Penetration Testing Sydney

Find a company you trust

Trust is fundamental. You will be allowing this company to access your systems, customer data and sensitive company intelligence. In effect, you’ll be permitting access into the inner workings of your organisation’s operations. Be sure that they can be trusted with your data and they have a proven track record. When was the company established and how many penetration tests they have performed for large security focused organisations? Ask if they have worked with clients in your industry sector and can provide references.

Can they meet my brief, or help me define it?

To get the best value for your IT security investment, you need to know exactly where you need help, why and what you want security tested. As the saying goes, the better the brief the better the job, so clearly define your objectives and outcomes from the start.

Are they able to answer my questions?

Ask questions about the testing methodology. What defined procedures and tools does the company use? How do they protect your business and data during the testing? How do they remove false positives? How many classes of testings are performed? How are complex multi-stage attacks covered?

Is the testing out-sourced, sub-contracted or in-house?

Remember that a company does not conduct a penetration test, people do. No matter which company you go with, it always comes down to the person or the team you have working on your business. Find out who exactly will be conducting the testing, is it outsourced, sub-contracted or in-house? Ask to see their credentials and interview them by phone, Zoom or in person. Finally, ask if you can be provided with interesting findings as they occur throughout the testing.

Can they show you a typical report?

Up front, ask the company exactly what you will receive at the end of the penetration test. Ask to see what a real-world deliverable looks like. A quality report should detail the key findings and provide solid remediation advice, in priority order, to address every issue found. In short, the final report should be a valuable tool with a clearly defined action plan on the best ways to remediate vulnerabilities. Quality reports also detail how to re-test each vulnerability once the identified flaws have been fixed.

Yes, we are proudly CREST ANZ certified.

Each engagement is unique and tailored to your environment, and the agreed scope of works for testing. A penetration test is largely priced based on the estimated number of days required to complete the engagement.

We have conducted tens of thousands of penetration tests over the last two decades. We start by listening.

Tesserent has extensive experience with complex architecture designs gained through years of experience working with clients of all sizes, industries and structures. As we are watching threat activity on a daily basis, we’re is constantly learning about the latest attack techniques, exploits and security flaws. Our methodology covers:

• Reconnaissance – we’ll perform information gathering before any simulated attacks are actioned.
• Vulnerability Detection – Tesserent will perform vulnerability detection to discover flaws in systems, networks and applications which can then be leveraged by the consultant.
• Exploitation – we’ll try to actively exploit security weaknesses identified in the vulnerability detection phase. To achieve this Tesserent may use publicly available, in-house developed or commercially available exploit kits.
• Privilege Escalation – After a target has been successfully compromised, Tesserent will try to gain a further foothold within the organisation, this may involve gaining higher privileges in the system or potentially gaining access to other systems on the internal network. The end goal is to gain complete control of the network.
• Data Exfiltration – Based on the scope of the project, Tesserent may be required to perform data extraction. To achieve this the consultant will use a set of tools and techniques in order to extract specific data from the organisation’s network.
• Reporting and Delivery – We’ll document, in priority order, the issues identified, along with recommendations for every issue identified. These are presented in a clear and meaningful way for both a technical and a business audience.