Cybersecurity: Penetration Testing and Training
For us, cybersecurity means equipping both systems and employees to thwart cyberattacks effectively. Both IT infrastructure and personnel are frequent targets of cybercriminals, making it essential for organizations to not only understand hacker tactics but to proactively test systems for vulnerabilities and continuously update employee awareness on cybersecurity.
We identify critical security gaps and support you in reaching your desired level of security. By adopting the mindset of cybercriminals, our experts conduct penetration tests (pentests) to simulate attacks and attempt to breach your systems. This approach allows us to reveal vulnerabilities before real attackers can exploit them.
In addition, we provide tailored training solutions to make your team a strong line of defense against cyber threats. Through eLearning courses, targeted training sessions, anti-phishing exercises, and comprehensive security awareness campaigns, we help make cybersecurity a shared responsibility across your organization.
Get in touch with us—we’re here to help you strengthen both your systems and your team against cyber threats.
Pentesting Explained
While a cyber attacker seeks to exploit vulnerabilities to disrupt or encrypt your systems, a penetration test (pentest) uses the same techniques to identify potential attack vectors in advance. Pentesting reveals security gaps through various methods. Based on the level of information provided to the tester, pentests are categorized as Black-Box, Grey-Box, or White-Box. They can also be classified as internal (simulating an attack from within the network) or external (simulating an attack from outside the organization using publicly accessible information and services).
Pentests typically begin with automated scans to identify common vulnerabilities. Following this, manual tests are conducted to explore deeper security issues, and, in some cases, testers may proceed to execute exploits—controlled attempts to leverage identified weaknesses, such as gaining access to data or altering system settings. Most pentests conclude after the manual testing phase.
Executing exploits, however, can risk system stability and requires considerable resources. Given the balance between effort and security benefit, exploitation is generally performed only upon explicit request and in close coordination with you and your system administrators.
Scans
- Depth of Testing: Surface-Level
Automated scans detect obvious security gaps and basic system information, such as open ports and known vulnerabilities.
- Accuracy: Medium to Low
Scans provide a broad overview but may yield false positives and false negatives, as they may not fully capture context-specific details or the latest threats.
- Cost/Resource Requirement: Low
Thanks to a high level of automation, both costs and resource demands remain low.
Manual Testing
- Depth of Testing: Deep
Security experts conduct an in-depth analysis of the system, reviewing scan results and examining specific security elements that automated tools may miss.
- Accuracy: High
Manual testing provides a contextual understanding and addresses complex security issues, reducing false positives and uncovering subtler vulnerabilities.
- Cost/Resource Requirement: Moderate
Manual tests are tailored to the system under review, balancing thoroughness and efficiency to maximize security benefits with a justified and reasonable resource investment.
Exploitation Phase
- Depth of Testing: Very Deep
This phase involves actively exploiting identified vulnerabilities to gain system access or perform other critical actions.
- Accuracy: Very High
Successful exploitation provides direct evidence of a vulnerability's existence and impact, demonstrating how it could be practically leveraged.
- Cost/Resource Requirement: Very High
The post-exploitation phase often demands significant time and resources. Depending on the complexity and attack scenario, this can substantially increase the overall cost of the penetration test.
Important: Conducting Pentests with Qualified Experts
Pentests should always be carried out by qualified experts who, ideally, were not involved in the design, development, or operation of the system. This approach minimizes potential conflicts of interest and helps avoid "operational blindness"—a tendency to overlook familiar vulnerabilities.
The German Federal Office for Information Security (BSI) also recommends engaging external auditors, as this is the most effective way to avoid these issues and ensure an unbiased assessment.
Our Penetration Testing Services
We conduct penetration tests across a range of systems and applications to identify security vulnerabilities effectively. Below, you’ll find detailed information on each type of test we offer.
If you have any questions, feel free to reach out to us at any time!
External Network Penetration Testing
Your externally accessible systems are at the highest risk of attack. In our external network pentests, which resemble a classic "hacker attack" in a Black-Box scenario, we examine all outward-facing network services for potential vulnerabilities. This includes a thorough review of your firewall configurations and system hardening settings.
Our tests are based on public recommendations and guidelines from the German Federal Office for Information Security (BSI) and leverage over 15 years of experience in cybersecurity. Each test is meticulously tailored to the specific system being assessed and is enhanced with any necessary, additional checks.
Internal Network Penetration Testing
While external threats are often the focus, an organization’s internal network also faces significant risks. Insider threats—whether from malicious employees, accidental malware introductions, or breaches of the external perimeter—are increasingly common. The emerging "Zero Trust" model even recommends treating internal systems with the same caution as the open internet.
In an internal pentest, with access either on-site or via VPN, we examine all intranet network services for security vulnerabilities and configuration errors. Additionally, we assess existing network access controls (NAC) and the effectiveness of detection and prevention measures against local attacks. Typically conducted as a Grey-Box test, this process can be extended to a White-Box test with detailed network maps and IT infrastructure information.
Penetration Testing for Web Applications and Web APIs
In addition to simple websites, browser-based applications—often called web apps—are increasingly popular among developers and users alike, offering a wide range of functionalities, from online stores and email clients to calendar tools and video consultations.
However, this versatility also brings a heightened risk of coding errors, which can lead to critical security vulnerabilities. These vulnerabilities can affect not only the web apps themselves but also the underlying server and infrastructure. Our pentests examine web applications for known security flaws (such as the "OWASP Top 10") and logical errors, especially in access control and permissions.
Often paired with modern web apps, or sometimes as standalone services, we also test the underlying application programming interfaces (APIs) and web services for security gaps, taking into account their specific architecture and protocols.
Penetration Testing for Smartphone Apps (iOS and Android)
Both iOS and Android apps are susceptible to misconfigured security settings or insufficient data protection, which could allow attackers unauthorized access to sensitive information on the device or backend system, or enable malicious actions.
In our pentests, we assess iOS and Android apps at both the permissions and configuration levels as well as for code-related security vulnerabilities. We also thoroughly examine the app’s connection to its backend system, as this is often a critical component of mobile app security. Our testing is guided by industry standards, including the "OWASP Mobile Security Testing Guide."
Active Directory Audit
Active Directory (AD) enables the structuring of a network to align with an organization’s framework, allowing for the management of various network objects—such as computers, services, servers, devices (e.g., printers), as well as users and groups. To ensure network security and protect against unauthorized access, regular audits of the directory service are recommended.
Reach out to us directly to discuss how an AD audit can support your security goals!
Regular Security Scans
Our regular security scans offer you an efficient way to monitor externally accessible systems for security issues on an ongoing basis. While not a replacement for a full penetration test, these scans help quickly identify and correct configuration errors and other vulnerabilities. This service saves you the expense of costly scanning tools and eases the burden on your IT team.
Scan results are provided in a clear, user-friendly report available through our management system, DSN port—a web-based platform that requires no additional licenses. By default, scans are conducted every three months, though shorter intervals can be arranged as needed.

