We provide external and internal network penetration testing services, which can help reveal vulnerabilities before “real” hackers do.
● Penetration tests are performed with automation tools and with manual testing by an expert engineer.
● After completing a penetration test, we would uncover your security gaps and give you recommendations for countermeasures.
● We provide post-implementation review to make sure that all our recommendations are implemented and work in the right way.
Types and models of penetration testing that we offer
There are several types of penetration testing. Qualified experts from ESKA can check and test for vulnerabilities of all types across different areas of infrastructure.
Penetration Test and Red Team are two distinct cybersecurity procedures used to assess and enhance the security posture of an organization. While they both involve attempting to exploit vulnerabilities, they differ in scope, approach, and objectives. It's important to note that while penetration tests are more targeted and focus on specific vulnerabilities, Red Teaming takes a broader approach, attempting to assess an organization's overall resilience to sophisticated attacks. Both functions are valuable components of a comprehensive cybersecurity strategy, each providing unique insights into an organization's security posture.
Penetration Test
This guide is based on 8 years of deep experience in cybersecurity, including expertise in software development, building cybersecurity systems from scratch and working with different types of companies from startups/SMBs to enterprises.
Download a Full Penetration Test Guide 2024
Still have some hesitations whether cooperation with us is worth the trouble? Check 6 reasons why you should choose us among other companies!
Experience
We have 8+ years of experience in the Cybersecurity market.
Expertise
We have certified experts who are ready for the most difficult challenges.
Verified
We are trusted by more than 200 companies (including Governments and international corporations).
Up to date
We continually follow the cybersecurity market and use the most modern techniques and tools.
Reliability
ESKA is not just a contractor but your partner, which is why we are always ready to help in the future. We are always focused on relationships and on customer success!
Support
We don't provide just a report with an incomprehensible list of issues. We always manually check each vulnerability, explain how to close it, and give a roadmap and recommendations.
Workflow: how our white hackers work
A penetration test is usually roughly divided into five phases:
Phases 2 - 4 are usually repeated several times. The actual penetration test usually begins with a tool-based scan of the network.
Methodologies we use
Stage 1. Preparation
Research of all artifacts and resources related to the customer (domain names, IPs, 3rd-party resources), including from the Darknet. Coordination of test objectives, scope, test methods, and devices.
Stage 2. Scanning phase
At this stage, we are looking for open paths to computers and resources. The system is "touched" for the first time. Here we are attempting to obtain information from different sources.
Stage 3. Enumeration
This phase often runs at the same time as stage 2. Its goal is to get real, useful information through the security check. To carry out the attacks successfully, it is necessary to obtain the most accurate information possible about the system. At this stage, we search for suitable exploits, conduct detailed network analysis, hash cracking, and coordinate further attacks.
Stage 4. Exploit phase
The vulnerabilities found must now be exploited to carry out real attacks on the system. In this way, existing security gaps and weak points are revealed. Here we conduct the verification tests (exploitation of vulnerabilities, circumvention of security measures and active intrusion, man-in-the-middle attacks, post-exploitation, etc.)
Then we repeat stages 2 to 4.
Stage 5. Evaluation and reporting
To be able to realistically assess the actual security situation, a detailed and comprehensive report is necessary. Management can derive appropriate measures from the management reports to achieve proper IT security. During the final analysis, we evaluate and document the results, prepare the summary and presentation, list the weak points, and give recommendations for countermeasures.
Stage 6. Post-implementation review
We will provide specific recommendations for the further actions required and support you in their implementation if needed. We will check all corrections and improvements to make sure that our recommendations work in the right way.
After performing penetration testing we present you with a comprehensive report on vulnerabilities that were found, how they could be exploited by cybercriminals and how to patch security issues.
Which industries would benefit from a penetration test?
If you are not sure how secure your IT environment is and would like to know where the back doors in your system are, if you want to prove that data security is important to you, and if you would like to show that the company's management handles IT security properly, conscientiously and professionally, then penetration testing is the right option for you.
Medical institutions
Medical information is highly valued by hackers and includes such personal data as social security numbers, billing information, insurance numbers, codes of diagnosis, etc. Medical institutions that care about their patients' safety should consider the performance of regular penetration testing so they and their patients can rest assured that their data is safe from intruders.
Financial institutions
Organizations providing financial services have strict security guidelines. As a constant target of hacker attacks, financial institutions have to guarantee a high level of security for client transactions while ensuring their confidentiality and integrity. Besides providing customer security, banks need penetration testing to comply with international certifications, like PCI DSS.
