Penetration Testing Services

Discover vulnerabilities by thinking and acting like a real hacker

The best defense is a good offense

Organizations use Penetration Testing for a variety of reasons. Often it’s to fine-tune their security devices, satisfy rigorous compliance requirements, or properly test the effectiveness of their blue teams. Regardless of the reason, performing penetration testing correctly using real attack techniques remains more important than ever.

Uncover hidden risk

If there’s an obscure security vulnerability in your system, you can rest assured a malicious hacker will eventually find it. Raxis engineers use the same tools and techniques that the bad guys do, and we’ll help you stay one step ahead.

Strengthen security posture

You’re following cybersecurity best practices, but how do you know you’ve covered everything? Using the perspective of an outsider, we’ll take a close look to be sure.

Reduce exposure time

According to IBM, it takes an average of 277 days to identify and contain a data breach. The average cost of a data breach is $4.35 million. A Raxis penetration test can detect potential points of entry before it’s too late.

Protect your brand

Building customer confidence takes years of effort, and customers want to know that you’re staying secure. Penetration testing, and the resulting attestation letter, is a great way to show that your operation is doing everything it can to keep their data safe.

Adhere to regulatory requirements

Penetration testing is an essential component of several regulatory and compliance frameworks, including PCI, HIPAA, GLBA, SOC 2, ISO 27001 and many others.

Justify cybersecurity spending

Safely demonstrating the effects of a real hack against your infrastructure is a highly effective method to justify the investment in cybersecurity.

Penetration Testing built for you

Raxis will actively work to uncover and exploit vulnerabilities in order to gain unauthorized access across any type of technology. That’s how we keep the malicious hackers out of your network.

External

A popular choice for customers with an internet presence. We’ll take a close look at your internet facing systems (including cloud hosted) and use our hacking skills in an attempt to safely breach your network perimeter. This is not a vulnerability scan, as our penetration testers will attempt to breach your perimeter, pivot to other opportunities, exfiltrate critical data, obtain and crack password hashes, and demonstrate how a foothold would be maintained.

Internal & VPC

The internal network pentest is a popular choice among larger organizations as it simulates the impact of a malicious insider. Raxis examines your corporate network closely for vulnerabilities ranging from unpatched software to system misconfigurations. We support all types of internal networks, including Virtual Private Cloud (VPC) solutions. If hashes are obtained, a password crack attempt using our hashcat GPU cluster is performed for a password analysis.

Web Application

Our diverse team draws from a well of experience to find application flaws in websites and application services that could allow hackers to attack your business. The application, its database and runtime platforms, API calls, and input/output parameters are specifically targeted to provide a holistic assessment of your security posture. All exploits are thoroughly documented in the report with additional guidance for management and technical leadership.

Wireless

Wireless penetration testing is critical to perform, and many organizations skip this area with the assumption it is secure since they are using WPA2. However, misconfigurations and weak passwords are far more prevalent than expected due to the large number of access points that are needed to power a sizable network. To help you become more secure, Raxis wireless penetration testing dives deep into the wireless environment using the same attack tools that malicious hackers use today.

Mobile

Using a combination of emulators and dedicated hardware, Raxis puts your mobile application to the test on both the Android and iOS platforms. Similar to the Web Application assessment in workflow, the mobile assessment adds an emphasis on device security, platform configuration, mobile API elements, credential management, and data compartmentalization. In most cases, we will use our own jailbroken devices for testing.

API

APIs come in many flavors but often are plagued by similar vulnerabilities. Using blended attack techniques, Raxis scrutinizes each API call for anomalies through direct interaction and by manually manipulating application data in flight with advanced testing tools. Potential insertion points are thoroughly tested and verified with a focus on session management, data integrity, and parameter fuzzing.

IoT

Internet of Things (IoT) and Embedded Systems are more prevalent in our connected world than ever before. We’ve tested cable modems, physical access controls, surveillance cameras, and more. These embedded devices power our IoT connected world and, unfortunately, often contain vulnerabilities. Maybe it’s due to a proprietary network stack or because they’re running outdated code, or maybe the design gaps reflect a lack of industry standards. Maybe all of the above. No matter the reason, we’ve exploited devices and embedded controllers even as their designers have said it was impossible.

