Vulnerability Assessments and Pentesting Services

Vulnerability Assessments are audits that check the level of hardening, patching and configuration of controls to see where potential vulnerabilities might exist. They are generally performed by running scans, and sometimes by checking for default configurations that present a risk of compromise to the environment.

Pentesting (or Penetration Testing) is the practice of checking a computer system, network or web application to find vulnerabilities that an attacker could exploit. It differs from a Vulnerability Assessment in that the pentester will often confirm potential findings by obtaining a shell on a remote system, creating a new administrator account, or executing a command or displaying a message from a place where such actions should be prohibited.

Both will often include suggested remediations, steps to reproduce findings, and an evaluation of which findings are the most serious and should be addressed first. They also provide resources explaining how to address or remediate such findings in case the client doesn’t already know how best to go about doing so.

Enterprise Governance, Risk Management and Compliance Consultation (HIPAA, PCI, et al.)

Risk Management, or the limiting and avoidance of risk, is a key component of running a business. Risk management is part of a larger set of business objectives known as GRC, alongside Governance (the instruction and priorities passed down from management and the board) and Compliance (the things that must be done to stay within the limits of the law or the guidance of industry regulatory bodies). Often, as a company grows, these Governance, Risk Management and Compliance objectives become more and more siloed. With the ever-evolving threat landscape and shifting legal and industry regulations, it can become difficult to prioritize and to govern effectively and efficiently, and our expert advisors can help you navigate these crossroads.

Adversary Simulation Services – Red Teaming

Some clients, seeking to better gauge their controls as well as their ability to detect and respond to attackers, will hire individuals and teams to simulate a realistic attacker and conduct operations the way real adversaries would. This differs from a pentest in that the team isn’t trying to find, confirm and document as many vulnerabilities as possible; instead, the intention is generally to be as stealthy as an actual malicious actor would be, maintain persistence, and pivot methodically to the organization’s most valuable assets (the “crown jewels”).

digital defense dynamics