Offensive Security

Find vulnerabilities with real world impact

Penetration Testing

For your business’ security, it is important to identify vulnerabilities that could allow adversaries access to your systems and data. Vulnerabilities that put your business at significant risk of a compromise are not only damaging for you, they could have an impact on your employees and your customers. Do you know your risk profile and what types of adversaries might attack you?

Penetration testing is our bread and butter! Volkis “pentesting” services will find the vulnerabilities that could be used to hack your networks, web applications, mobile applications, wireless networks, core services and cloud environments. A skilled penetration tester will use the same tools, techniques, and instincts that an adversary would to break into your systems.

What vulnerabilities exist in my systems? Do I need to worry about it? What could attackers do to me if exploited? What can I do to prevent this? All these questions can be answered with a penetration test.

Web Application / API

Make sure your bespoke web applications or APIs are resilient against attackers.

Internal

Find vulnerabilities from the perspective of an attacker inside your network.

External

Test your internet-facing servers and services against external threats.

Mobile

Find those hidden vulnerabilities lurking inside your custom made mobile apps.

Microsoft 365

Take a different approach to cloud security and have us investigate your Microsoft 365 tenant for real-world vulnerabilities with demonstrated exploits.

Continuous penetration testing

Year-round coverage of your attack surface ensures pentests are not just a “point-in-time” exercise. Pentest your newly developed applications as soon as they are ready.

Detection alert testing

Volkis will deliberately set off alerts in a methodical way so you can see those alerts in action, allowing you to gain familiarity with the alerts and ensure they are working properly.

And more!

We employ various security experts with domain knowledge in less commonly penetration tested areas such as Wireless, Citrix, SCADA, or Desktop Applications. If you’re unsure, reach out!

Red Team Exercises

Volkis red team services will target your organisation over an extended period using skilled attackers, infrastructure specifically tailored to the engagement, and social engineering attacks to compromise sensitive information and core business services.

As close to a real-world hack as you can get, the engagement will be performed over a window period, usually 3-4 months. Our attackers will use drip scanning, passive investigation, and evasion techniques to get by your detection and response systems, breaking into your environment without being seen.

The targets will be information and systems that are relevant to your organisation and likely targets for attackers. Instead of targets such as “compromise an administration account”, we look for key business services such as your CRM, financial systems, critical applications, and your web infrastructure to identify real, meaningful impact to your organisation. This allows you to get into the minds of your adversaries and be better prepared for a targeted attack. It’s also an excellent opportunity to test your Incident Response plans against a seemingly real attack, putting your Blue Team’s skills to work.

Social Engineering

With Volkis social engineering exercises you can test the security awareness of your users, and incorporate the results into an ongoing security awareness programme.

Our social engineering capability includes:

  • Phishing attacks: We can send malicious emails to your users that will attempt to trick them into downloading software, providing credentials, or visiting a particular web site. Phishing attacks can be sent to a large number of users in a cost-effective manner.
  • Vishing attacks (phone calls): We can test your employees or service desk to identify if they are likely to give out privileged information or credentials over the phone, or if they would be willing to undertake potentially damaging actions from an unknown source.
  • SMishing attacks (SMS): We can test your users’ abilities to detect a malicious text by sending SMS messages to their company phones. This text may instruct them to either download a malicious app or provide credentials.
  • Malicious USBs: We can provide malicious USBs that, when inserted into a user’s laptop or PC and executed, will call back to Volkis. This will test the likelihood of your users being tricked by a malicious attacker with physical access to your premises, or by someone who could send a USB stick through the post.

Physical Intrusion

Sometimes the easiest way to get access to your sensitive data is to simply walk in and take it. Volkis’ physical intrusion services will test your organisation to see if that is possible.

Physical intrusion testing will test the resilience of your access control and physical protection systems to see if they can be bypassed or broken. Can your passes be duplicated by someone standing next to them in the elevator? Can someone simply walk through a back door or open a window?

Volkis will employ a variety of different attack types throughout the engagement to gain access. This can include:

  • Social engineering
  • Lock picking
  • Door bypasses
  • Badge cloning

If access is gained, the consultant will collect evidence to see what the impact from that physical access is. Depending on the rules of engagement, the consultant may take pictures of desks, access sensitive areas, or connect to the network using a laptop or a concealed network tap.

At the end of the engagement, the consultant will outline any weaknesses and provide actionable recommendations for improving the security of the physical premises. This could include improving access control, improving procedures and processes for handling entrants, or user education.

Modular services

Get more from your penetration tests

“Not just another penetration test.” Volkis does things a little differently by offering you a modular ecosystem of auxiliary services. These services can be combined with a penetration test to better meet your goals or to increase visibility. Just like the Power Rangers combined into a more powerful robot, our services combine to give a better, more accurate result!

Executive board briefing

We will create a custom, non-technical presentation to show the results of the penetration test to your execs in an easily understood way.

Code assisted testing

Find more vulnerabilities by providing us with a copy of the source code. We use that code alongside our regular methodology to get you a better result.

Technical workshop

Skill up your developers or system admins by going through the penetration test findings in technical detail. We’ll highlight how to avoid inadvertently creating these vulnerabilities in the future.

Custom reporting

Want us to contextualise risk into your own risk matrix? Prefer a CSV or Markdown format? We’re happy to modify our report into something that will work best for you, or even report directly into your ticketing system.

Open but secure

One of our core philosophies is to be open but secure. Infosec doesn't need to be in the shadows and it's important that clients and others understand how and why we do things. Transparency is a big deal and our Handbook is one way we achieve that.

Our Handbook is a place where staff, clients, partners, colleagues and anyone with interest can go and see the inner workings of Volkis. We try to publish anything that isn't confidential!


Methodologies

Our technical penetration testing methodologies tell you how we perform our penetration tests. Although each engagement is different, the methodologies provide an overview of our high-level processes, which we modelled on industry standards and our own experiences.


Engagement Guide

The Penetration Testing Engagement Guide is the standard we hold our consultants to for every engagement we do. You can hold us to these standards of excellence.


Sample Report

You can see our Penetration Testing Sample Report to understand what you're going to get out of your penetration test. Our professional report has all the information you need to remediate the vulnerabilities we find and is backed by a debrief and ongoing consulting.

