YOUR TRUSTED PARTNER IN RISK MITIGATION

We Have Zero Risk Tolerance

From risk identification, to mitigation, to response, Marcum Darby's suite of risk assessment services has your organizational infrastructure covered.

Risk Assessments

Marcum Darby offers a wide range of Risk Assessments, from testing a web application to evaluating an entire organizational network.

A risk assessment strives to do two main things:

  1. Identify and analyze potential future events that may negatively impact individuals, assets, and/or the environment.
  2. Evaluate the risk tolerance that your company may or may not have, and make recommendations based on different factors. Overall, we want to reduce the cost of the potential risks out there.

Web Application Assessments

Your Web Presence, Fortified

Marcum Darby's Application Assessment service combines information security best practices and technologies specifically designed to test websites, web-based services, and web applications. Its purpose is to identify weaknesses and risks that your applications are subject to and help to protect against application vulnerabilities. The goal of the evaluation is to find vulnerabilities that threaten your company's data integrity.

We utilize a phased approach to discover potential attack vectors for exploitation. We leverage our experience as application assessors to identify and abuse weaknesses in web-based applications that stem from poor coding practices, improper input validation, and misconfigured security settings. The tester will evaluate the application against the current list of known vulnerabilities, including, but not limited to:

  • Injection
  • Insecure Cryptographic Storage
  • Cross Site Scripting
  • Weak security controls for URLs
  • Broken Authentication and Session Management
  • Shared hosting vulnerabilities
  • Insecure Direct Object References
  • Sensitive Data Exposure
  • Cross Site Request Forgery (CSRF)
  • Weak Application Logic
  • Security Misconfiguration

Data Center Systems Assessment

Providing A Crystal-Clear Picture Of Your Center's Capacity and Vulnerabilities

Our data center assessment involves evaluating and analyzing your data center or network closet on-site and providing recommendations on maximizing availability, reducing cost, and improving efficiency while protecting your data from risk. A data center with high availability is made up of several components that must be synchronized to run and operate smoothly, and it is essential to keep these components secure, efficient, and healthy at all times. Our assessment includes the following:

IT Infrastructure Assessment

This looks at scalability and architectural concerns such as access rights, hardware, disaster recovery, business continuity considerations, software and virtual environment IT integration and management, pricing, etc. End-user functionality such as real-time data polling, capacity planning, reporting and analytics, unified dashboard, intelligent monitoring and alerting, and dependency mapping are also evaluated against your budget, digital transformation essential elements, and business expectations. Finally, vendor strength and reputation are assessed.

Environmental Assessment

This involves evaluating the data center site to find vulnerabilities and other characteristics that might impact its operations including, but not limited to, evaluating proximity to adjacent hazards like rail lines, airports, rivers or other bodies of water, and building access.

Communications Assessment

Due to the continuous evolution of technology, flexibility and scalability are required of communications infrastructure. We review physical cabling plant pathways and look at routing, airflow management, LAN/switching architecture, SAN core routing, the ability to support current and future storage and server technology, power and cable management, and other factors.

Physical Assessment

During this phase, we assess your mechanical and electrical equipment against industry standards for life expectancy, repairs, and the need for scheduled maintenance. We also evaluate building automation and controls, cooling and temperature control, air distribution, plumbing and drainage systems, fire suppression, space pressurization, and battery room ventilation. Grounding, electrical power monitoring, security and access control, fire alarm, transient voltage surge protection, standby and critical power generation and distribution, and any other critical electrical systems undergo review.

We will review software versions, configurations, policies, and procedures for potential attack vectors that could leave your organization vulnerable to attack. Additionally, we will conduct automated scans to determine whether any systems are operating with default or predictable passwords.

Internet Connection Assessment

Stay Connected With Unparalleled Peace Of Mind

Internet connection assessments come in several forms (including an evaluation of both wired and wireless access points), and are generally tailored to your needs after an initial evaluation of your network structure, using the heuristic model that underlies all of our assessment phases.

The aspects specifically evaluated and/or tested include, but are not limited to, rating the service provider (ISP) against best practices for data security, reliability, speed and uptime, along with security evaluations that look at direct and remote access control and possible vulnerability to third party interception.