Operational Technology

Raxis Operational Technology (OT) penetration testers are experienced in all types of controllers, including SCADA systems used by power generation, logistics, water treatment, oil platforms, and transportation. We’ve flown all over the world and even undergone HUET safety training. As the PLC, RTU, HMI, and other systems are often forgotten while deployed in the field, security gaps are prevalent at all levels. Finding the vulnerabilities is usually the hardest part of the battle, and our process doesn’t leave any stone unturned. We perform OT penetration testing both onsite and remotely using Transporter to securely interface with the private side of the network.

Penetration Testing yields more accurate, realistic results

Many of our competitors dress up a vulnerability scan and market it as a penetration test.

The Vulnerability Scan, or vuln scan for short, is a security assessment conducted using a software tool, and the output is an automated report. Vulnerability scans are used to meet regulatory requirements or ensure security controls are working. They have a purpose and are often done before a penetration test, but they may miss misconfigured elements only an expert could find.

Penetration Testing is performed manually by an engineer and uncovers security risks that the vulnerability scan simply can’t see: for example, a nested critical vulnerability that is hidden behind a moderate exposure, an unconfigured data form or a business logic error that the scanner didn’t realize provided critical access. This additional visibility significantly reduces the ability of malicious hackers to compromise systems.

The basics of Penetration Testing

Our highly skilled engineers utilize the same tools, techniques, and quick thinking as malicious hackers to infiltrate and safely compromise a small portion of your data in a controlled, secure manner.

Scope

Your penetration test will need to be scoped to include any internet connected system that handles data important to your organization. If you’re looking to meet requirements for an audit such as PCI, we’ll need to make sure that any systems specified in the audit are covered in your pentest scope.

Pricing

Typically, Raxis bases charges on the number of IP addresses that are deemed in scope. This only includes systems that you confirm are online. If we are not provided a definitive list of online systems and need to discover them, such as with a black box pentest, then additional charges may apply. If you have a budget in mind along with the goals of your penetration test, we’re happy to discuss options on how we can accommodate your needs.

Timeline

The actual work duration for penetration tests can range from 3 days to several weeks. Keep in mind we can be booked out for several weeks at a time during the busy season, so please schedule your penetration test as soon as you can to hold the timeslot. PTaaS on-demand pentest services can often be scheduled faster.

Quality Engineers

The advantage of working with a highly focused penetration testing team is evident in the quality of our deliverables. Ask for a sample report if you’d like to see what we can do. Remember, when we find security gaps, you get to fix them before they are exploited.

Reporting

Raxis reporting has been considered to be “top-notch” by our customers for many years. You’ll find a detailed analysis of your external environment, a play-by-play storyboard that details everything we tried, screenshots of the output provided by our hacker tools, and a clear remediation plan.

Re-test

Sometimes compliance requires a re-test be performed to validate the remediation. We’ll include the re-test with your scope to make sure that you’re protected from cyber threats as well as adhere to compliance standards.

F.A.Q.

Frequently Asked Questions

  • What is penetration testing?

Raxis specializes in providing Penetration Testing services to companies looking to fine-tune their security defenses. Our team simulates real-life cyber attacks to uncover any weaknesses and vulnerabilities in your systems. Through our in-depth tests, we can identify any potential exploits and provide you with a detailed report of our findings to help you improve your defenses. Let us help you stay one step ahead of cybercriminals and protect your valuable information.

  • Why use Raxis for penetration testing?

The Raxis Penetration Testing team is second to none at pinpointing real world security risks by using the same tools and techniques as a malicious attacker. We’re all in the United States (with many of us based in Atlanta), most of us have at least 10 years of experience, and pentesting is our primary expertise. With so many technology defenses prevalent today, a pentester must understand every aspect of security and the latest techniques to bypass those many controls. The Raxis crew never stops learning the latest exploits, and we have a ton of fun sharing our knowledge. We don’t do checkbox security, and we never will.

  • Why do companies need penetration testing?

Businesses and organizations alike require penetration testing to assess the integrity of their security measures, identify any potential weaknesses, and validate the necessity for increased cybersecurity budgets. In today’s ever-evolving digital landscape, it is crucial to stay ahead of potential threats by conducting thorough and effective pentests with a trusted partner like Raxis. From uncovering hidden vulnerabilities to highlighting the importance of continued investment in security, Raxis offers valuable insights and support to protect your business and its sensitive information.

  • Is penetration testing a one-time process?

