Penetration Testing

Protect your digital assets: ensure your organisation’s defences are effective in New Zealand.

Partner with us knowing we have performed 1000s of engagements and built our expertise over two decades. Our team is local, accredited and has deep expertise in all pen testing services.


How we can assist:

Infrastructure Security Assessment

External Infrastructure Penetration Test

Internal Infrastructure Penetration Test

Frequently Asked Questions

Infrastructure Security Assessment

Whether it’s hosted in the cloud, internally, or externally, we have multiple scenarios to simulate an attacker who might attempt to breach your network.

Tesserent's infrastructure assessments in New Zealand will assist your organisation in identifying exploitable vulnerabilities that may be found in your network.

Whether you are looking to meet compliance requirements such as PCI or ISO27001 or want a better understanding of your current attack surface, Tesserent security experts can help you not only meet those requirements but also validate that your current defence posture holds up against a cyber-attack.


External Penetration Testing

Threat actors continuously probe systems searching for vulnerabilities they can exploit in order to steal data, compromise the operation of systems or damage your organisation's reputation. External penetration testing in New Zealand employs tools, tactics and procedures similar to those of malicious parties to search for potential weaknesses.

An external penetration test assesses public-facing systems by simulating a malicious attacker on the internet. Public-facing systems include servers with public IP addresses that can be accessed by users on the internet, such as websites and email servers.

External penetration testing uses tools and methods that can identify firewall misconfigurations, find unpatched vulnerabilities, and locate and compromise administrative services and interfaces.

Tesserent External Infrastructure Test Methodology

Tesserent's New Zealand-based External Infrastructure methodology uses both manual and automated testing of your organisation’s public-facing infrastructure (for example websites and email servers) to determine if an external attacker can breach your perimeter.

External penetration testing will allow your organisation to validate how your current security controls hold up against an external attack.

What you gain from External Penetration Testing:

  • Visibility as to how a remote attacker could compromise your public-facing systems.
  • Insight into how to prioritise your security spend, based on actual risks.
  • Understanding of how an attack might occur, providing an opportunity to formulate an incident response plan that is relevant to your likely risks.
  • Uplifting of the security capabilities of your IT team through our recommended remediation.
  • Confidence that you are closer to achieving your business’s compliance and regulation requirements.

Remain compliant with external pen testing

With compliance now a major issue for organisations to manage, external penetration testing in New Zealand carried out by an expert independent party can assist with remaining compliant with established regulations and security standards. For example, the Australian Prudential Regulation Authority (APRA) requires the organisations it oversees to conduct independent external penetration tests annually. Security standards such as NIST and ISO 27001 require penetration testing in order to be compliant.



Internal Penetration Testing

Internal penetration testing in New Zealand simulates an internal attacker such as an employee or contractor who has access to your internal network or external intruders who have breached perimeter defences.

This is done by finding the attack path that a potential internal threat actor could use to gain access to sensitive data from your organisation’s internal network. This includes file servers, workstations, and applications. As well as finding how a malicious party can exploit internal systems and network weaknesses, internal penetration testing can find threats that emanate from accidental errors made by staff that can lead to data exfiltration or other significant issues.

During an internal penetration test, an experienced tester will be given some access to your internal network. This is typically the same sort of access an ordinary employee has. The tester will attempt to escalate the level of privilege that account has with the intent of accessing data or systems that the account ought not be able to access. Or, the tester could use their escalated privilege to compromise network equipment in order to launch a larger and more damaging attack.

Tesserent's approach to internal infrastructure penetration testing

The Tesserent approach to internal infrastructure penetration testing is to simulate an internal attacker, potentially an employee or contractor, who has access to your internal network.

This is done by exploiting vulnerabilities and finding the attack path that a potential internal threat actor could utilise to gain access to sensitive data.

Your organisation’s internal network (file servers, workstations, etc.) is exposed to threats from:

  • External intruders, after breaching perimeter defences,
  • Malicious insiders attempting to access or damage sensitive information or IT resources and
  • Accidental errors from staff.

Organisations are encouraged to test the internal network at least as frequently as they do the external perimeter.

The Tesserent report generated as the output of this work is designed for both executive/board level and technical staff.

What do you gain from Internal Penetration Testing?

  • An understanding of how an internal attacker could compromise your internal network.
  • Real insight into the potential damage and business risk an attacker could inflict.
  • A comprehensive report outlining the security exposures of your internal network, including high impact recommendations and root causes.
  • An action plan detailing how to resolve issues.
  • Enhanced protection of your business intelligence, data and IT systems, brand and reputation.

