Security Testing.

Comprehensive security checks to strengthen your IT infrastructure and protect your systems and data from potential attacks.

How effective is your cybersecurity concept?


In a world where digital threats are constantly on the rise, security is of paramount importance. Our mission is to protect your systems and data from potential attacks. With comprehensive security assessments ranging from pentesting to red-teaming, we identify vulnerabilities and provide customized solutions to strengthen your IT infrastructure. Our experienced team uses state-of-the-art techniques and tools to ensure that your applications, networks and systems are optimally protected. In addition, our experts actively shape official penetration test standards. Put your trust in our expertise and let us take your digital security to the next level. Discover our services and find out how we can help you meet your security requirements. Your security is our priority.

Security tests play an essential role in today’s threat situation. Cybercriminals are constantly developing new methods to exploit vulnerabilities in systems. The challenge is to recognize and eliminate this constant threat to ensure the security of sensitive data and systems. Our experts identify your potential vulnerabilities and take preventative measures to better protect against potential attacks.

“White hat”, “ethical hacking” or “pentesting” are terms that describe an authorized method of identifying potential threats and vulnerabilities in an application, system or a company’s infrastructure. Ethical hackers bypass the implemented security measures of a target object and search for vulnerabilities that could be exploited by criminal hackers. To do this, they draw on their expertise and personal skills in IT security, just as criminal or “black hat” hackers regularly do. The resulting information is then used to improve the security of the system or network and avoid potential attack vectors. The profession of “white hat hacker” developed with the rise of cybercrime. Ethical hackers usually undergo several years of professional training.

Ethical hackers must follow a number of rules to distinguish themselves from their counterpart, the black hat hacker:

They must prepare a report and inform the customer and, if possible, the software developer or hardware manufacturer of any security vulnerabilities they find in the software or hardware.

They have the specific task of examining a network and identifying potential security risks.

As far as possible, they should respect the privacy of individuals and the company.

Ethical hackers complete their work in compliance with regulations and do not leave any security gaps open that an attacker could later exploit.

Highly qualified tests by our team of experts.

Our cybersecurity experts know the current penetration test standards inside and out, not least because they are actively involved in their design. We guarantee diligence, reproducibility and transparency in our projects. We combine this with creativity and with our experts' average of over ten years’ experience as ethical hackers, backed by numerous certifications.

  • OSSTMM (Open Source Security Testing Methodology Manual)
  • OWASP Testing Guide
  • IS penetration test according to BSI guidelines
  • IS web check according to BSI guidelines
  • NIST 800-115
  • PCI DSS
  • ISO/IEC 27008 Technical Compliance
  • TIBER-EU Framework (TIBER-DE) Threat Intelligence-based Ethical Red Teaming
  • i-Kfz minimum security requirements
  • IEC 62443-4-2 TeleTrusT test scheme
  • Smart Meter Gateway penetration tests (BSI TR 03109-6 & TR 03145-1)
  • Configuration audits according to manufacturer or internal specifications
  • Office IT (servers, clients, printers, etc.)
  • Telecommunications IT (fax, VoIP, PBX, hard- and softphones, etc.)
  • Applications (web, client applications)
  • Network technology (firewalls, IPS/IDS, routers, switches, WLAN, Bluetooth, VPN)
  • Operating systems (Windows, Linux, BSD-based or Unix-like such as AIX, etc.)
  • Virtualization solutions, directory services, network storage
  • Critical infrastructures and industrial Ethernet (OT, ICS, SCADA, PLT, PLC, SPS, DPC, RTU, smart meters)
  • Cloud-based solutions
  • Networks classified as RESTRICTED or SECRET

Key Benefits.

High discretion

We operate with the utmost care and confidentiality as required for top-secret environments. Our Ü3 security-cleared testers provide secure VSA-compliant hardware and processes.

Recognized standards

Our experts contribute to the implementation of internationally standardized methods such as the Open Source Security Testing Methodology Manual and BSI IT baseline protection.

Individual solution consulting

We place a strong focus on delivering actionable results that are tailored to your specific needs. We also provide you with comprehensive advice on the implementation of technical countermeasures.

BSI-certified IT security service provider

We enjoy the full confidence of the BSI and our services meet the highest quality and security requirements in the field of IS penetration testing.

Industry experience.

  • Public administration
  • Defense
  • Critical infrastructures
  • Automotive industry
  • Aviation
  • Financial services
  • Telecommunications, media, technology (TMT)
  • Healthcare
  • Trade / eCommerce

Use cases.

In a national public administration process, vulnerabilities needed to be identified. The main challenge with this penetration test was that it was carried out on the production system and therefore required security-certified personnel.

In the course of updating an IT security concept, annual penetration tests and configuration audits had to be carried out in the data center and other systems. The tools used included scanners such as nmap and OpenVAS as well as attack tools such as the Metasploit Framework and sqlmap in addition to other manual test methods. The results served as a kind of preliminary test or preparation for an internal acceptance test.

A penetration test uncovered technical and organizational weaknesses that would have posed a risk to approval by the German Federal Motor Transport Authority (KBA). The deficiencies were eliminated and additional security measures were initiated. All minimum requirements were met.

Our security audit team was involved in a customer’s secure software development lifecycle, checking the security level of a web and mobile application during development and infrastructure construction and improving it in good time. Systematic concept analyses, code reviews and security tests were carried out according to the OWASP Testing Guide before the release. Finally, a targeted workshop for developers and administrators was initiated based on the test results in order to avoid similar vulnerabilities in the future.

One of the key questions for operational technology is always whether the technical security of an ICS environment can be tested without jeopardizing security and normal operations. To obtain certainty, a technical security check of the systems at control level 2 was carried out in accordance with the Open Source Security Testing Methodology Manual (OSSTMM). The technical security check took place entirely on site. Both manual and automated test methods were used.

As part of the continuous updating of a public client’s IT security concept and the associated review of security measures, annual penetration tests were carried out on the existing systems.

We used specially configured audit notebooks and a BSI-compliant procedure model for testing classified systems. The tools included passive protocol analysis programs (such as Wireshark), active scanners (such as nmap, sslscan, ssh-audit), vulnerability scanners (such as Nessus, Burp Suite, Metasploit Framework) and manual interventions in the system.

Through close cooperation with the client and the system’s users and administrators, combined with our powerful test solution for classified systems, the security of the system could be confirmed.