Although penetration testing can provide valuable insights into a company’s security measures, it should not be a one-time occurrence. In order to stay ahead of evolving threats, regular and ongoing testing is necessary to continuously monitor and assess the effectiveness of these measures. This allows for necessary adjustments and improvements to be made in real-time, ensuring that a company’s data and assets are protected at all times. By viewing penetration testing as an ongoing process, businesses can stay constantly vigilant and prepared for potential cyber attacks.

  • What does it mean for a penetration test to be in a timebox?

While malicious hackers may have all the time in the world to attempt to break into your systems, our tests are scoped for a certain amount of pentesting hours — the timebox. Our engagement ends with a report that clearly explains what Raxis accomplished during the time of your test and what you can do to make your environment more secure against a malicious hacker attempting the same things.

  • Why does Raxis ask for information about my network and systems before scoping my pentest?

Raxis specializes in Penetration Testing for companies of all sizes with varying network landscapes and unique goals. We work closely with your team to create a personalized quote that meets your specific needs and stays within your budget. Our comprehensive approach ensures that no areas are overlooked and all vulnerabilities are identified, giving you the information you need to make informed decisions about your cybersecurity.

  • Is penetration testing legal? Do you break the law?

At Raxis, we take pride in our ethical and legal standards. That’s why we have clear contracts outlining the boundaries of our work. We have a strict policy against damaging or destroying any of our customers’ property. Our goal is not to cause harm, but rather to expose potential vulnerabilities that can be exploited by real hackers. We provide valuable insight and education to our customers so they can take necessary precautions to prevent cyber attacks. Our agreements are known and approved by company leadership, ensuring transparency and consent. We believe in operating with integrity and always prioritize the well-being and safety of our clients.

  • Are there rules that penetration testers follow?

It is of utmost importance for penetration testers to adhere to strict rules and regulations. Our main focus lies in maintaining the system’s uptime and ensuring data integrity. We make it a priority to avoid causing any actual damage, unlike malicious hackers. Furthermore, when collecting proof of access, we take extra precautions to obscure any sensitive data. Of course, we always operate within the parameters and guidelines set by our clients; however, we also strive to push the boundaries and truly test the limits of their security measures.

  • My application is cloud hosted. How does that work for penetration testing?

At Raxis, we pride ourselves on our thorough approach to penetration testing. Once we have scoped the project, we work closely with cloud providers to inform them of our activities. Our team of experts has completed numerous tests on various platforms, including Amazon AWS/EC2, Microsoft Azure, Google Cloud, Rackspace, and VMware cloud. We have also worked extensively with popular content delivery front ends such as Cloudflare and Akamai. No matter what technology stack our clients have, Raxis will utilize the best methods possible for their specific pentest needs. Our detailed reports will provide valuable insights and recommendations for improving your overall security posture.

  • Why do you download and crack password hashes as part of a penetration test?

Raxis believes that password cracking is a crucial aspect of our thorough and comprehensive penetration testing service. Our skilled team utilizes advanced techniques and tools to assess the strength of your organization’s password policy and the level of enforcement in place. Additionally, our experienced professionals may utilize previously cracked passwords to gain access to other systems, allowing for a more thorough simulated data breach. To ensure the utmost security, Raxis utilizes high-strength encryption to protect all hash data both at rest and in motion. As part of our commitment to privacy and security, once the password cracking process is complete, we ensure the secure deletion of all password hashes. You will receive a detailed summary of our findings, including information on password strength, complexity, and analysis, all provided in a redacted pentest report.

Pivoting makes the difference

Pivoting is critical in penetration testing as it allows for lateral movement within a network, uncovering deeper vulnerabilities and potential attack vectors. By pivoting, testers can gain a more thorough understanding of a network’s security posture and provide more comprehensive recommendations for improvement.

Specifications

Penetration Testing

  • Powered by Raxis One, a secure web interface for all Raxis services
  • Fully capable of working with cloud providers and content delivery networks such as Amazon AWS, Microsoft Azure, Google Cloud, Cloudflare, Akamai, hybrid cloud, and SaaS solutions
  • Utilizes the same tools and techniques as a blackhat hacker
  • Exploitation, pivoting to other in-scope systems, and data exfiltration in scope
  • Executive debrief conference provided, if desired
  • Optional re-test to validate remediation
  • Remote or on-site
  • Based on the MITRE ATT&CK penetration testing framework
  • Meets or exceeds requirements for NIST 800-171/CMMC, PCI, HIPAA, GLBA, ISO 27001, and SOX
  • Available as a subscription service
  • Available as a one-time service
  • NIST 800-53 compliant