Local Area Network Assessment

Bulletproof Security From The Inside Out

This assessment provides a view of your organization's security posture from the inside. To conduct the internal part of the assessment, we utilize Remote Access Tools (RATs) specifically designed not only for security, but for flexibility during engagements. The RAT acts as a gateway into your network, so we employ extra safety precautions to ensure your network's integrity during this phase of testing. Communications are encrypted with high-security cipher suites and require mutual authentication between client and server. Using our custom tunneling framework, the dropper runs a secure tunnel that is tailored to your environment.

Active Devices On The Network

Active devices on the network will be evaluated for implementation of industry best practices, known vulnerabilities, and weak security configurations. Through manual and automated methods, identified vulnerabilities will be exploited to attempt to gain privileged access to company resources and information. Our methodology is based on frameworks defined by NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, and the Open Source Security Testing Methodology Manual (OSSTMM). Further, our methodology dictates that our testing processes be repeatable and consistent, which minimizes assessment risks.

Authenticated Testing

Authenticated testing is performed using low-level user credentials and simulates an employee attempting to escalate their privileges to gain unauthorized access to your organization’s resources.

Unauthenticated Testing

Unauthenticated testing simulates an unauthorized user attempting to gain access to systems or applications on the network. We execute the majority of our penetration testing operations utilizing a mix of cloud services (AWS, Azure, and Google Cloud).

Our operations prioritize protecting client information.

  • We have taken measures to ensure that, in the event we are able to infiltrate your networks, no sensitive data is leaked or exposed to the public.
  • All command and control sessions and data stored on disk are encrypted.
  • We have also put in place internal controls that limit our personnel's access to your data.
  • Only staff assigned to support your engagement will have access to your data.

Our approach to internal network assessments is conducted in four stages.

  1. Vulnerability Assessment: the first stage is foundational, identifying vulnerabilities that may exist in the network.
  2. Static Review of All Configurations: to determine whether any misconfigurations or weak security configurations are in place within the network.
  3. Review of All Security Activity Related Documentation: to uncover what can be improved and in what areas the company is excelling.
  4. Re-Testing Followed by Remediation: to ensure the effectiveness of our remediation efforts in helping to maximize the security of your systems and data.


Wide Area Network Assessment

Weeding Out Weaknesses From Every Angle

Our Wide Area Network Assessment focuses on exploiting vulnerabilities in the systems related to network topology and configuration. This testing involves deliberate attacks on the system to identify weak areas that may provide a passage for malicious and unauthorized users to attack the system and alter its integrity and veracity. This technique helps evaluate the system's capability to recognize unexpected malicious attacks and can also help in fixing various security bugs and loopholes.

Penetration Testing

We Find Your Weaknesses So Hackers Can't

The aim of a pentest is to demonstrate as clearly as possible what the consequences of a certain issue with your IT security could be, and what that would mean to your organization. A penetration test allows us to demonstrate the seriousness of IT security issues so that your organization becomes aware of the potential dangers.

Cloud Testing

Cloud penetration tests involve shared infrastructure and responsibilities, with each cloud services provider (AWS, Azure, Google Cloud, etc.) having its own requirements. Securing these environments requires a deep understanding of their processes, compliance requirements, and policies, which allows our team to evaluate the strengths and weaknesses of your cloud-based systems and improve the overall security level.

Internal Network

When pentesting the internal network, we focus on obtaining privileged rights on the network, assets, and complete Windows domain. An egg is a common analogy when referring to a poorly secured network: you don’t want a hard exterior (egg shell) and then a soft middle with little-to-no security.

Mobile Apps

Mobile apps are a huge part of our lives, yet they are particularly vulnerable because most are built with fewer security measures. Mobile applications have changed the way we work and communicate. When testing mobile apps, we identify which vulnerabilities exist within the application before it is too late. Our tailored approach checks for flaws or exploits that could lead to your data being compromised.

Web Applications / APIs

We look for vulnerabilities that could allow personal or privacy-sensitive information to be obtained from web applications, or allow hackers to target your APIs.

Hardware / IoT

Through reverse engineering and firmware analysis techniques, vulnerabilities in IoT devices are discovered. This covers hardware, firmware, and (cloud) backends.

Vulnerability Assessment

See Your Strengths And Weaknesses Like Never Before

Adequate security starts with a clear understanding of the threats and vulnerabilities that surround you. We can help you gauge your strengths and weaknesses in various scenarios and not only do we bring years of experience to the table, but our leading experts can also help you anticipate potential sources of new threats.

Vulnerability assessment services are designed to identify security holes related to cyber threats within an organization’s IT infrastructure. We provide vulnerability assessments which include a series of diagnostics on an organization’s devices, applications, and networks, and we use this data to recommend areas for improvement based on urgency and scope.