Employee Training: Raising Awareness of Cyber Attack Methods
In cybersecurity, secure systems are essential, but equally important are vigilant employees. Cybercriminals frequently target staff as entry points into an organization. Common tactics include spreading ransomware through malicious email links or using phishing and social engineering techniques to steal sensitive data or passwords. These methods aim to extract either money or valuable information.
Our training and eLearning programs educate your employees on the various attack methods used in cyberattacks, helping to raise awareness and prepare them to recognize and respond to threats in the workplace. It’s not a question of whether your organization will be targeted, but when—and how well-prepared you’ll be.
Our Qualifications as Pentesters
- Established Standards: We follow recognized standards, including BSI IS-Pentest, BSI IS-Webcheck, OWASP, and more.
- Experienced, Certified Experts: Our qualified penetration testers bring years of hands-on experience to each project.
- Customized Testing: Each test is tailored to the specific requirements and context of the target environment.
- Smart Meter Gateway Expertise: Extensive project experience in the Smart Meter Gateway field, compliant with BSI TR-03109-1.
- Transparent Processes: We ensure clarity and simplicity throughout the engagement.
- Client-Focused Security Enhancement: Our priority is enhancing the IT security of our clients.
Additionally, our team holds the following certifications:
- Offensive Security Certified Professional (OSCP)
- Certified Ethical Hacker (CEH)
- Offensive Security Wireless Professional (OSWP)
Your Contact for Professional Penetration Testing
Looking for a qualified partner to conduct a pentest? Our experienced specialists are here to assist you. Contact us by phone or email—we look forward to your inquiry!

Cihan Parlar, LL.M. (Tilburg), Lawyer
Managing Director
Email: cparlar@re-move-this.first-privacy.com
Phone: +31 20 211 7116
FIRST PRIVACY B.V.

Peter Suhren, Lawyer
Managing Director
Email: psuhren@re-move-this.first-privacy.com
Phone: +49 421 69 66 32-822
FIRST PRIVACY GmbH
If your inquiry concerns an organization based in Germany, these contacts will help you.

Michael Cyl, M.Sc.
Head of Information Security | Penetration Testing
Email: mcyl@re-move-this.datenschutz-nord.de
Phone: +49 421 69 66 32-319
datenschutz nord GmbH, Bremen