FAQs on IT security
IT security audits and penetration tests
A penetration test simulates real-world attacks on IT systems to uncover vulnerabilities before attackers can exploit them. It offers you:
Increased security: The results summarised in our test report are easy for your IT teams to interpret. You receive a list of vulnerabilities ranked by severity, as well as an analysis of the underlying issues, enabling you to derive measures at both a technical and conceptual level. This makes it easier for your IT team to set priorities and implement both specific and structural improvements.
Strengthening the trust of customers, partners and suppliers: Many applications are customer-facing, so improving their security has a direct positive impact on data protection and, consequently, on customer trust. Furthermore, you demonstrate to your partners and suppliers that you take your IT security seriously and are taking steps to safeguard your business operations.
Compliance with legal requirements: Many industries and data protection laws require independent verification of security measures. By conducting penetration tests and security audits, you not only improve your security but also take an important step towards compliance with regulations such as the European Union’s General Data Protection Regulation.
[19.05.2026]
Threat modelling and penetration testing complement one another and together form a comprehensive security strategy. Whilst threat modelling systematically identifies and prioritises potential threats, attack surfaces and critical assets, a penetration test practically verifies whether and how these vulnerabilities can actually be exploited.
Threat modelling often serves as the basis for a targeted penetration test: it helps to focus the tests on particularly high-risk areas and make them more efficient. Conversely, the results of a penetration test provide valuable insights for continuously refining threat modelling and making it more realistic.
[19.05.2026]
Companies with high compliance requirements (healthcare, finance), technology-oriented companies (software, e-commerce) and organisations with critical infrastructure benefit particularly from security audits.
Furthermore, all companies that handle sensitive data or information from customers, suppliers or other third parties should carry out penetration tests regularly.
[19.05.2026]
The frequency and optimal timing of a penetration test depend on the complexity of your systems, as well as your individual risk factors. In general, the recommendations can be summarised as follows:
- Regular intervals: We recommend carrying out a penetration test at least once a year. As the cybersecurity landscape is constantly evolving, regular assessments ensure that your systems are up to date and protected against current threats. In high-risk sectors or where specific compliance requirements apply, it may be necessary to carry out tests at shorter intervals.
- Strategic timing: Ideally, a penetration test should take place as early as possible in the development process. This proactive approach allows vulnerabilities to be identified before they lead to costly fixes at a later stage.
- Event-driven testing: Regardless of the regular schedule, a test should always be carried out whenever significant changes are made to your IT landscape. Key factors here are:
  - The frequency of major code changes
  - The integration and nature of new features
  - The deployment of new infrastructure components or major system updates
In summary, the ideal schedule depends on the type of product, its development cycle and regulatory requirements. We would be happy to assist you in determining the most suitable schedule for your specific project.
[19.05.2026]
Yes, professional attacks often go undetected for a long time. A penetration test acts as a preventative measure – it uncovers vulnerabilities before they are exploited, thereby strengthening the trust of customers, partners and suppliers in your digital infrastructure.
[19.05.2026]
We carry out targeted black-box and grey-box penetration tests. In doing so, we simulate realistic attack scenarios with varying levels of knowledge, ranging from external attackers with no prior knowledge to internal actors with restricted access. Our tests combine automated procedures with manual, in-depth analyses to identify both known and complex, business-critical vulnerabilities.
[19.05.2026]
We simulate both external attacks via the internet and internal attack scenarios within corporate networks (e.g. originating from compromised endpoints or user accounts).
We currently cover the following target systems:
- Web applications
- Servers (Linux and Windows)
- APIs (REST, GraphQL)
- Mobile applications (Android)
We are working on the development of dedicated penetration tests for AI systems and chatbots.
[19.05.2026]
A subsequent extension of the test scope is generally possible and will be defined within the framework of an additional agreement.
[19.05.2026]
The process of our penetration tests is based on the internationally recognised Penetration Testing Execution Standard (PTES) and comprises the definition of the test scope (Pre-engagement Interactions), the collection of information about the application or test targets (Intelligence Gathering), the identification and exploitation of vulnerabilities (Vulnerability Analysis & Exploitation), and the documentation of results including a final debriefing (Reporting). If necessary, a retest is carried out to validate the corrections.
Depending on the type of penetration test, further standards and guidelines are used for the identification and exploitation of vulnerabilities. These include:
- The BSI’s IT Security Penetration Testing Guidelines
- Various OWASP Top 10 standards (Web, API)
- The OWASP Web Security Testing Guide (WSTG)
[19.05.2026]
The duration of a penetration test depends on the scope of the application and the systems to be tested, the desired level of testing depth, and the regulatory context. It can range from a few days to several weeks. Verifying fixes (“retest”), on the other hand, is significantly quicker.
[19.05.2026]
Yes, upon request and where possible, we also carry out tests outside of regular business hours so as not to disrupt business operations.
[19.05.2026]
We provide you with a checklist. In advance, we simply require points of contact, test accounts and access to the target systems. During the test, your technicians do not need to be actively involved, but should be available for any queries or to discuss critical findings.
[19.05.2026]
We carry out all tests under controlled conditions and with appropriate security measures in place. Through our focus on grey-box scenarios and the deliberate avoidance of destructive interventions, we significantly minimise the risk of system disruption.
[19.05.2026]
Security starts with us. We work according to the principle of least privilege and use only encrypted communication channels. Confidentiality can also be guaranteed through strict NDAs (Non-Disclosure Agreements) and DPAs (Data Processing Agreements). Our experts strictly adhere to the boundaries agreed in the scoping document.
[19.05.2026]
Although we rely on methods that are as non-invasive as possible, we define emergency contacts on both sides in advance. In the event of an irregularity, we stop the test immediately, inform you straight away and support your team in analysing the cause.
[19.05.2026]
The costs depend on the scope, the complexity of the application(s) and the desired level of testing. Following a brief scoping discussion, we will provide you with a transparent fixed-price quote.
[19.05.2026]
You will receive a detailed test report. This includes a management summary, as well as a technical analysis of all vulnerabilities, including evidence and a classification based on security standards and best practices.
[19.05.2026]
Yes. A final meeting to prioritise the measures is an integral part of our process. Once the vulnerabilities have been rectified, we also offer an optional retest to ensure that the gaps have been successfully and permanently closed.
[19.05.2026]