Our vulnerability management team works hand in hand with you to identify your most critical IT systems, tune existing or new scanners to explore your internal and external network infrastructure, identify the essential vulnerabilities exposing those systems, and remediate those vulnerabilities in a prioritized fashion.

Basic Cyber Security Controls Assessment

Safety Starts With The Basics

This assessment detects hidden weaknesses by proactively identifying insecure architecture and controls, misconfigurations, technical vulnerabilities, and mistakes. Be confident that sufficient security controls are implemented and are working as expected.

The Cyber Security Controls Assessment includes a review of core preventative and detective security controls, including analysis of the following key security technologies:

  • Firewalls/UTM
  • Checks on IPS
  • Content Filtering and Anti-Malware
  • Endpoint Security
  • Data Loss Prevention (DLP)
  • Ransomware Susceptibility Checks

Remote Access Assessment

Ease Of Mind From Wherever You Work

Many businesses are now being forced to learn new ways to work, and that has a direct impact on how you set up remote access to your infrastructure. With these changes comes increased risk, and it is critically important that those who are supposed to have access can get their work done without putting your systems at risk.

One of the first things we evaluate is the methods of access you have in place, especially at the administrative level. We evaluate VPN configuration to ensure you are using the appropriate levels of encryption and have the right protocols and best practices in place, ensure that MFA and other security controls are enforced, review procedures and documentation, check that administrative systems and their access paths are properly protected (e.g., SSH or RDP only over VPN), and review cloud application and production configuration.

Security Audits

Meeting All Your Regulatory Requirements

A security audit is an integral part of any business, and security measures are of little use if they are not enforced. A security audit assesses how effectively your organization's security policies are being implemented, and our audits will show you where gaps and vulnerabilities might exist in your current systems and procedures.

IT security services emphasize cybersecurity guidelines and policies that ensure that your compliance requirements have been met. The audit covers your employees’ devices and your organization’s infrastructure. However, that is not the only aspect of information security that it covers.

A cybersecurity audit focuses on security policies and guidelines. It ensures that your statutory regulations have been met and provides a 360-degree audit of your organization's security. The audit evaluates the following:

Data Security

A data security audit starts with a complete review of your network access control. Auditors will also check whether you use encryption and how your data is secured during transmission and storage.

Operational Security

The IT security services look at the security policies in place. They also examine the security controls, processes, and procedures in your data loss strategy.

Network Security

Auditors review your security protocols and network controls. They will check that your antivirus configurations and security monitoring capabilities are functioning correctly.

System Security

The auditor will ensure that your hardening process is working effectively. They will also check the patching processes and role-based access.

Physical Security

In the last stage of an audit, the auditor reviews the biometric data, role-based access controls, multi factor authentication, and disk encryption.

Security Program Assessment and Maturity Scoring

Align Your Security With Industry Best Practices

Our goal is to help you optimize your security program so that it properly aligns with industry best practices. When developing a maturity model, the industry (both in the United States and abroad) has therefore borrowed from NIST CSF, ISO/IEC 27001, and other frameworks to develop models that help organizations better assess their current state of affairs. For instance, the Cybersecurity Capability Maturity Model (C2M2) developed for the Department of Energy and the NIST CSF are often used together to evaluate 10 domains, providing a measurement for each one to help organizations identify areas of weakness and strength. These domains include:

  1. Risk management
  2. Asset, change and configuration management
  3. Workforce management and cyber security program management

We also focus on NIST CSF, which represents five cyber security functions that are evaluated during this process.

The CSF denotes a progression expressed as "tiers" that reflect a move from informal, reactive responses to approaches that are agile and risk-informed, essentially indicating maturity level. That said, you can clearly see how using NIST CSF alone would be inappropriate and bordering on professional negligence, because doing so specifically goes against NIST's own recommendations on the use of the CSF, and the domains against which we would evaluate your organization's security program would be woefully inadequate.

This is further complicated by the fact that most of the models currently in use are “self assessments”, and this reality brings with it significant objections in that the assessment could be biased due to the subjective nature of the process, which should be avoided.

Our Security Program Maturity Assessment (SPMA) fulfills your needs by serving as an objective 360-degree audit or gap analysis of your security program that utilizes cybersecurity best practices and globally recognized cyber frameworks, including NIST 800-53 controls and others used by the US Government and our allies, as well as industry leaders, to fully answer important questions surrounding your existing security program, which then can effectively serve as an efficient and affordable pathway forward for positive change.