Startups
When launching a new product, each company should assure its users of the overall safety and high security of their personal data storage. The results of a pentest are the best assurance of user safety within your business.
Big enterprises
Hackers' attacks may lead to security breaches compromising the sensitive data of your company, which would result in serious reputational damage and the loss of trusted clients. The company's reputation costs much more than a penetration test, which could nip potential security breaches in the bud.
Entertainment industry
The entertainment industry is a tidbit for hackers since it holds a lot of attractive data, from content yet to be released to the sensitive information of service subscribers. Companies should conduct regular pentests, finding even the smallest loopholes in cybersecurity so they don't become a glaring tunnel for a breach of clients' data. Also, a pentest is a necessary step in obtaining the TPN certification.
Case Studies
Each month, we successfully close our projects. Here is the list of our recent ones.
The innovative startup that provides the people management solution for the SMB market launching sales on the Enterprise level.
Our customer, a young startup with a strong customer case, asked us to conduct testing and provide an independent report on their vulnerability assessment. The web application was evaluated, and we provided it with a detailed report on its security status. In the future, that report helped them confirm their level of security and raised the level of trust of their future customers.
A financial company that provides investment services decided to improve its security.
An international investment services company is constantly working with customers' crucial data and must ensure their security and safety. ESKA has assessed the entire infrastructure of the company using black-box testing. Our white hackers have been able to find compromised user accounts and potential vulnerabilities as these accounts can be stolen. In the future, the company was able to significantly increase the level of security and ensure the security of its customers.
The Logistics company wanted to check their already built mobile application before launch.
A dominant logistics provider finished their new mobile application, developed by a 3rd-party contractor, and requested a check of its security level. Our white hackers were able to check the mobile application's logic and weak points in the code and provide recommendations for the mobile application's architecture and code security levels. As a result, our customer got confirmation of the level of protection of the mobile application, recommendations for improving the level of security, and an assessment of the contractor's qualifications.
Health Care medical center request for Wi-Fi penetration test
A medical center that has public Wi-Fi Access Points in places of concentration of visitors needed to check their secure perimeter and network security vulnerabilities. The test was made in two steps: Public internet SSID test and an internal corporate network test. The result provided recommendations and steps for increasing corporate network security.
How secure computer systems and networks are can only be found out through realistic IT penetration tests, which reveal all possible gaps. After we complete a penetration test, we would uncover your security gaps before the hackers get to exploit them. As a result:
We will discuss specific recommendations for your further actions required and support you in the further procedure even after the review.
FAQ
In this block, you will find answers to the most popular questions of our customers. Didn’t find what you need? Just send us a request.
A week rarely goes by without reports of attacks on sensitive systems. It results in financial damage, and the reputation and trust of customers and partners crumble.
To protect yourself against attacks, adequate countermeasures must be taken at different levels. Well-trained employees and processes that also take IT security into account are essential for effective protection. However, above all, the security check through a penetration test by an independent third party is an effective means.
So, what exactly is a penetration test? A penetration test is an authorized, planned, and simulated cyber attack on a company or a public sector institution. The aim is to identify and eliminate previously unknown points of attack before hackers can use them to steal intellectual property or other sensitive data or otherwise damage an organization.
During the penetration test, trained testers attempt to attack your IT systems using the methods of criminal hackers to determine the vulnerability of systems, after which appropriate protective measures can be taken.
What are the types and models of penetration testing?
External network penetration testing. Anything exposed to the Internet needs some form of security testing. If an external host is compromised, it can lead to an attacker digging deeper into your internal environment. External network penetration testing is focused on the perimeter of your network and identifies any deficiencies that exist in the controls that protect against remote attackers targeting the Internet-facing systems in your environment. When performing external penetration testing, our penetration testers mimic real scenarios as best as possible to root out all potential vulnerabilities. Our external network penetration testing techniques include the following:
● Port scans and other network service interactions and queries
● Network sniffing, traffic monitoring, traffic analysis, and host discovery
● Spoofing or deceiving servers via dynamic routing updates (e.g., OSPF, RIP spoofing)
● Attempted logins or other use of systems with any account name/password
● Use of exploit code for leveraging discovered vulnerabilities
● Password cracking via capture and scanning of authentication databases
● Buffer overruns/underruns
● Spoofing or deceiving servers regarding network traffic
● Alteration of running system configuration except where denial of service would result
● Adding user accounts.
