Threat Led Penetration Tests
- Did you spend thousands for a penetration testing engagement only to get a fancy report with findings straight out of a Vulnerability Scanner?
- Did you ever commission a penetration test and get an impossible all clear with no findings?
- Did you get a report full of boilerplate text about 'the importance of security' with minimal context to your setup?
If you answered yes to one of the above questions, you have unfortunately paid good money but did not get any value. At best you got an interpretation of a vulnerability scan report. I do things differently. I do penetration testing.
'Threat-Led Penetration Testing' is a term made popular by the Digital Operational Resilience Act (DORA). In short, it means doing pentests that actually matter. Running your code through a SAST tool is not a pentest; running Nessus or Nikto against your website is not a pentest; neither is running your server configuration against a benchmark... you get the idea.
Threat-Led Penetration Testing involves testing your system against a particular threat scenario. Companies subject to PCI should be familiar with this concept, as their penetration tests are usually focused on trying to extract cardholder data. For other industries, like telecoms, other scenarios such as threats to the availability of the network may be more important to address. Banks have other critical assets that need to be tested.
I don't just stop at uncovering flaws. I provide comprehensive, actionable reports that not only highlight vulnerabilities but also offer pragmatic recommendations for remediation. My reports are renowned for their clarity and attention to detail, giving you the steps you need to fortify your defenses and stay one step ahead of cyber-adversaries.
Use the form found at the very end of this page to request a quote detailing what kind of test you require. You will receive your quotation within 1 business day.
FAQs
1. How much does a penetration test for my company cost?
This depends on the target scope. As a benchmark, let us take the host on which this simple website is running, having some dynamic content and a backend database. Testing this would require time to:
- Figure out the purpose of the application
- Enumerate all possible information
- Identify attack entry points (e.g. outdated dependencies, injection attacks, scripting attacks)
- Conduct tests (attacks) based on the information gathered
- Document the report
2. Your prices are lower than other companies' in the market; what is the catch?
I run this entirely on my own, with no sales, project management or marketing personnel expenses. There are no management costs to pass on to you. The only monetary expenses are software licenses and research content that I purchase to keep my skills sharp, and these are absorbed by the engagements conducted. The invisible cost to the client is the long hours I put in during my free time to keep my skills up to date so I can conduct this practice effectively.
3. What about the quality of your work?
Feedback is consistently very positive, along the lines of 'this is the best pentest report I have got'.
The idea of a penetration test is that no stone is left unturned in a target. By having me conduct an engagement there are no separate 'Infrastructure tests' and 'Web Application tests', simply because there are no two kinds of attackers. It would be unfair (and unprofessional) to put a system in scope for testing and only check half (or less) of the attack surface.
If your host has a web interface it must be tested, period. The same goes for your portals. Do untrusted users use your login portal? Create a tester profile, as this needs to be tested.
An important step I take is that I don't only focus on OWASP-style vulnerabilities but also make sure to understand the application. Only then can you get a test that checks for logical errors, such as showing excessive PII or PANs, or identifying whether the user roles granted by the app and API match the access one should actually have.
As for the report, every client is surprised by the depth and quality of the reports delivered. As Ed Skoudis emphasises, no matter how much effort is put into the testing, the penetration test report is ultimately the only item the client gets.
Be very careful: there are a lot of charlatans operating in this space, whose idea of a penetration test is filling in URLs and IP addresses in a vulnerability scanner and pressing a button. Then you get charged thousands for them copy-pasting results into their fancy templates. That said, there are still a few honest, good pentesting companies that I have no problem recommending if I am swamped or if the engagement is larger than what I am able to handle.
4. I have a tight deadline; can you provide me a pentest in 2 weeks' time?
No. Please look elsewhere.
I am not in the business of churning out a quick report merely to satisfy compliance, so please schedule this well in advance. Unfortunately it is also not uncommon for tests to overrun the stipulated time by a week or two. This is often due to having to put more time into the test than originally anticipated (thus not sacrificing quality), and it is still charged to the client at the originally quoted price.
I have a full-time job in a blue-team setting. I do take time off to dedicate full days to client engagements, but you must also accept having tests run during night hours as part of the rules of engagement.
5. Who are you? What are your qualifications?
I am Christian Bajada.
I hold the OSCP (the first listed recommended certification in PCI penetration testing guidance) and CISA, and have an MSc in Information Security from Royal Holloway College. I also have an MSc in Blockchain and Digital Ledger Technologies. I am currently looking into obtaining the CREST certifications mentioned among the typical skills listed in MFSA's Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements.
The most important 'qualification' I have is that I am committed to keeping my skills alive, practising regularly on the HTB platform and in several CTFs and hackathons.
6. Which clients do you serve?
Most types of tech-based clients: financial institutions, insurers, online casino platforms, e-commerce sites, etc. Ideally the networks scoped have no more than 200 active hosts per engagement.
7. Can I send you an email instead?
Yes. Please use [email protected]
8. Do you keep our sensitive information?
I delete information relating to an engagement 60 days after completion. It is kept until then just in case you need to dispute any findings, or decide to fix an item and require this to be reflected in your report.
9. I have requested a quote; what happens now?
Most engagements typically follow this process:
- I give you a call to clarify the target scope and objective of the pentest.
- After 24 hours you shall receive a no-obligation quote with a price breakdown.
- If you accept the quote I will invite you to send your standard NDA. Alternatively, I will send out mine, which covers your rights. Other documents that shall be sent are a 'Scoping Document' as well as the 'Authority to Proceed' document, which you need to sign to authorise me to start testing according to the specified rules of engagement.
- If you are a new customer, I may require payment of 10% of the engagement fee.
- You send me usernames or any other information required to conduct the test.
- Testing commences on the requested dates. Be patient.
- Any High-risk or Critical findings are communicated immediately during the test.
- You will receive the penetration testing report containing all findings.
- Upon your request you will be allowed any time you require to rectify any findings. Any fixes will be retested, allowing you to demonstrate your current security posture.
- Final payment paperwork and settlement of the balance.