
Penetration Testing Services FAQs
How will you tell me what the findings of my penetration test are?
We are communicative and consultative. During the engagement, we’ll periodically update you with the findings so far – both positive and negative. When we identify critical severity flaws, we will let you know immediately. At the end of the engagement, you receive a summary of all findings.
Will you help me to remediate vulnerabilities identified during the penetration test?
We will give you custom remediation guidance for every vulnerability that we identify during the test. If you have constraints, we work with you to understand those and propose an appropriate solution to any given vulnerability.
What is black box testing?
In a black box test, clients do not provide information about their infrastructure other than a URL or IP, or in some cases, just the company name. Black box penetration tests provide a simulation of how an attacker without any information, such as an internet hacker or a nation-state-sponsored attacker, could exploit the environment.
What is white box testing?
White box penetration testing is almost the opposite of blind/black box penetration testing. Penetration testers are given access to the source code and relevant design documentation which applies to the application being tested. Penetration testers can perform static testing using source code analysers to identify vulnerabilities. They are then able to compile the application and run it within a sandboxed environment, making use of dynamic testing using debuggers and common application testing tools. As a result, white box testing offers one of the highest levels of technical assurance.
What is grey box testing?
A grey box test is a blend of black box and white box testing techniques. In grey box testing, clients provide snippets of information to help with the testing procedures. This results in added breadth and depth, along with wider testing coverage than black box testing. Grey box penetration tests provide an ideal approach for clients who want a cost-effective assessment of their security posture.
What are the 5 stages of penetration testing?
The five stages of a typical penetration test are:
- Planning and reconnaissance – defining scope and goals, and gathering intelligence.
- Scanning – identifying open ports and potential vulnerabilities.
- Gaining access – exploiting flaws to test entry points.
- Maintaining access – determining whether a persistent presence is possible.
- Analysis and reporting – compiling findings and remediation recommendations.
LRQA follows industry-recognised methodologies for all pen testing engagements.
Can I combine penetration testing with MDR services?
Yes, penetration testing can complement Managed Detection and Response (MDR) services. While pen testing simulates attacks to uncover weaknesses, MDR offers real-time detection and response. Combined, they provide a layered approach to cybersecurity: identifying, monitoring and mitigating threats continuously.
Is LRQA’s pen testing CREST certified?
Yes, LRQA’s penetration testing services are CREST certified, assuring our clients that testing is conducted to the highest technical and ethical standards by qualified professionals.
What types of penetration tests does LRQA offer?
LRQA offers a wide range of penetration testing services, including:
- Network Penetration Testing (internal and external)
- Web Application Testing
- Mobile App Pen Testing
- Wireless Network Testing
- Social Engineering and Phishing Simulations
- Penetration Testing as a Service (PTaaS)
We tailor each pen test to your organisation’s risk profile and compliance needs.
Penetration Testing-as-a-Service (PTaaS) FAQ
What is traditional assurance?
Traditionally, assurance exercises are conducted at a point in time. For example, a penetration test may be conducted annually, as a spot check for vulnerability levels. Findings may then be remediated, root causes identified, and changes made. However, this only provides strong assurance at that point in time and those assurance levels start to reduce as soon as the activity ends.
What is attack surface management?
Attack Surface Management (commonly abbreviated to ASM) is a proactive cyber security strategy focused on identifying, monitoring and reducing the attack surface of an organisation.
What services constitute a continuous assurance program in cyber security?
As a minimum assurance package, we suggest that Attack Surface Management and Continuous Penetration Testing together create a cycle of ‘always-on’ Continuous Assurance. This ensures you gain assurance against both known and unknown assets throughout the year.
Mobile Application Penetration Testing FAQ
What is your lead time for a mobile application penetration test?
We have a team of expert mobile application penetration testers and they are always in demand. We match internal training and recruitment with external demand as efficiently as possible. We aim to be able to commence mobile application penetration tests within two weeks. Where there is urgency, we can discuss meeting your deadlines.
How long does a mobile application penetration test take?
The length of a mobile test very much depends on the complexity of your requirement and the level of assurance you require. Most mobile tests are at least three days per application. We are providing a manual penetration testing service rather than an automated scan. Speak to one of our experts to get a bespoke proposal for your mobile application test.
What is your mobile application penetration testing methodology?
Our mobile testing methodology follows the key phases of reconnaissance, enumeration, discovery, exploitation and post-exploitation. We do use automated tools in places to achieve breadth of coverage, but most of the value comes from manual penetration testing, which provides depth of coverage and is where we spend most of our time. We are happy to provide more detailed information on request.
How will you tell me what the findings of my mobile application penetration test are?
We are communicative and consultative. During the engagement, we periodically update you with the findings so far – both positive and negative. Where we identify critical severity flaws, we will let you know immediately, and follow up in writing. At the end of the engagement, you will receive a summary of all findings. By the time you receive your in-depth reports, you will have no surprises: we communicate as we go. After the delivery of the reports, we are more than happy to give you technical and executive-level debriefs.
Finally, you have full access to our team of mobile application penetration testers after the engagement has been completed. We are here to answer any security questions you may have in the future.
Will you help me to remediate vulnerabilities identified during the penetration test?
Our team of mobile application testers understand how to build applications, as well as how to break them. We will give you custom remediation guidance for every vulnerability that we identify during the test. If you have constraints, we will work with you to understand those and propose an appropriate solution to any given vulnerability.