While significant attention is given to detecting and mitigating the risks associated with external attackers, internal penetration testing detects the risks of an internal actor with access to your network.

Internal pen testing gives your organisation an understanding of how an internal attacker could compromise your internal network and provides real insight into the potential damage and business risk an attacker could inflict.

As well as detecting technical issues, a penetration test can detect weaknesses in policies and procedures. This can include giving users unnecessarily escalated privileges, weak processes for assigning access to systems or poorly defined system access roles.

An internal penetration test ensures that your internal security posture is robust and that internal weaknesses are recognised and remediated.

Frequently Asked Questions

What should I look for when choosing a Penetration Tester in New Zealand?

Find a company you trust

Trust is fundamental. You will be allowing this company to access your systems, customer data and sensitive company intelligence. In effect, you’ll be permitting access into the inner workings of your organisation’s operations. Be sure that they can be trusted with your data and that they have a proven track record. When was the company established, and how many penetration tests have they performed for large security-focused organisations? Ask if they have worked with clients in your industry sector and can provide references.

Can they meet my brief, or help me define it?

To get the best value for your IT security investment, you need to know exactly where you need help, why, and what you want security tested. As the saying goes, the better the brief the better the job, so clearly define your objectives and outcomes from the start.

Are they able to answer my questions?

Ask questions about the testing methodology. What defined procedures and tools does the company use? How do they protect your business and data during the testing? How do they remove false positives? How many classes of tests are performed? How are complex multi-stage attacks covered?

Is the testing out-sourced, sub-contracted or in-house?

Remember that a company does not conduct a penetration test, people do. No matter which company you go with, it always comes down to the person or the team you have working on your business. Find out who exactly will be conducting the testing: is it outsourced, sub-contracted or in-house? Ask to see their credentials and interview them by phone, Zoom or in person. Finally, ask if you can be provided with interesting findings as they occur throughout the testing.

Can they show you a typical report?

Up front, ask the company exactly what you will receive at the end of the penetration test. Ask to see what a real-world deliverable looks like. A quality report should detail the key findings and provide solid remediation advice, in priority order, to address every issue found. In short, the final report should be a valuable tool with a clearly defined action plan on the best ways to remediate vulnerabilities. Quality reports also detail how to re-test each vulnerability once the identified flaws have been fixed.

Where are your pen testers based?

Almost all our assurance team is based in Australia and New Zealand. We do have some staff that work internationally, often because they have relocated for personal reasons but want to keep working with us. All our staff have gone through rigorous security checks.

Are you CREST certified?

Yes, we are proudly CREST ANZ certified.

How do we scope and price a Penetration Test in New Zealand?

Each engagement is unique and tailored to your environment and the agreed scope of work for testing in New Zealand. A penetration test is largely priced based on the estimated number of days required to complete the engagement.

We have conducted tens of thousands of penetration tests over the last two decades. We start by listening.

What’s your methodology for Penetration Testing (external)?

Tesserent has extensive experience with complex architecture designs gained through years of experience working with clients of all sizes, industries and structures. As we are watching threat activity on a daily basis, we’re constantly learning about the latest attack techniques, exploits, and security flaws. Our methodology covers:

    • Reconnaissance – we’ll perform information gathering before any simulated attacks are actioned.
    • Vulnerability Detection – Tesserent will perform vulnerability detection to discover flaws in systems, networks and applications which can then be leveraged by the consultant.
    • Exploitation – we’ll try to actively exploit security weaknesses identified in the vulnerability detection phase. To achieve this Tesserent may use publicly available, in-house developed or commercially available exploit kits.
    • Privilege Escalation – After a target has been successfully compromised, Tesserent will try to gain a further foothold within the organisation. This may involve gaining higher privileges in the system or potentially gaining access to other systems on the internal network. The end goal is to gain complete control of the network.
    • Data Exfiltration – Based on the scope of the project, Tesserent may be required to perform data extraction. To achieve this the consultant will use a set of tools and techniques in order to extract specific data from the organisation’s network.
    • Reporting and Delivery – We’ll document, in priority order, the issues identified, along with recommendations for every issue identified. These are presented in a clear and meaningful way for both a technical and a business audience.

Contact us

Speak with a Tesserent Security Specialist

Tesserent is a full-service cybersecurity and secure cloud services provider, partnering with clients from all industries and all levels of government. Let’s talk.
