The security analysis for small and medium-sized enterprises (SMEs)

Broadly analyze the attack surface of your internal and external infrastructure.

Internal and external penetration test scenarios

A comprehensive assessment and investigation of your internal and external attack surface.

Customization to your conditions and requirements

We adapt to your systems and carry out the tests according to your requirements.

From the initial meeting to the implementation of the measures

We accompany you through the entire process, right up to closing the security gaps.

We carry out penetration tests for companies of different sizes

From small and medium-sized companies to corporations, public administration and critical infrastructure organizations – we carry out tests of all sizes. Up to date, in accordance with standards such as the OWASP Top 10 and based on ISO 27001.

Rely on the expertise of our pentesters, it’s that simple

Penetration test procedure for SMEs

1. establishing contact & exchanging initial details
Once you have contacted us, we will schedule an initial meeting to discuss your request in more detail. We reserve the desired implementation period subject to reservation and determine the work packages and scope. You will then receive a quote.

2. offer acceptance and kick-off date
Your appointment is reserved as soon as you have accepted the offer. You will receive an order confirmation and all necessary contracts. All necessary information should be available for the kick-off meeting.

3. carrying out the test
We start carrying out the test on the agreed date, which is accompanied by an intensive exchange.

4. dispatch of the report and presentation of the results
We provide you with the report and, if required, we then hold a meeting to present the test results and recommended measures to your technicians and management.

Silas Borgmeier

Account Manager

Would you like a personal consultation?

I will be happy to assist you with our expertise.

0209 8830 676 – 4

Book an appointment

Our 360° analysis at a glance

Analysis of the external & internal attack surface

External pentest

From the outside, we analyze your attack surface and examine the IP addresses provided or obtained

Internal pentest

We analyze your attack surface from the inside. Experience the potential damage if an attacker has managed to penetrate your infrastructure

Evil Employee

A targeted investigation is carried out to determine what options are available to an employee who could cause an incident through gross negligence.

WLAN audit

Do you provide wireless connection options? We investigate how securely these are designed.

An excerpt from our pentesters


Vincent Reckendrees, BSc

Head of Offensive Security

Vincent Reckendrees has been working on the security of web applications for years. Among other things, he holds the OSWP certificate from OffSEc.


Mario Klawuhn, BSc

Senior Offensive Security Consultant

Mario Klawuhn, OSCP, is a highly qualified pentester, who demonstrates his expertise in the detection and elimination of security vulnerabilities.


Tim Barsch, BSc

Offensive Security Consultant

Analyzing internal networks and micro web services is part of Tim Barsch’s day-to-day business. He holds a bachelor’s degree in IT security.

Callback service

Write to us with your request. We will be happy to call you back at a specific time.

Appointment service

Arrange a digital appointment with us so that we can discuss your requirements.

Contact form

Leave a message via our contact form. We will get back to you.

Find out more about our completed projects

Success stories

Group-wide awareness campaign for Gelsenwasser AG

Together with AWARE7 GmbH, Gelsenwasser AG carried out an extensive, multimedia cyber security awareness campaign for around 1,500 employees.

Remote cybersecurity awareness event for Payback GmbH

PAYBACK GmbH has booked AWARE7 GmbH for a remote live hacking awareness show to prepare and sensitize employees to digital threats.

Emergency deployment in the district of Dachau

At 9:00 am the speaker was canceled, we were called at 10:00 am. At 17:00 we were on time in Dachau to enrich the planned event with a live hacking presentation.

Remote Live Hacking Show at the Security Days at Munich Re

The world’s largest reinsurer has been relying on our expertise for several years. In recent years, we have always been represented at the internal Security Days.

External penetration test for the mobile iOS application of Twinsoft GmbH & Co. KG

We carried out an extensive penetration test of the BioShare Authenticator app and the backend for Twinsoft GmbH & Co.

Take a look at all the success stories
and download them free of charge

We have been carrying out various types of projects. The satisfaction is reflected in the release of a success story. Take a look at all our success stories now.

All success stories

IT security made in Germany

Attacking and testing applications is the means to an end. The medium-term goal is always to increase the level of IT security and thus enable the long-term protection of customer and company data. We have been awarded the “IT Security made in Germany” seal by the TeleTrust Bundesverband IT-Sicherheit e.V. (German IT Security Association). The document declaring and authorizing the use of the seal is available for inspection.

Even though we operate worldwide, our headquarters will remain in Germany

AWARE7 GmbH has been based in Germany since its foundation. The location in Germany is valued by our international customers due to the high quality standards.

Products and services are free of hidden accesses

All of the services we provide are carried out in accordance with ethical principles. The removal of all access points after a test is mandatory and firmly integrated into the process.

Research & development takes place exclusively in Germany

New products and collaboration with students and scientific institutes are part of our corporate DNA. We are always at the cutting edge of research and development and are based exclusively in Germany.

