools are available and most are easily configured by the end user to scan for published vulnerabilities on a scheduled basis. While an automated vulnerability scan is very efficient and cost-effective in identifying common vulnerabilities such as missing patches, service misconfigurations, and other known weaknesses, it is not as accurate in validating the vulnerabilities it reports, nor does it fully determine the impact through exploitation. Automated scanners are more prone to reporting false positives (incorrectly reporting weaknesses) and false negatives (failing to identify vulnerabilities, especially those impacting web applications). Automated Vulnerability Scanning is mandated by the Payment Card Industry Data Security Standard (PCI DSS) as noted in requirement 11.2.

A penetration test focuses on the environment as a whole. In many ways, it picks up where the scanners leave off to provide a comprehensive analysis of the overall security posture. While scripts and tools are leveraged by a penetration tester, their use is largely limited to reconnaissance activities. The bulk of a penetration test is manual by nature. A penetration test identifies vulnerabilities scanners cannot, such as wireless flaws, web application vulnerabilities, and vulnerabilities not yet published. Further, pen testing includes attempts to safely exploit vulnerabilities, escalate privileges, and ultimately demonstrate how an attacker could gain access to sensitive information assets. Penetration testing frequently applies “test scenarios” specific to an organization as well. For example, a university may grant access to student workers, a hospital may leverage third party service providers, or a consultancy may have unique access rights for their engineers. Each of these scenarios would require different positioning of the penetration tester within the environment and requires adjustments to the methodology. Penetration testing is also mandated by the PCI DSS as noted in requirement 11.3.

Penetration testing and automated vulnerability scans both serve a purpose and both types of testing belong in a comprehensive vulnerability assessment program. Automated vulnerability scanning should be scheduled to run on a frequent basis, ideally at least weekly, with network penetration tests scheduled quarterly or when significant changes are planned to an environment.

If the pen test is not properly planned and coordinated, it can be disruptive. This is why it is imperative that the planning is done properly, and comprehensively, to identify potential risks for disruption and adjust the approach accordingly. This planning should be conducted well in advance of any testing start date in order to ensure adequate time for communication to project stakeholders. The communication and monitoring should continue throughout the pen testing schedule.

We understand that clients often have hard deadlines that they’re trying to meet.

Whether you’re trying to meet client requirements which rely on pentest results or have an annual requirement, we do our best to accommodate your timelines. Unfortunately, manual penetration testing takes some planning and preparation for our assessment team, and our schedule can be filled as much as 2-6 weeks out.

With that said, if you have an urgent project feel free to contact us about timelines.  Depending on needs and timelines, we may have the ability to pull resources off of a research project & get started immediately.  

A question not enough people ask is how much of the testing is automated vs. manual. While automated tools are a brief step early in our process, a large majority of our testing is manual. The amount of manual work varies project-to-project, but around 95% of the pentest is hands-on.

This isn’t to say automated vulnerability scanners don’t have a place; vulnerability scans are quick and simple tools that should be used on a regular basis to identify missing patches or outdated software in larger, unknown environments.

Early in the process we try to familiarize ourselves with your company and the scope of work so that we’re able to create an accurate proposal. We intentionally gather this information so that we never come back requesting more testing time (and additional costs). The more information you’re willing to share, the better assessment we can provide.

With that said, some clients may be seeking a black-box approach where little information is provided, simulating a real-world attack and response. In this scenario, we still need to grasp the size and complexity needed for testing and therefore have some basic questions to scope.

A question we hear often is can we meet compliance requirements. While this certainly requires a deeper discussion, our testing is in compliance with multiple pentesting compliance standards including PCI, HIPAA, SOC2, and others.  That said, each compliance standard is different and should be discussed before moving forward. Contact us for more details.

Being/Becoming a Penetration Tester

We get a lot of people arriving on this page who are looking to understand what it takes to become a penetration tester. We got our CEO, Peter Bassill, who has spoken a lot at conferences on this, to put down his top 5 tips for aspiring penetration testers. While we don’t guarantee this will get you a job, it may help you stand out from the crowd.

1. DO NOT BE A RECRUITER’S DRONE

What I mean is, listen to your recruiter (if you are using one) but remember that penetration testing is a technical art form. The chances are the person reading your CV is a penetration tester, so appeal to the same technical creativeness. There is no point in writing a CV that is beautifully formatted in the standard Word fonts at 10 or 11pt, fully justified with no graphics, unless you want to be pen testing at PwC, Accenture, Deloitte or KPMG.

This brings me nicely to point 2.

2. KNOW YOUR AUDIENCE

I treat everyone as family and we all have quirks. So Hedgehog is a great place for those of us who like the fringe. Tattoos are not a problem. Facial piercings are fine in the office. (OK, you might need to remove them if you are onsite with a client.) Listen to metal? Fine. The point is, our firm’s culture is the polar opposite of many. There is nothing wrong with having different versions of your CV and letters too.

3. GOT A HANDLE? BE OPEN ABOUT IT

Made our interview shortlist? OK, great. So we will raise an internal job for our testing team to run an OSINT gathering session on you. What I am saying is, don’t hide your handle. It is fine. We will discover it anyway. Pretty much everyone in pen testing has a handle.

4. ACE THE SHORTLIST

It was at B-Sides Manchester a few years ago that I said that when you apply for a penetration testing role, you should include examples of your work. You know how many applicants I have had that have done that so far? Zero. I have heard from three other pen testing firms though, and every candidate that included an example report as their CV and “covering letter” got an interview and was overall successful in securing the job. Penetration Testing is a technical art form. I have said that many times. Do excellent artists have a CV? No, they have a portfolio of work. Why don’t pen testers? I would rather have a one-page covering CV listing your skills and qualifications and then a couple of example reports from, say, Hack The Box or Offsec’s labs, than a 3-page CV and a boring covering letter.

5. BE YOU

Don’t hide the you. The real you is the best you. If your everyday wear is a bomber jacket and jeans with a battered laptop bag and bullet belt, then great. Read point 2 again. Turn up at Hedgehog for an interview, we probably would not notice. Turn up at PwC, you will probably get turned away. Point is, penetration testers are an odd bunch. Pretty much every pen tester I know lives within a fringe society model. So, research where you are interviewing and get a feel for their culture. And be the best you.

Penetration Testing News

The Spartacus Connection Attack

One of the cool things about my job is that I get to blue-sky think some crazy ideas. Today started like nothing out of the ordinary. I was working on an engagement for a client, with the express goal of joining their company.


Installing OpenVAS

Let’s get down and dirty installing OpenVAS. OpenVAS is a free-to-use vulnerability scanner that was originally forked from the open-source Nessus project. One of the most common complaints I receive from my students is that OpenVAS is next to impossible to install.

Installing Metasploit

Let’s get down and dirty installing Metasploit. One of the most common complaints I receive from my students is that they cannot get Metasploit to install, so they revert to Windows. If you have been following along in my Pentest Workstation series you will have built your Ubuntu workstation.

Building a Pentest Server

In this 5-part series, I will be running through how to go about building a pentest server. This is one of the modules I cover with students and interns, and I often find myself surprised at how uneasy people feel when they have no GUI.