500+ customers place their trust in us – from startups to large companies
Application area
Acceptance test prior to the go-live of a critical application (self-developed or purchased) or prior to the rollout of an IT system (e.g. client or server template).
Objectives
Are there relevant vulnerabilities in the application or in the configuration of the systems under test? Is the security level state-of-the-art?
Result
A meaningful assessment of the security level of the app or system with a detailed report on relevant vulnerabilities, including recommendations for action.
Penetration tests
What is the security level of a particular IT asset or group of IT assets?
A penetration test always aims to identify all security-relevant vulnerabilities and improvement potentials of a specific asset in order to assess the security level.
We often identify generic flaws already during automated testing with state-of-the-art tools. In addition, critical functions are always examined manually by experienced penetration testers. In this way, we also find logical errors and avoid false positives.
As a result, you receive a detailed test report that describes all identified vulnerabilities, assesses their risk, provides meaningful recommendations and summarizes them in a management summary.
Pentest characteristics
Pentest of web applications
In a web application pentest, we analyze a reference implementation of the software under test in several stages. We start like a normal user to learn about functions, workflows and the actual purpose.
Based on this, we derive generic and specific "abuse cases" that could undermine the confidentiality and integrity of the information, the availability of the application, the authenticity of the acting person or even the whole business process.
We typically perform penetration testing of web applications using the greybox approach, looking not only at the web GUI itself, but also at associated APIs and web services, as well as the underlying infrastructure.
A penetration test includes the following steps:
Preparation
- Coordination of the scope and the depth of testing
- Kick-off meeting
Execution
- Automatic scans for vulnerabilities
- Manual analysis and hacking
Evaluation
- Creation of a detailed report
Methodologically, we follow proven guidelines when conducting penetration tests:
In terms of content, we are mainly guided by the established standards of the OWASP project:
- Application Security Verification Standard (ASVS)
- Web Security Testing Guide
- Mobile Security Testing Guide
- OWASP Top Ten Projects, e.g. for Web Applications
If necessary or useful we extend this by:
- CIS Benchmarks (Review of configurations)
- IT-Grundschutz (Review of configurations)
- ISO/IEC 27001:2013 (for technical audits)
Pentest of fat client applications
In an application pentest, we analyze a reference implementation of the software under test in several stages. We start like a normal user to learn about functions, workflows and the actual purpose.
Based on this, we derive generic and specific "abuse cases" that could undermine the confidentiality and integrity of the information, the availability of the application, the authenticity of the acting person or even the whole business process.
We usually perform penetration tests of fat client applications using the greybox approach, looking not only at the GUI of the application but also at the backend and the communication channels.
A penetration test includes the following steps:
Preparation
- Coordination of the scope and the depth of testing
- Kick-off meeting
Execution
- Automatic scans for vulnerabilities
- Manual analysis and hacking
Evaluation
- Creation of a detailed report
Methodologically, we follow proven guidelines when conducting penetration tests:
In terms of content, we are mainly guided by the established standards of the OWASP project:
- Application Security Verification Standard (ASVS)
- Web Security Testing Guide
- Mobile Security Testing Guide
- OWASP Top Ten Projects, e.g. for Web Applications
If necessary or useful we extend this by:
- CIS Benchmarks (Review of configurations)
- IT-Grundschutz (Review of configurations)
- ISO/IEC 27001:2013 (for technical audits)
Pentests of clients and servers
Typical test objects are physical or virtual Windows or macOS clients, Citrix servers, as well as reference images of Windows, Linux or AIX servers that are used, for example, as templates for cloud VMs or in a container registry.
In a client or server pentest, we analyze a reference implementation with respect to many aspects: Are accesses limited to a minimum? Is the system adequately hardened? Are all components up to date, including drivers, operating system, middleware and third-party applications? Is strong authentication used and are administrative accesses restricted? Is locally stored information access-protected and appropriately encrypted, and is it free of highly sensitive information such as credentials? Are hard drives encrypted and adequately protected in case of theft or loss?
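As an added illustration of two of the questions above (strong authentication, restricted administrative access) for a Linux server image, here is a small hardening check over an sshd_config snapshot. This is example code written for this page, not HvS's own tooling; the two configurations are constructed samples, and the defaults assumed for absent keywords are those of OpenSSH 7.0 or newer. It also handles an edge case that trips up naive checks: sshd applies the first occurrence of a keyword, and settings after a Match line are conditional, so a "PermitRootLogin no" placed after a "PermitRootLogin yes" has no effect.

```python
"""Hardening check for an sshd_config snapshot (added example, constructed data)."""
import re

# OpenSSH defaults for the keywords checked below (assumption: OpenSSH >= 7.0).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}

# Constructed sample of a weakly configured server image (not a real host).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no   # ignored by sshd: the first occurrence wins
Match User backup
    PasswordAuthentication no
"""

# Constructed sample after hardening: key-only logins, root disabled,
# administrative SSH access restricted to one group.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
AllowGroups ssh-admins
"""


def parse_sshd_config(text):
    """Return the effective global settings as {lowercased keyword: value}.

    Mirrors sshd semantics: comments are stripped, the first occurrence of a
    keyword wins, and everything from the first Match line on is conditional
    and therefore not part of the global configuration.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    effective = dict(DEFAULTS)
    effective.update(settings)
    return effective


def audit_sshd_config(text):
    """Return a list of human-readable findings for the given sshd_config text."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin is '%s': direct root login should be disabled"
                        % cfg["permitrootlogin"])
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is enabled: require key-based authentication")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is disabled: strong authentication unavailable")
    if cfg["permitemptypasswords"].lower() != "no":
        findings.append("PermitEmptyPasswords is enabled: accounts without password can log in")
    if not cfg.get("allowgroups") and not cfg.get("allowusers"):
        findings.append("No AllowGroups/AllowUsers: SSH access is not restricted to an admin group")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or ["no findings"])
```

Run it directly to see the weak sample produce three findings (root login, password authentication, no access restriction) and the hardened sample none; to use it on a real image, pass the contents of its /etc/ssh/sshd_config to audit_sshd_config.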
We typically perform penetration testing of clients and servers using the whitebox approach. A penetration test includes the following steps:
Preparation
- Coordination of the scope and the depth of testing
- Kick-off meeting
Execution
- Automatic scans for vulnerabilities
- Manual analysis and hacking
Evaluation
- Creation of a detailed report
Methodologically, we follow proven guidelines when conducting penetration tests:
In terms of content, we are mainly guided by the established standards of the OWASP project:
- Application Security Verification Standard (ASVS)
- Web Security Testing Guide
- Mobile Security Testing Guide
- OWASP Top Ten Projects, e.g. for Web Applications
If necessary or useful we extend this by:
- CIS Benchmarks (Review of configurations)
- IT-Grundschutz (Review of configurations)
- ISO/IEC 27001:2013 (for technical audits)
Ready to have an application, client or server image tested?
Let us agree on the scope, clarify the commercial aspects and convince you of our skills.
Individualization of assessments
Penetration tests are the "classic" among assessments and a very good choice in many cases.
However, they reach their limits when, for example, several components are in scope at the same time, active testing is not permitted for legal reasons or due to failure risks, or a view "without operational blindness" is desired.
That is why we have further developed our assessment approaches. They differ in their objectives and in the use of different methods and techniques. We can flexibly combine these methods and offer you an individual assessment.
The only thing we need is a concrete objective or question: what do you want to achieve with the results? We then find a good balance between the scope covered, the depth of testing and the degree of realism, keeping the effort and costs of the assessment within reasonable limits.
We will be happy to advise you on individual assessments, just get in touch! In the meantime, get inspired by our other assessments.
More HvS security assessments

Test your IT security with a security stress test! Find out how quickly attackers can infiltrate your network and what damage an attack could cause.

How well can you detect and defend against real cyber threats? Our Red Teaming Assessment simulates attacks to uncover vulnerabilities and improve detection.

The training camp for incident response teams. How quickly does your Blue Team recognize attacks? Is the severity correctly assessed and how long does it take to successfully defend against them? Send your team to training camp!

Professional industrial espionage often involves physical attacks or insider attacks (social engineering), even if the target is in cyberspace. Our social engineering assessments protect your company from social engineering attacks.

The cloud - whether IaaS, PaaS or SaaS - can be secure if it is planned and configured correctly. We help you to ensure this! Arrange a cloud assessment appointment with us today.

Which systems are accessible and potentially vulnerable? Our vulnerability scan identifies security gaps, shadow IT and forgotten services - before attackers do.