Penetration Testing

What is Penetration Testing?

Put in the simplest of terms, penetration testing (often referred to as just a “pen test”) is hacking your own systems as closely as possible to the way a real hacker would, to uncover any weakness in your network defenses so you can correct it before you are attacked. As long as the pen tester is properly trained and experienced, the only difference between a pen test and a real sinister hacking attack should be permission. To prepare for this kind of work, a pen tester must put in a lot of time studying how hackers operate and the motivations that drive them. At Silicon Defenses, our personnel have not only studied hard at the most trusted sources of information security training in the world to master the art of hacking and hold certifications, they have also spent literally decades interacting with and studying the enemy. They have also been trusted to plan, design, implement, maintain and monitor the most secure networks for banks and insurance companies.

How is penetration testing different from vulnerability scanning?

It’s easy to confuse the two, since they are trying to accomplish similar objectives. A vulnerability scan is simply that: a scan or series of scans, usually run with a commercial or open-source scanning program. Some people may stop there; at Silicon Defenses, however, we go much further by running application-specific scans using a variety of open-source, commercial and proprietary tools. In the end, however, we are only scanning for vulnerabilities and nothing else. Penetration tests take things much further in all directions. Scanning for vulnerabilities or weaknesses is just one part of the process. The tester must first perform reconnaissance to gather preliminary information about their target(s). Then they will scan for vulnerabilities. Next, they will try to gain access to your systems. They will try to maintain that access covertly, using techniques to avoid intrusion detection systems, anti-virus systems and any other defenses you may have engaged. All the while, they will also be working diligently to cover their tracks so they won’t leave any trace of ever being there.

Penetration tests vary depending on the level and type of test being provided. There are quite a few different varieties of pen tests; however, we tend to group them under just a few names to avoid confusion. First, you have external and internal. An external penetration test originates from outside of your network to test the devices that are facing the internet. For an internal pen test, you will either provide us with a location inside one of your offices from which we can reach all of your internal network devices, or provide equivalent access remotely through a VPN or similar secure method. This will flush out any avenues of attack someone may find and take advantage of once they have breached your perimeter defenses.

Then there’s also what many refer to as Black Box vs. White Box testing. Black Box usually means that the tester is going into the attack completely blind. You provide no preliminary information to the tester about your company or systems. This is the most realistic type of testing. A White Box test is performed with prior knowledge of the targets, so the tester can aim coordinated attacks at specific systems. The level of knowledge often varies. Sometimes the tester will only be told which servers are running certain types of applications. At the other extreme, the tester may be provided with full disclosure of all the systems, what they are running and perhaps even the source code and credentials of those systems. There are certain advantages and disadvantages to each. A Black Box test is more realistic; however, it can be much more time consuming and less effective in finding flaws in your systems. White Box tests make the most of the available time by doing deeper and more thorough examinations of applications and systems.

If you decide to trust Silicon Defenses to help with your network security, we will custom design your test to properly fit your organization’s needs. Our goal is to provide the best quality technical support with the highest level of customer service at the most reasonable price you can find.

We believe in giving you a ballpark picture of what to expect when pricing our services, so there are no surprises and you can quickly and easily do your preliminary information gathering without having to talk to any salespeople just to get some basic info. Please keep in mind these are just base prices to help you gauge your budget. We will work with you on larger projects, or if you plan to build a lasting relationship with us, like we hope you will once you’ve seen the value our partnership can provide for protecting your security.

Base Prices

External Basic Penetration Testing:

$2,000 up to 10 IP addresses
only $100 per IP address beyond the first 10

Internal Basic Penetration Testing:

$3,000* up to 254 IP addresses (one class C subnet) at one physical location
$750** per location with up to 254 addresses beyond the first

External Advanced Penetration Testing:

$2,500 up to 10 IP addresses
only $100 per IP address beyond the first 10

Internal Basic Penetration Testing:

$5,000* up to 254 IP addresses (one class C subnet) at one physical location
$1,200** per location with up to 254 addresses beyond the first

*The pricing for internal testing assumes we can have remote access via VPN or any other form of secure communication, or that the physical locations are 20 miles or less from our Jacksonville, FL location. Otherwise, we will have to charge a reasonable amount for travel expenses, to be determined on a case-by-case basis considering all of the factors involved.

**The pricing does not include travel expenses we may need to charge if the additional locations are further than 20 miles from the original location. These are in addition to the travel expenses charged if that location is more than 20 miles from our Jacksonville location (see first *).