by admin
❓ Everything You Need to Know

Penetration Testing — Frequently Asked Questions

Answers to the most common questions about our EXPRESS and Standard penetration testing services, from ordering and pricing to execution and reporting.

Can't find the answer you're looking for? Get in touch — we're happy to help.

pentest@cubic-consulting.com

General Questions
What is a penetration test?

A penetration test, also known as a pen test, simulates a cyber attack on a computer system, network, or web application to identify vulnerabilities that hackers could exploit.

Why is penetration testing important?

Penetration testing helps identify and address security weaknesses before malicious hackers can exploit them. By doing so, it helps protect sensitive data, maintain the integrity of your systems, and safeguard your business from potential disruptions, financial losses, and reputational damage.

How often should a penetration test be conducted?

It is recommended to conduct a penetration test at least annually or whenever there are significant changes to your systems, applications, or network infrastructure.

How different is an EXPRESS penetration test from a Standard penetration test?

The primary difference is the speed at which testing begins.

For an EXPRESS penetration test, we commit to starting the test one day after the order is completed.

For a Standard penetration test, we work with you to agree on the start date once you have placed your order and completed the technical preparation for the test. Although the timing largely depends on how quickly you can be ready for the test, it generally takes up to 2 weeks after you place your order.

There is no difference in the execution and reporting aspects between the two tests.

What is the experience and expertise of the team in charge?

With our expert team, led by industry veterans, you're in the hands of professionals who deliver only the best. Our team brings experience at both executive and operational levels in managing web security on a global scale. We've successfully led penetration testing and vulnerability management processes in complex environments. Having been consumers of penetration testing services for many years, we understand customer needs and expectations firsthand.

The technical team at Payatu, our trusted partner, is a world-class group of passionate researchers and security experts. With over 60 CVEs discovered, they have a proven track record in identifying security vulnerabilities. They also contribute significantly to open-source projects, creating tools widely used in training and research. The team's commitment to quality and security is further demonstrated by ISO 27001, ISO 9001, and ISO 17025 certifications.

Security & Confidentiality
How do you handle sensitive information discovered during testing?

We adhere to strict confidentiality and data protection protocols to ensure that your data remains secure throughout the testing process. Any sensitive information discovered during testing is handled with the utmost confidentiality and is securely documented in our final report.

We securely store all your data, including but not limited to test results, using encryption. We also enforce strict access control on your data. Only the people assigned to your test will have access to your data, and that access will be revoked as soon as the project is completed.

Once the project is delivered, only a single point of contact will maintain access to the data as long as you need the data.

Test results are retained for a maximum of 60 days after project completion unless otherwise requested. Retention periods can be tailored to meet individual contractual requirements. After the retention period, data is securely deleted in accordance with industry standards and best practices.

Will penetration testing disrupt our operations?

We aim to minimise any disruption to your operations. We use methods designed to avoid a significant impact on your systems. However, security testing inherently involves risks due to the unpredictable behaviour of the application and infrastructure being tested, as well as their reaction to unknown variables and malicious data.

As a precautionary measure, Cubic Consulting strongly recommends performing a complete backup of the network, including applications and databases, before initiating any testing or operation. This ensures immediate recovery in the unlikely event of any potential losses.

Ordering a Penetration Test
How quickly can an EXPRESS penetration test be initiated?

Once you complete your order, we can initiate the test the next day. To complete your order, please follow these steps:

  • Fill out the scoping form, which includes a few questions to help us prepare your proposal.
  • Sign the Order Form in the proposal and send it to us, authorising us to perform the test.
  • Complete your payment.
  • Ensure technical readiness for the test by providing necessary information such as IP addresses or URLs to be tested.

How quickly can a Standard penetration test be initiated?

The timing largely depends on how quickly you can be ready for the test. Once your order is placed and you complete your technical preparation, we'll work with you to agree on a start date. It generally takes up to 2 weeks after you place your order.

Detailed instructions on technical preparations will be provided as soon as your order is confirmed.

What types of systems are included in the EXPRESS penetration test?

Our EXPRESS pen test service includes web applications, mobile applications, and network/infrastructure. If you would like to have other system types tested, please email pentest@cubic-consulting.com with your needs for evaluation.

What types of systems are included in the Standard penetration test?

Core System Types:

  • Network/infrastructure
  • Web applications
  • Mobile applications

Specialised System Types:

  • Cloud platforms (Azure, AWS)
  • SAP
  • Thick clients
  • Internet of Things (IoT) devices
  • Artificial Intelligence and Machine Learning

Please note that the specialised system types have different pricing rates. Please email pentest@cubic-consulting.com for more information.

How is the test duration determined?

