What is Penetration Testing?
Penetration Tests are used to determine if an organization's security is sufficiently robust to protect the Confidentiality, Integrity and/or Availability of the data that it accesses, contains, or processes. Penetration Testing is often carried out to satisfy regulatory requirements. For example, a PCI Penetration Test would satisfy the requirements outlined by the Payment Card Industry Data Security Standard (PCI-DSS), a HIPAA Penetration Test would satisfy the requirements outlined by the Health Insurance Portability and Accountability Act (HIPAA), an FDIC Penetration Test would satisfy the recommendations made by the FDIC, and so on. Penetration Testing is also an ideal service for improving overall security.
Penetration Testing Service Levels
We understand that different organizations have different drivers behind their penetration testing needs. To help address this, we offer three highly configurable service levels to our customers. The Silver level is our entry-level option and provides coverage that is consistent with the industry standard. The Gold and Platinum levels are more advanced and use a research-based methodology called Real Time Dynamic Testing™.
Silver level Network Penetration Testing produces a level of threat consistent with the industry standard. At this level, testing begins by running one or more automated vulnerability scanners against the in-scope targets. When the scans are complete, the results are reviewed, and any identified vulnerabilities are confirmed through active exploitation. This level of service is ideal for clients looking to receive a low-cost test that will satisfy some security requirements.
Gold level Network Penetration Testing produces a level of threat that is substantially greater than the industry standard. This level of service uses Real Time Dynamic Testing™, an advanced research-based methodology that incorporates over 20 years of 0-day vulnerability research and exploit development experience. The Gold level specifically tests network-connected devices such as servers, desktops, web applications, etc. This service aims to test customers at a level of threat that is at least realistic from a technological perspective. The Gold level of service offers a limited set of Threat Augmentation Modules (“TAMS”) such as statistical spear phishing and distributed metastasis (aka pivoting).
Platinum level Network Penetration Tests produce a level of threat specifically designed to match the capabilities of real-world threat actors. That threat can range from basic (script kid) to highly advanced (nation state). At this threat level, a wider variety of TAMS are available, which include Advanced Social Engineering, Advanced Physical Security Testing, Stealth / Evasive Testing, 0-Day malware (it's safe, we made it), the deployment of clone networks, distributed attacks, distributed scanning, covert distributed metastasis, the creation and deployment of weaponized hardware (see our PRION mouse), and much more. This service level also uses Real Time Dynamic Testing™ and can be delivered with or without the use of automated vulnerability scanners. When operating at the Platinum level of service in an unrestricted capacity, we maintain a 98.6% success rate at domain compromise from the vantage point of an unauthenticated external threat.
Real Time Dynamic Testing™
Real Time Dynamic Testing™ is an advanced penetration testing methodology that is unique to Netragard. It incorporates key aspects of Netragard’s 20+ years of experience in performing 0-day vulnerability research and exploit development. The methodology is highly extensible and often incorporates components from the OWASP, the OSSTMM, bleeding-edge offensive tactics, and more. Real Time Dynamic Testing™ can be delivered entirely without automated vulnerability scanning.