Internal network penetration testing. Whether it’s disgruntled workers, previously terminated employees, or someone trying to steal trade secrets, there is a high chance of potential internal threats. Even without malicious intent, simple configuration issues or employee mishaps can also result in a network compromise, leading to the majority of attacks originating from within. Our internal network penetration tests target the networked environment that lies behind your public-facing devices. This service is designed to identify and exploit issues that can be discovered by an attacker who has gained access to your internal network:
● Internal subnets
● Domain servers
● File servers
● Printers
● Network devices
● Phones
● Buffer overruns/underruns
● Workstations and laptops
Web applications penetration testing. Web applications are unique constructs, mixing various forms of technology and providing an interactive front for others to use. Some web applications are made public, while others might be internal applications existing on an intranet. No matter the location, there are always security variables. How well does your application handle input? Does it work with backend servers in a secure manner? Will your session management scheme hold up to penetration testing? Web application penetration testing tests for the following:
● Application logic flaws
● Forced browsing
● Access and authentication controls
● Session management
● Cookie manipulation
● Horizontal escalation
● Vertical escalation
● Brute-force password guessing
● Poor server configuration
● Information leakage
● Source code disclosure
● Response splitting
● File upload/download attacks
● Parameter tampering
● URL manipulation
● Injection attacks for HTML, SQL, XML, SOAP, XPATH, LDAP, Command
● Cross-site scripting
● Fuzzing
White box, gray box, black box: what is the difference?
Dealing with the client's security system, we can take different approaches which include color-based assessments.
Black Box
Black box tests are the most common and preferred by multiple organizations since analysts work at the same level as a typical hacker. The pentester does not know the details of the evaluated system in advance. The Black Box tests determine and detail the vulnerabilities in an exploited system from the outside. At a technical level, this type of testing relies on dynamic analysis of the programs running inside, as well as of the networks.
While this kind of testing can be extremely fast, depending on the pentester's ability to find vulnerabilities, as well as implicit network failures, it has a downside. It implies that if the analyst fails to penetrate the perimeter - the failures found inside will remain hidden.
White box
Contrary to gray-box or black-box tests, white-box tests have full access to the source code of a system, as well as to the architecture, infrastructure, and documentation. In this sense, these kinds of tests take the longest, since the analysts must sort through an immense amount of information to find what is truly useful for the mission. One of the flaws of this kind of test is that deep knowledge of the system can create blind spots, so the analysts may overlook actions that a hacker without such knowledge might take.
However, this is not a realistic attack, as the cybercriminal may not have all the attack details.
Gray box
A Gray Box test is a step up from a Black Box test, where the analyst has the same network access as an average system user. The Gray box test starts with incomplete information on the attacked system. This can be some key data, network topology, operating systems, their version, etc. Typically, this information will have a logical balance and can simulate what a cybercriminal would have after studying the system for a while.
In this sense, the analyst has more knowledge about the network infrastructure and architecture and has greater privileges, which can help implement a much more focused and efficient analysis. This also helps to generate simulations of persistent threats within a system, to evaluate the response capacity of users. The Gray box methodology allows deeper penetration and more exhaustive testing than the black box, without totally discarding the simulation element.
How much does a pentest cost, and what influences its price?
The price for our service results from the size and complexity of the pentest. The scope of the test objects and networks, the license fees for the scan tools used, and the nature of the tests affect the costs. If the follow-up tests are necessary, it also adds to the overall price. We discuss all the pricing criteria and create your non-binding offer in a personal consultation.
It is recommended to conduct penetration testing at least twice a year, but the optimal frequency is determined after an analysis of the particular business. By default, you will receive our final report within 1-2 weeks of completing the penetration test. If an earlier transmission of the results is required, please let us know in the joint kick-off meeting. For time-critical projects, we will be happy to provide you with our results earlier, if possible.
After completing the pentest, you will receive a final report, which is divided into different sections:
Management summary
Here you get a non-technical summary of the project and the identified findings for the management level. All critical findings are concisely summarized.
The procedure, scope, and tools
It is a detailed description of the test methods used, the analyzed test object and scope, as well as the tools and scripts used during the pentest.
Findings and Actions
An important part of our final report is the detailed, technical description of all identified findings. You will also receive a comprehensive recommendation on how to fix each vulnerability, suitable for technical personnel (such as developers or administrators).
Standardized risk assessment
To assess our findings, we follow well-known standards such as the OWASP risk assessment method. The risk of a vulnerability is based on the probability of occurrence and its impact.
If you are interested in a network penetration test, we would be happy to provide you with a free quote. All you have to do is leave your contact information and data about your company in our contact form, and we will contact you as soon as possible.