The test duration is determined based on the size and complexity of the system to be tested. Once you submit the scoping form, we will estimate the required effort to perform the test, and the duration will be proportional to this effort.

What information do I need to provide to get started?

  • A completed scoping form to estimate the size and complexity of the system to be tested.
  • A point of contact for all communications.
  • Billing information.
  • Technical information such as URLs and IP addresses for test execution.

Is there an option for validating fixes?

Yes, you can order a retest either together with the initial test or later. Including the retest upfront saves you time and effort, reducing the need for additional administrative work. On the other hand, if you order the retest later, the effort can be calculated more precisely based on the fixes you've implemented.

What are the benefits of including a retest upfront?

Here are the benefits of including the retest upfront, if you plan to remediate the findings:

  • Ordering the retest upfront saves time as it eliminates the need to submit a new order form and make a new payment.
  • Ordering the retest separately incurs an additional administrative fee of €250 for an EXPRESS penetration test and €175 for a Standard penetration test.

How do I make a payment?

Payments can be made by bank transfer. Please see the bank account information below:

Beneficiary Name: Cubic Consulting SARL
IBAN: LU82 0019 7755 7796 4000
BIC/SWIFT Code: BCEELUL
Bank Name: Banque et Caisse d'Épargne de l'État, Luxembourg (BCEE)
Bank Address: 1, Place de Metz, L-1930 Luxembourg

Cubic Consulting is a cybersecurity company based in Luxembourg.

Can I reschedule or cancel the test?

Yes, you can reschedule or cancel the test. However, please note that once your order is confirmed, we immediately allocate resources and commit to third-party costs to ensure the test is delivered as planned. Hence, if any changes to the planned test are necessary, a fee may apply to cover these committed costs.

For EXPRESS Penetration Test:

  • 100% of the fees for the originally planned test will be payable in both cases.
  • For rescheduling, in addition to the original fees, the full fees for the re-booked test will also be payable.

For Standard Penetration Test:

  • Rescheduling: If you need to move the test date within 48 hours of the original start date, no delay charges will apply. If you postpone the test beyond 48 hours, a delay charge of 20% of the total fees will be added, in addition to the full project fees.
  • Cancellation: After your order is confirmed, 20% of the total fees will be retained as liquidated damages, and 80% of the payment will be refunded.

We encourage you to carefully consider the test start date to avoid the need for rescheduling or cancellation, ensuring a smooth process and avoiding additional costs.

Test Execution
What are the steps involved in the testing process?

The high-level steps in the testing process include understanding the system, attacking it, and sharing mitigation strategies. Below are specific activities for representative system types:

For web applications:

  • Application walkthrough / information gathering (for grey-box testing)
  • Business process and application logic mapping
  • Application crawling (automated and manual)
  • Test plan document preparation
  • Input validation, authentication, authorisation, business logic, session management, configuration management, data encryption, and local cache checks
  • Reporting

For mobile applications:

  • Mobile application walkthrough (for grey-box testing)
  • Business process and application logic mapping
  • Application reverse engineering
  • Transport layer protection (SSL pinning bypass)
  • Local data storage and data leakage checks
  • Authentication, authorisation, server-side controls, business logic, session management, data encryption, and local cache checks
  • Reporting

For network/infrastructure:

  • Passive information gathering (Whois, DNS, Google searches)
  • Active information gathering and mapping
  • Vulnerability assessment to identify vulnerabilities and evaluate the attack surface
  • Exploitation using custom-written exploits
  • Post-exploitation to ensure persistent access on the compromised network
  • Reporting

What happens if issues are found during the test?

We provide updates on any identified issues during our daily briefings. For critical findings, we will discuss the issue with you during the call and follow up with an interim report detailing the specific problem.

If you prefer not to have daily update calls, we will notify you immediately if a significant issue arises and offer a call to explain the details.

We can also discuss and agree on a customised communication approach during the test kick-off call based on your preferences.

Results & Reporting
What will I receive at the end of the penetration test?

After the test, you will receive a detailed report outlining the discovered vulnerabilities, the methods used to exploit them, and recommended remediation steps.

Additionally, we offer an optional report walkthrough session where we explain the findings, and you can ask questions.

How will I receive the test results?

We provide the test report as an encrypted PDF file. By default, we send it to you via email. However, if your company uses a secure file-sharing platform, we're happy to upload the report there instead.

Do you provide support for fixing identified vulnerabilities?

Our report includes remediation recommendations, and you can ask questions about the findings during the report walkthrough session. If you need further assistance with remediation, we are happy to analyse your needs and discuss that as a potential additional service.

Ready to Order Your Penetration Test?

Pick your service tier, follow the simple ordering steps, and we'll handle the rest. Need help choosing? Get in touch.