The SPMA assesses compliance with several industry requirements, as well as the following control sets and frameworks:

  • Center for Internet Security Top 20 Common Security Controls (CSC20)
  • NIST Cybersecurity Framework (NIST CSF)
  • NIST Special Publication 800-53 (NIST 800-53)
  • NIST Special Publication 800-171 (NIST 800-171)
  • Department of Energy Cybersecurity Capability Maturity Model (DOE-C2M2)
  • ISO/IEC 27001:2013 (ISO 27001)

Each of these control frameworks maps to the others, and together they are designed to provide a structure with which a security program can measure its maturity and effectiveness, now and for the future.

The goal of the SPMA is threefold and falls squarely within your requirements:

  1. It objectively evaluates your current program using a comprehensive set of questions and statements to produce a numerical score that identifies whether your model is currently an untapped growth opportunity, functional but in the developing stage, operational but with areas that are untapped and require further growth, or fully aligned.
  2. It demonstrates to those unfamiliar with cybersecurity operations that you have considered all that you should, or that you intend to build a capability.
  3. It demonstrates how you are actively managing the cyber risk of your organization.

These results are delivered in the form of a written assessment that clearly outlines your current posture in plain English and consists of the following:

  • A comprehensive roadmap for your organization
  • Key strategic, operational, and tactical/technical recommendations
  • Observations by our SMEs for your SMEs
  • A detailed report to help non-technical management and decision makers
  • Identified gaps and focus areas
  • Actionable items as A, B, C, D, and E priorities
  • A one-page summary analysis and scorecard including a CMMI level rating

The report is intended to address the highest impact and risk areas, and give your subject matter experts detailed information for implementation within your organization. It can be delivered in person, as needed.

Gramm-Leach-Bliley Act (GLBA) Assessment

Your Customer Data Has Never Been In Safer Hands

We are very familiar with the Gramm-Leach-Bliley Act (GLB Act or GLBA), which is also known as the Financial Modernization Act of 1999. Under the act, you have several obligations in terms of how you protect private information, including how you facilitate which information, if any, you are permitted to disclose or retain for future use based on the owner’s choices. As you are aware, the Department of Education is aggressive at ensuring the confidentiality, security, and integrity of student and parent information as it relates to the federal student aid programs. Thus, our GLBA Assessment is specifically designed to evaluate your security policies and the effectiveness of your internal controls to prevent unauthorized access or disclosure of sensitive information to third parties that falls under GLBA’s authority.

Our Assessment, in part, utilizes or otherwise pulls elements from the “Interagency Guidelines Establishing Information Security Standards” as outlined in the following standards:

  • FDIC: 12 CFR Part 364 Appendix B
  • FRB: 12 CFR Part 208 Appendix D-2
  • NCUA: 12 CFR Part 748 Appendix A
  • OCC: 12 CFR Part 30 Appendix B

It is further informed by:

  • GLBA Safeguards Rule
  • Identity Theft Red Flags Rule
  • FERPA
  • Federal Trade Commission (FTC) policies
  • State Privacy Laws
  • International Laws (for global students)

Our comprehensive GLBA Risk Assessment reviews compliance against these, the FSA Program Participation Agreement (PPA), as well as two provisions in the Student Aid Internet Gateway Agreement (SAIG) where applicable, and is conducted per 16 C.F.R. Part 314. Further, we evaluate your program against core elements of a GLBA Risk Assessment including, but not limited to:

  • Identifying possible threats to customer data
  • Assessing the risk of those threats
  • Assessing the sufficiency of controls

Key requirements of the Safeguards Rule include evaluating the following:

  • Written Information Security Program
  • Written Reports to the Board of Directors
  • Periodic Risk Assessments
  • Access and Authentication Controls
  • Encryption of Customer Information at Rest and in Transit
  • Designation of a Qualified Individual
  • Multifactor Authentication
  • Data Retention and Disposal

Per 16 C.F.R. Part 314 (the Safeguards Rule) and other policies, we will document your organization's current safeguards for each risk and offer recommendations or actionable items where required. The process includes, but is not limited to:

  1. Identify Data & Assets
  2. Identify Threats
  3. Assess Risk
  4. Evaluate Current Controls
  5. Evaluate Risk Management Plans
  6. Validate Control Sufficiency
  7. Make Recommendations
