We carry out penetration tests for companies of different sizes
From small and medium-sized companies to corporations, public administration and critical infrastructure organizations – we carry out tests of all sizes. Up to date, in accordance with standards such as the OWASP Top 10 and based on ISO 27001.
Rely on the expertise of our pentesters, it’s that simple
1. establishing contact & exchanging initial details
Once you have contacted us, we will schedule an initial meeting to discuss your request in more detail. We reserve the desired implementation period subject to reservation and determine the work packages and scope. You will then receive a quote.
2. offer acceptance and kick-off date
Your appointment is reserved as soon as you have accepted the offer. You will receive an order confirmation and all necessary contracts. All necessary information should be available for the kick-off meeting.
3. carrying out the test
We start carrying out the test on the agreed date, which is accompanied by an intensive exchange.
4. dispatch of the report and presentation of the results
We provide you with the report and, if required, we then hold a meeting to present the test results and recommended measures to your technicians and management.
Silas Borgmeier
Account Manager
Distribution
Would you like a personal consultation?
I will be happy to assist you with our expertise.
Our pentest work packages at a glance
Analysis of the external attack surface
External pentest
From the outside, we analyze your attack surface and examine the IP addresses provided or obtained
Web application
We test your web application. You can commission us before going live. Alternatively, you can provide us with a test instance.
Interfaces (API)
Do you provide interfaces for the exchange of information and data? We check these for availability, confidentiality and integrity.
Mobile app
Are you responsible for the operation of an Android, iOS or hybrid application? We check all common formats and implementations.
Password audit
We test your web application. You can commission us before going live. Alternatively, you can provide us with a test instance.
Data leaks
Do you provide interfaces for the exchange of information and data? We check these for availability, confidentiality and integrity.
Darknet research
Are you responsible for the operation of an Android, iOS or hybrid application? We check all common formats and implementations.
Cloud auditing
If you provide customers with a desktop application, we check it for vulnerabilities that are dangerous for you and your customers.
Desktop application
If you provide customers with a desktop application, we check it for vulnerabilities that are dangerous for you and your customers.
Single sign-on
We test your web application. You can commission us before going live. Alternatively, you can provide us with a test instance.
Analysis of the internal attack surface
Internal pentest
We analyze your attack surface from the inside. Experience the potential damage if an attacker has managed to penetrate your infrastructure
Evil Employee
A targeted investigation is carried out to determine what options are available to an employee who could cause an incident through gross negligence.
Stolen Notebook
Find out how great the potential for damage is if a laptop falls into the wrong hands.
WLAN audit
Do you provide wireless connection options? We investigate how securely these are designed.
Configuration audit
We check the implementation of your configuration against best practices, enabling you to determine the level of security.
Code review
The code you provide is evaluated with regard to the level of information and IT security.
Social engineering
AWARE7 analysts make targeted attempts to obtain information and access to rooms.
Physical pentest
The resilience of buildings and access restrictions is analyzed. Subsequently, a targeted attempt is made to penetrate sensitive areas.
Internal attack surface cloud
It examines how vulnerable the client’s cloud network is to attacks from internal services.
Find out more about our completed projects
Success stories
Callback service
Write to us with your request. We will be happy to call you back at a specific time.
Appointment service
Arrange a digital appointment with us so that we can discuss your requirements.
Contact form
Leave a message via our contact form. We will get back to you.
An excerpt from our pentesters
Vincent Reckendrees, BSc
Head of Offensive Security
Vincent Reckendrees has been working on the security of web applications for years. Among other things, he holds the OSWP certificate from OffSEc.
Mario Klawuhn, BSc
Senior Offensive Security Consultant
Mario Klawuhn, OSCP, is a highly qualified pentester at AWARE7 GmbH, who demonstrates his expertise in the detection and elimination of security vulnerabilities.
Tim Barsch, BSc
Offensive Security Consultant
Analyzing internal networks and micro web services is part of Tim Barsch’s day-to-day business. He holds a bachelor’s degree in IT security.
Download the employee profiles of our qualified pentesters free of charge
To ensure quality, we at AWARE7 GmbH make sure that our penetration testers receive regular training and further education. These include industry-renowned certificates and examinations. Would you like to get an impression of the entire team? We are happy to provide you with this information.
IT security made in Germany
Attacking and testing applications is the means to an end. The medium-term goal is always to increase the level of IT security and thus enable the long-term protection of customer and company data. We have been awarded the “IT Security made in Germany” seal by the TeleTrust Bundesverband IT-Sicherheit e.V. (German IT Security Association). The document declaring and authorizing the use of the seal is available for inspection.
Even though we operate worldwide, our headquarters will remain in Germany
AWARE7 GmbH has been based in Germany since its foundation. The location in Germany is valued by our international customers due to the high quality standards.
Products and services are free of hidden accesses
All of the services we provide are carried out in accordance with ethical principles. The removal of all access points after a test is mandatory and firmly integrated into the process.
Research & development takes place exclusively in Germany
New products and collaboration with students and scientific institutes are part of our corporate DNA. We are always at the cutting edge of research and development and are based exclusively in Germany.
