blog

The Truth About PCI Compliance. What They Don’t Want You To Know

By |2020-03-31T10:26:23-04:00January 20th, 2014|

All of the recent news about Target, Neiman Marcus, and other businesses being hacked might be a surprise to many but it’s no surprise to us. Truth is that practice of security has devolved into a political image focused designed satisfy technically inept regulatory requirements that [...]

Comments Off on The Truth About PCI Compliance. What They Don’t Want You To Know

How to Price a Penetration Test

By |2020-09-15T23:47:48-04:00October 8th, 2013|

This video provides and overview of the two most common methodologies for pricing a penetration test. How Much Should You Spend On Penetration Testing Services The most common question asked is "how much will it cost for you to deliver a penetration test to us?". Rather [...]

Comments Off on How to Price a Penetration Test

Whistleblower Series – The real problem with China isn’t China, its you.

By |2020-03-31T10:27:14-04:00June 10th, 2013|

Terms like China, APT and Zero-Day are synonymous with Fear, Uncertainty and Doubt (FUD).  The trouble is that, in our opinion anyway, these terms and respective news articles detract from the actual problem.  For example, in 2011 only 0.12% of compromises were attributed to zero-day exploitation [...]

Comments Off on Whistleblower Series – The real problem with China isn’t China, its you.

Whistleblower Series – Don’t be naive, take the time to read and understand the proposal.

By |2020-03-31T10:27:22-04:00May 16th, 2013|

In our last whistleblower article, we showed that the vast majority of Penetration Testing vendors don't actually sell Penetration Tests. We did this by deconstructing pricing methodologies and combining the results with common sense. We're about to do the same thing to the industry average Penetration [...]

Comments Off on Whistleblower Series – Don’t be naive, take the time to read and understand the proposal.

How to find a genuine Penetration Testing firm

By |2020-03-31T10:27:31-04:00May 3rd, 2013|

There's been a theme of dishonesty and thievery in the Penetration Testing industry for as long as we can remember.  Much in the same way that merchants sold "snake-oil" as a cure-all for what ails you, Penetration Testing vendors sell one type of service and brand [...]

Comments Off on How to find a genuine Penetration Testing firm

The 3 ways we owned you in 2012

By |2020-03-31T10:27:38-04:00February 12th, 2013|

Here are the top 3 risks that we leveraged to penetrate into our customers' networks in 2012. Each of these has been used to affect an irrecoverable infrastructure compromise during multiple engagements across a range of different customers. We flag a compromise "irrecoverable" when we've successfully taken administrative control [...]

Comments Off on The 3 ways we owned you in 2012

83% of businesses have no established security plan (but they’ve got Kool-Aid)

By |2020-03-31T10:27:51-04:00October 18th, 2012|

I (Adriel) read an article published by Charles Cooper of c|net regarding small businesses and their apparent near total lack of awareness with regards to security.  The article claims that 77% of small- and medium-sized businesses think that they are secure yet 83% of those businesses have [...]

Comments Off on 83% of businesses have no established security plan (but they’ve got Kool-Aid)

Selling zero-day’s doesn’t increase your risk, here’s why.

By |2020-03-31T10:28:00-04:00August 13th, 2012|

The zero-day exploit market is secretive. People as a whole tend to fear what they don’t understand and substitute fact with speculation.  While very few facts about the zero-day exploit market are publicly available, there are many facts about zero-days that are available.  When those facts [...]

Comments Off on Selling zero-day’s doesn’t increase your risk, here’s why.

Netragard on Exploit Brokering

By |2020-03-31T10:28:08-04:00April 12th, 2012|

Historically ethical researchers would provide their findings free of charge to software vendors for little more than a mention.  In some cases vendors would react and threaten legal action citing violations of poorly written copyright laws that include but are not limited to the DMCA.  To [...]

Comments Off on Netragard on Exploit Brokering

Hacking the Sonexis ConferenceManager

By |2020-04-02T13:44:17-04:00February 13th, 2012|

Netragard's Penetration Testing services use a research based methodology called Real Time Dynamic Testing™. Research based methodologies are different in that they focus on identifying both new and known vulnerabilities whereas standard methodologies usually, if not always identify known vulnerabilities. Sometimes when performing research based penetration testing we [...]

Comments Off on Hacking the Sonexis ConferenceManager