FAQ
Professional Infrastructure Security
We can run our web penetration tests from whitelisted IPs to check the security of your web applications beyond your WAF. This is optional and ensures that, should your WAF fail or be bypassed, your web applications are still secure and not exposed to any known vulnerabilities.
ISO 27001 compliance requires the aggregation of event data from multiple systems and the security management of sensitive assets within an organization, which is the role of a SIEM. While not all other security standards and frameworks state the SIEM requirement explicitly, most frameworks, including SOC, PCI and NIST, include requirements for monitoring, logging and security event management. These requirements are best met by implementing an actual SIEM rather than individual point solutions. In addition, most auditing teams prefer to see a SIEM deployed in your organization, which makes their job easier and reduces the friction between your organization and the auditing team.
Implementing a SIEM is also a requirement of most insurance companies before they will provide you with ransomware coverage and lower premiums.
Yes, we offer multiple managed service options and different support SLAs. Contact us to find out more.
We work with all major cloud providers including: AWS, GCP, Azure, Rackspace, IBM, Oracle and DigitalOcean.
You might be able to get better coverage and lower your cyber insurance premiums by combining a SIEM, an IDS, regular vulnerability scans and scheduled penetration tests.
We offer flexible payment terms including monthly payments, payments via credit card, or direct bank ACH.
While providing a site map is not mandatory for our unauthenticated public web pen tests, we strongly encourage you to provide us with a list of key URLs (API links), especially if you are running a Single Page Application (SPA) built with HTML5/JavaScript/React, etc.
We utilize multiple Web Application Scanners (WAS) as dynamic application security testing (DAST) tools. A DAST crawls a running web application through the front end to create a site map of all of the pages, links and forms to be tested. Once the DAST has created a site map, it interrogates the site through the front end to identify vulnerabilities in the application's custom code as well as known vulnerabilities in the third-party components that make up the bulk of the application.
Our WAS identifies OWASP Top 10 vulnerabilities such as cross-site scripting (XSS) and SQL injection in custom application code and vulnerable versions of third-party components running on your site. Both categories of vulnerabilities are essential to ensure comprehensive vulnerability coverage in modern web applications.
Yes, our WAS is able to identify a number of cyber hygiene issues in web applications in two minutes or less through the use of predefined scan templates. The SSL/TLS scan template checks for improperly issued or soon-to-expire SSL/TLS certificates, which helps you avoid costly and embarrassing browser warnings and redirects. The Config Audit scan checks for a number of server-side misconfigurations that leave web applications exposed to attacker reconnaissance or man-in-the-middle attacks.
Yes. Our WAS scans modern web applications including single page applications. While no scanning tool can guarantee 100% coverage of all application types and vulnerabilities, our WAS crawls and scans many of the most popular single page application frameworks.
No. Our WAS is a dynamic application security testing (DAST) tool, meant to test running applications; it does not perform static code reviews. Static application security testing (SAST) tools perform code reviews.
Compliance Expertise
We have extensive experience with the most stringent standards, such as FedRAMP and NIST 800-53, with practical implementations of CIS benchmarks and controls, the MITRE ATT&CK framework, and the OWASP Top 10. All of our team members hold security certifications and formal training from CISSP, CISM, GIAC, and SANS.