Plan your next penetration test now
Our methodology for carrying out penetration tests
Even though each penetration test is an individual service, each implementation is characterized by its systematic and methodical approach. The methodology we use consists of the following components.
- Kick-off
Depending on the complexity of the penetration test, the kick-off takes place one month to one week before the agreed implementation period. The aim is to evaluate roadblocks and agreements for successful implementation. AWARE7 GmbH’s penetration testers and project management team will take part in this meeting. The following stakeholders should take part in the kick-off meeting:
– All relevant risk or project owners
– Information security officer
– Technical personnel with knowledge of the target system - Recon
Reconnaissance is the work of gathering information before a real attack is carried out. The idea is to gather as much information as possible about the target. To achieve this, many different, publicly accessible sources of information are used. The extracted information often provides a detailed insight into the affected systems.
In a penetration test of the Active Directory, for example, this means that all systems that are part of the Active Directory are enumerated as a first step. The systems are identified in parallel with the identification of the network services using standard network scanners such as nmap or massscan. - Enumeration and Vulnerability Identification
In the enumeration phase, there is a transition from a passive collection of information, as in the recon phase, to an active one, thus further enriching the collection of information. In addition, the information from the recon phase is used to identify potential attack vectors. In the enumeration phase, automated scans are started and a vulnerability assessment is carried out against the relevant systems. During the enumeration phase, an examination of the Active Directory configuration, for example, would take place in the context of an Active Directory penetration test. The pentesters would collect information about groups, users, GPOs (Group Policy Object), policies and shares.
- Exploitation
In the exploitation phase, the penetration testers try to actively exploit security vulnerabilities. Exploits are developed, for example, to collect sensitive information or to enable pentesters to compromise a system and manifest themselves on it. For new targets, the reconnaissance and enumeration phases are repeated in order to gather information about these new systems and to exploit them. For example, as part of an Active Directory penetration test, password attacks are carried out on previously collected user accounts in order to take over these accounts. In addition, many other different attacks such as relay attacks are also carried out.
- Post Exploitation
In the post-exploitation phase, the changes to systems, processes and users are reversed in collaboration with the relevant technical contacts and administrators. Since a penetration test cannot rule out the possibility of system configurations being manipulated or exploit scripts being placed, it is important to ensure that these are deleted and reset after the test.
- Report
Documentation is an essential part of every penetration test. During the penetration test, all steps leading to a successful attack are documented in detail. This ensures that everything can be traced in detail after the test. At the end of the penetration test, this documentation serves as the basis for an individual report that makes the test results comprehensible for both the technical administration and the management. Recommendations for action are an important part of the documentation.
FAQ – Frequently asked questions
Your IT system is tested by our experts without any knowledge on our part. We only give your company name to our testers and they start with the information research. This attack is closely based on a real attacker, but the initial information research takes a correspondingly long time, depending on the scope of the system, so that an extensive time frame must be selected in order to obtain meaningful results.
In a grey box pentest, the most necessary information about the target system is exchanged. This includes, for example, the URL of the application, user login information or user roles. The greybox test is the most effective method for examining your application. Due to the lack of extensive information research compared to the black box test, more attention can be paid to the discovery and exploitation of security vulnerabilities.
A white box penetration test provides full knowledge of the IT system. The white box penetration test includes a comprehensive code review. This review is carried out with a focus on IT security. Architectural and infrastructure aspects are also examined and then evaluated. Similar to the black box penetration test, the white box penetration test takes a long time to carry out. This is reflected in the cost of a pentest.
For various reasons, virus scanners and firewalls are no longer sufficient to protect your IT infrastructure. Especially with networked applications, the server is the component that needs the best protection and there is usually no virus scanner. These are mainly found on end devices such as laptops or workstations, but not in the server environment. The aim of a penetration test is to bypass the firewall and gain access to the system via a legitimate application. While a firewall is designed to prevent attackers from misusing any services, a pentest ensures that attackers do not gain access to the system through data traffic disguised as legitimate.
Penetration testing is a process, not a one-off project. Your IT infrastructure is subject to constant change, your applications change almost daily, program dependencies can change and become vulnerable to new attacks. Compliance requirements must be considered and fulfilled. It is therefore important to introduce a continuous IT security process. A one-off IT security audit is essential to determine the status quo. In terms of a long-term IT security strategy, you need a continuous process that identifies and analyzes the problems in your system on an annual basis.
If you want to carry out an internal penetration test, there are several options. If you need our ethical hackers directly on site, an on-site test is a good option. In this case, we will travel to you and take a look at the networks and systems on site. If you want to plan the project cost-effectively and have an IT department on site, we can send you our pentest box. You connect this box to the network and we access it remotely. This saves you money and we do not harm the environment.
The pentesters at AWARE7 GmbH have access to a comprehensive toolbox for carrying out a penetration test. These include open source tools as well as paid applications. We would be happy to present a selection of our tools to you in an initial meeting or kick-off meeting. We only access your IT systems from our static IP address. In this way, you can get a concrete picture of the implementation of penetration testing. Results are checked manually and checked for criticality.