Plan your next penetration test now

Our methodology for carrying out penetration tests

Even though each penetration test is an individual service, each implementation is characterized by its systematic and methodical approach. The methodology we use consists of the following components.

  1. Kick-off

    Depending on the complexity of the penetration test, the kick-off takes place one month to one week before the agreed implementation period. The aim is to evaluate roadblocks and agreements for successful implementation. AWARE7 GmbH’s penetration testers and project management team will take part in this meeting. The following stakeholders should take part in the kick-off meeting:
    – All relevant risk or project owners
    – Information security officer
    – Technical personnel with knowledge of the target system

  2. Recon

    Reconnaissance is the work of gathering information before a real attack is carried out. The idea is to gather as much information as possible about the target. To achieve this, many different, publicly accessible sources of information are used. The extracted information often provides a detailed insight into the affected systems.

    In a penetration test of the Active Directory, for example, this means that all systems that are part of the Active Directory are enumerated as a first step. The systems are identified in parallel with the identification of the network services using standard network scanners such as nmap or massscan.

  3. Enumeration and Vulnerability Identification

    In the enumeration phase, there is a transition from a passive collection of information, as in the recon phase, to an active one, thus further enriching the collection of information. In addition, the information from the recon phase is used to identify potential attack vectors. In the enumeration phase, automated scans are started and a vulnerability assessment is carried out against the relevant systems. During the enumeration phase, an examination of the Active Directory configuration, for example, would take place in the context of an Active Directory penetration test. The pentesters would collect information about groups, users, GPOs (Group Policy Object), policies and shares.

  4. Exploitation

    In the exploitation phase, the penetration testers try to actively exploit security vulnerabilities. Exploits are developed, for example, to collect sensitive information or to enable pentesters to compromise a system and manifest themselves on it. For new targets, the reconnaissance and enumeration phases are repeated in order to gather information about these new systems and to exploit them. For example, as part of an Active Directory penetration test, password attacks are carried out on previously collected user accounts in order to take over these accounts. In addition, many other different attacks such as relay attacks are also carried out.

  5. Post Exploitation

    In the post-exploitation phase, the changes to systems, processes and users are reversed in collaboration with the relevant technical contacts and administrators. Since a penetration test cannot rule out the possibility of system configurations being manipulated or exploit scripts being placed, it is important to ensure that these are deleted and reset after the test.

  6. Report

    Documentation is an essential part of every penetration test. During the penetration test, all steps leading to a successful attack are documented in detail. This ensures that everything can be traced in detail after the test. At the end of the penetration test, this documentation serves as the basis for an individual report that makes the test results comprehensible for both the technical administration and the management. Recommendations for action are an important part of the documentation.

FAQ – Frequently asked questions

What is the 360° SME analysis?

The 360° SME analysis is a comprehensive and cost-effective service developed specifically for small and medium-sized enterprises (SMEs). It includes an internal and external scan of the IT infrastructure to identify security gaps and optimization potential.

What does the 360° SME analysis include?

The analysis includes both internal and external vulnerability scans of the entire IT infrastructure. This includes network devices, servers, workstations and web applications. Configuration errors and outdated software are also detected.

Why is the 360° SME analysis important?

The analysis helps SMEs to identify and eliminate security gaps that could otherwise be exploited by cyber criminals. This increases IT security and protects valuable company data.

How long does the 360° SME analysis take?

The duration of the analysis depends on the size and complexity of the IT infrastructure, but it usually takes between one and two weeks and involves up to a maximum of five man-days.

How often should the 360° SME analysis be carried out?

It is recommended that the analysis is carried out at least once a year or after significant changes to the IT infrastructure to ensure that new vulnerabilities are identified and rectified promptly.

What does the 360° SME analysis cost?

The costs vary depending on the size and scope of the IT infrastructure, but are always in the four-digit range. Please contact us for a customized offer tailored to the specific needs of your company.

Are business processes interrupted during the analysis?

Our approach is designed to be minimally invasive to the business process. In most cases, the analysis is carried out without any significant impact on business activities. In the best case, we test against a test system. If this is not possible, there is increased sensitivity.

How are the results of the analysis presented?

The results are summarized in a detailed report that lists all identified weaknesses and potential areas for optimization. Specific recommendations for improving IT security are also provided.

What happens if critical vulnerabilities are found?

If vulnerabilities are found, we provide specific recommendations for remedying these security gaps. If required, we can also support you in implementing the recommended measures. If we find critical weaknesses, we report them immediately.

How can I book the 360° SME analysis for my company?

You can request the analysis via our online booking system on our website or contact us directly to arrange an appointment. We will be happy to advise you and prepare an individual offer.

What do I need to prepare before the analysis?

Before the analysis, it is helpful to provide a list of all systems and networks to be scanned. In addition, access rights and necessary authorizations should be clarified in advance.