PENETRATION TESTING SERVICES
Our security experts perform real-world attack simulations to test defenses and uncover actual risk from the perspective of a motivated attacker. To take this service to the next level, our Security Program Maturity Testing offering delivers insight into programmatic security issues, including identification of root causes and guidance on addressing them, so that recommendations for defenses are grounded in the attacker mindset.
Penetration Testing Services
Demonstrate Real-World Risk
The best way to know how intruders will actually approach your network is to simulate an attack under controlled conditions. Our Penetration Testing Services team delivers network, application, wireless, and social engineering engagements to demonstrate the security level of your organization's key systems and infrastructure. This simulation of real-world attack vectors documents the actual risks posed to your company from the perspective of a motivated attacker.
The post-assessment analysis groups one or more security issues that share a common cause and resolution into a single finding, which allows Rapid7 to quantify and prioritize the business risk to an organization. The resulting findings matrix is actionable and can serve as an overarching workflow plan that the security organization tracks. This plan is intended to help the remediation team prioritize and track the remediation effort; consequently, each finding is categorized according to its relative risk level and also carries a rating of the work and resources required to address it. Each finding also contains hyperlinked references to resources and provides detailed remediation information.
Understand Real-World Risks
Penetration testing service types:
- Internal and external network penetration tests
- Web and mobile application penetration tests
- Wireless penetration tests
- Social engineering security testing (physical, pretext calling, and phishing)
The prioritized risk ratings are based on the DREAD framework (Damage, Reproducibility, Exploitability, Affected users, Discoverability). They take multiple business criteria into account to give you a quantitative understanding of the security posture of your network.
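As an added illustration (not Rapid7's own tooling or scoring thresholds) of how DREAD ratings and a remediation-effort rating combine into the prioritized findings matrix described above, the following script scores a set of constructed findings and ranks them. The 1-10 scale per DREAD category, the risk bands, and the 1-5 effort scale are assumptions.

```python
from dataclasses import dataclass

# DREAD categories: Damage, Reproducibility, Exploitability, Affected users, Discoverability.
# Assumption: each is scored 1 (low) to 10 (high); the finding's DREAD score is the mean.
# Assumed risk bands: the first floor the score reaches, checked highest first.
RISK_BANDS = [(8.0, "Critical"), (6.0, "High"), (4.0, "Medium"), (0.0, "Low")]


@dataclass
class Finding:
    title: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int
    effort: int  # assumed 1 (quick fix) to 5 (large project) remediation-effort rating

    def dread_score(self) -> float:
        scores = (self.damage, self.reproducibility, self.exploitability,
                  self.affected_users, self.discoverability)
        if any(not 1 <= s <= 10 for s in scores):
            raise ValueError(f"{self.title}: DREAD inputs must be in 1..10")
        return sum(scores) / len(scores)

    def risk_level(self) -> str:
        score = self.dread_score()
        return next(label for floor, label in RISK_BANDS if score >= floor)


def findings_matrix(findings):
    """Prioritized matrix: highest DREAD score first; ties go to the lowest remediation effort."""
    ranked = sorted(findings, key=lambda f: (-f.dread_score(), f.effort, f.title))
    return [(f.title, round(f.dread_score(), 1), f.risk_level(), f.effort) for f in ranked]


# Constructed sample findings, not taken from any real engagement.
SAMPLE = [
    Finding("Default credentials on internal admin portal", 9, 10, 9, 8, 9, 1),
    Finding("Reflected XSS in search parameter", 5, 8, 6, 6, 7, 2),
    Finding("Missing rate limiting on password reset", 6, 9, 7, 8, 5, 2),
    Finding("Verbose stack traces on error pages", 3, 10, 4, 4, 7, 1),
]

if __name__ == "__main__":
    for row in findings_matrix(SAMPLE):
        print("{:<48} {:>4} {:<8} effort={}".format(*row))
```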
Our customized services approach also supports boutique engagements aligned with specific objectives or technologies. Services may include:
- Code Review
- Distributed denial of service (DDoS) testing
- Malware analysis
- Embedded device penetration testing
- Technology and platform-specific penetration testing
- Other customized and threat-focused penetration testing
Customers pursue penetration tests for a number of reasons including meeting compliance requirements such as PCI-DSS, complying with best practices such as OWASP, and ensuring that they meet contractual requirements. The Rapid7 security assessment contains detailed remediation information and prioritized recommendations on which to pursue first.
Rapid7 penetration testing teams are renowned experts who conduct close to 500 penetration tests per year. Team members are security experts who are frequently asked to present at leading industry conferences including Black Hat and DEF CON. Rapid7 penetration testers work regularly with Rapid7 Labs and conduct independent research that often uncovers new vulnerabilities and exploitation tactics. Their research has been presented at conferences around the world and has helped countless security professionals learn how to improve their security posture against the latest threats.
Security Program Maturity Testing
Penetration Testing Methodology
Rapid7's Security Program Maturity Testing does more than help our customers identify their security deficiencies; it drives to the root cause so that persistent blind spots are eliminated. Our process combines our world-class penetration testing methodology with our team's expert approach.
These combined processes allow your organization and security posture to be assessed from the perspective of an attacker, so that recommendations can be provided with the appropriate programs and controls aimed to defend against that same attacker mindset.
After an unobtrusive Internet investigation of your public-facing presence and information, we will paint a picture of what your perimeter looks like to the outside world. This is followed by more aggressive manual testing, aimed at analyzing and gathering data to build and execute a hacker-minded attack plan. Our penetration testing process also includes password cracking mechanisms and application vulnerability validation.
To supplement the penetration testing effort, our Strategic Services team will then analyze all findings, assess the security program through in-depth interviews and documentation review, and identify the critical security control areas that need to be adjusted. This phase closes the loop and takes the process from symptom identification to root-cause analysis and process planning for mitigation.
Rapid7 will provide your team with actionable reports that include tactical next steps to fix the immediate issues and strategic guidance on remedying the source of those issues. In addition, Rapid7 will deliver a debrief to the project stakeholders summarizing the findings of both the penetration test and the strategic root-cause analysis.
Security Program Maturity Testing provides a holistic view of your environment from both the perspective of the attacker as well as the informed approach of our consultants. Deliverables include detailed penetration test results along with actionable tactical and strategic recommendations to remediate discovered findings.