Penetration testing quote

Get a tailored penetration testing quote from our CREST-certified experts

  • Delivered by CREST-certified consultants
  • Accurate scoping with no unnecessary testing
  • Tailored to your environment, objectives and risk profile
  • Practical remediation guidance and fast turnaround


    Select your test types

    Tell us what you need tested

    Select the systems or applications you'd like assessed. Our consultants will use this information to provide a tailored quotation based on your requirements.

    Tell us the details

    Web Application

    Authenticated testing grants us access to the application during testing, so we can make legitimate use of all of the application functionality and test for weaknesses in all possible user inputs and pages. Unauthenticated testing, on the other hand, provides no access. Authenticated testing provides the most assurance that the entire application has been assessed for vulnerabilities in depth, whereas unauthenticated testing seeks to verify that a malicious actor with no prior knowledge or access cannot gain entry and/or perform unintended actions.

    Think of a user role as a group or level of permissions given to a user – such as "Read only", "User", "Manager" or "Super Admin". It is best to test all user roles; however, if permissions are granular or there are a significant number of roles, testing a sample of 3 or more common roles is often considered a reasonable approach.

    A dynamic page may be considered a web page with user input (such as user profile settings, system settings, add/create/edit an item or a search page) or a page that can be used to return content from the database (such as viewing an item in an e-commerce application).

    Here are some example workflows in an instant messaging application:

    • User registration, login and reset password
    • Profile management and settings - 10-15 submenus each with 5-20 settings
    • Posting, editing and viewing stories
    • Outbound and inbound calling
    • Creating, managing and joining communities
    • Community chats, calls and posts
    • User chat; create, messaging, archive/delete, chat settings

    API

    Authenticated testing grants us access to the API during testing, so we can make legitimate use of all of the API's functionality and test for weaknesses in all possible user inputs and pages. Unauthenticated testing, on the other hand, provides no access. Authenticated testing provides the most assurance that the entire API has been assessed for vulnerabilities in depth, whereas unauthenticated testing seeks to verify that a malicious actor with no prior knowledge or access cannot gain entry and/or perform unintended actions.

    Think of a user role as a group or level of permissions given to a user of the API – such as "Read only", "User", "Manager" or "Super Admin". It is best to test all user roles; however, if permissions are granular or there are a significant number of roles, testing a sample of 3 or more common roles is often considered a reasonable approach.

    A parameter is a user input within the request, where the API receives data from the client. This may be supplied in the URL or the request body depending on the request method.

    Mobile Application

    A dynamic page may be considered a page with user input (such as user profile settings, system settings, add/create/edit an item or a search page) or a page that can be used to return content from the database (such as viewing an item in an e-commerce application).

    Here are some example workflows in an instant messaging application:

    • User registration, login and reset password
    • Profile management and settings - 10-15 submenus each with 5-20 settings
    • Posting, editing and viewing stories
    • Outbound and inbound calling
    • Creating, managing and joining communities
    • Community chats, calls and posts
    • User chat; create, messaging, archive/delete, chat settings

    External Network

    Accurately specifying the number of expected live hosts within a network range helps us scope the time required to complete the assessment.

    Internal Network

    Accurately specifying the number of expected live hosts within a network range helps us scope the time required to complete the assessment.

    Build Review

    Each operating system may have multiple builds, which would typically be organised by version/release. For example, a large organisation may maintain a Windows 11 2XH1 build as well as a 2XH2 build.

    Cloud Configuration Review

    All three cloud environments, AWS, Azure and GCloud, provide a default set of roles and groups. For example, Azure provides a Global Administrator role by default, and AWS provides an AdministratorAccess role. Please do not include default roles and groups in the answer.

    A resource is an object or service, usually providing compute, storage or communication functionality, that has been created inside the cloud environment. To gather a list of all resources:

    AWS
    Use the Tag Editor, and search for resources within the regions in scope. If enabled, you can also use the AWS Console or the AWS Resource Explorer.
    Azure
    The following command can be used with the Azure PowerShell (Az) module, which replaces the retired AzureRM module:
    Get-AzResource | Export-Csv -Path "C:\Azure Resources.csv" -NoTypeInformation
    Google Cloud
    Resources within a GCloud organisation, folder or project can be listed with the Google Asset Inventory. Browse to the Asset Inventory in the Cloud Console, and filter the search to the organisation, folder or project in scope.