Ambersail Assured. High Quality Penetration Testing Services At A Sensible Price.


Test For Compliance. Best Practice. Peace of Mind. Our team can quickly create a test package that meets with what you need.

CREST Certified Team. UK Based. Providing you with the assurance you will be working with recognised experts.

Competitive Costs. Prices starting from £1,850 / US $ 2,350 / € 2,100.

 

What We Assess

  • Web Applications – such as ecommerce, banking.
  • Mobile Apps.
  • Networks – such as servers, routers.
  • Wireless Networks.
  • Testing For Compliance – Such as the PCI Data Security Standard or FCA.

Penetration Testing Services Suited To Your Business

Application Penetration Testing

A security assessment of a web application such as an Ecommerce site. Its aim is to identify any security weaknesses that can be exploited by hackers.
Any web application may be targeted by criminals. Many websites provide access to valuable data such as credit card details, personal information or intellectual property.
Our testing follows standards developed by OWASP and CREST.

Network Penetration Testing

A security assessment of any network service. Examples of such services include mail, file transfer, web cameras or IoT (Internet of Things) devices. The assessment will locate issues with these services that might allow a hacker to access your environment.

Mobile App Penetration Testing

Penetration testing of mobile apps that run on a variety of platforms, for example iOS, Android, or Windows Mobile.
This includes the front-end user interface and the back-end web services.
Tests centre on OWASP Mobile App penetration testing recommendations including data storage, transmission, cryptography and functionality.

Wireless Penetration Testing

Testing of wireless networks and supporting technology. Commonly performed onsite with the objective of identifying configuration weaknesses that can be exploited to provide access to central company networks via publicly accessed wireless devices.

Penetration Testing For PCI DSS

PCI DSS Penetration Testing focuses on networks that support payment card processing. The test is requirement 11.3 of the PCI Data Security Standard.
It must test all systems that could affect the security of payment card data.
It will confirm if your payment card network is configured securely and can only be accessed by the right people.

Penetration Testing For The FCA

FCA Penetration Testing is completed by UK-based financial organisations that are regulated by the FCA.
Testing includes all networks that support financial services. Testing is an explicit requirement found in the assessment questionnaires to be submitted to the FCA.


Contact us if you have any questions on what type of testing you need.

 


Questions Frequently Asked By People…

Penetration Testing is the process of assessing or testing technology to find any weaknesses that can be exploited by hackers. The goal is to find and fix these weaknesses before a hacker finds them.
There are no set rules on what can be tested. Targets can include web applications, web servers and firewalls. Any computer network is potentially at risk.

Penetration Testing Services should be performed under controlled circumstances. Testing should be thorough and include locating weaknesses in configuration, in how systems have been coded, and in how they operate.

Testing should be conducted by experienced security engineers. These are often people who have built or designed systems. This core knowledge of how networks and systems are built is invaluable when trying to undermine the controls that have been put in place.

If you go out to market, costs for Penetration Testing Services vary considerably.

As a rule of thumb, a decent penetration test will include manual testing from a qualified, experienced engineer. The amount of manual testing plays an important part in how much the service costs. The testing engineer will be looking to identify and capitalise on configuration and logic weaknesses. Often these can only be spotted by an experienced tester.

Very cheap services will have no engineer involved – relying on automated tools. We would not consider an automated test as a penetration test.

Don’t expect a tester to blindly start hacking away at your networks.

Although testing projects are straightforward to complete, there are some basic steps to make sure that companies get the best value from testing and that no serious problems arise.

Organisations that have an objective or goal for testing generally find testing useful. Goals might include understanding whether confidential data is accessible, whether an online account management system can be exploited to allow valid users to see accounts they shouldn’t, or meeting compliance regulations such as the PCI Data Security Standard.

Having a goal helps focus the penetration test into delivering results for what is actually important to you – the customer.

The next stage is agreeing targets for testing. This is very important as the targets will form the basis for testing and define the scope of the job. Targets might include a web application address, or a range of IP addresses.

Once the targets are understood, the testing dates and targets are signed off and the job can begin.

During testing, Ambersail takes great care to minimise disruption to client networks. Let’s not forget that testing is meant to identify weaknesses, not to bring a computer system to its knees.

As testing progresses, any important findings are fed back to customers straight away. This is to ensure that corrections can be applied immediately. Customers can contact us at any time to discuss progress and request general advice.

Once testing is complete, the results are analysed and recorded in a findings report. Reports have two distinct sections. The first section provides high level, management style advice. The second section contains detailed findings and fix information.

Once the reports have been written and reviewed by our Internal Quality Assurance team, they can be delivered to customers. Report delivery can also be backed up by presentations and workshops. This can be onsite at your offices or using remote meeting facilities.

Some organisations look to perform testing because they want to better understand security and to make their networks and systems more robust.

Other organisations need to perform testing as a ‘tick in the box’, often to satisfy regulatory or compliance requirements.

All reasons are valid. If it gets companies testing and improving the security of their systems, it can only be a good thing.

We are judged, or at least we should be, on how thorough our testing is and how well you understand the reports that we produce. The exercise is pretty much pointless if you cannot act on findings and recommendations that we make.

The main ‘product’ from testing is a penetration test report. Reports have two distinct sections. The first section provides high level, management style advice. The second section contains detailed findings and fix information.

To help understand the report, we offer a walkthrough of results as standard. This can take place either remotely or at your offices.

Retesting is also encouraged and built into our testing packages. Should testing identify weaknesses that need to be fixed, we can validate any changes made after an agreed period of time. This is a very important consideration for all Penetration Testing Services.

Should you wish, we provide Penetration Testing Certificates: verifiable statements that list when tests have taken place. These are very useful when demonstrating an organisation’s commitment to performing cyber security tasks.

We would suggest any component or system that poses a risk to your business operations.

We recommend that you first understand why you need to perform a penetration test and then work out which networks or systems support what you are trying to protect.

If the ‘assets’ that need to be protected are networks, then a good place to start will be the network (IP) addresses. These could be either internal networks, external networks, or both.

If it is a web application, such as an Ecommerce site, then its specific web address.

We also review specific business systems and technologies such as wireless or IP telephony testing.

Social Engineering tests are interesting as we normally target a physical building or group of people. To get the best value from these types of test, we always plan carefully to create a customised set of tests specific to that customer.

Ambersail penetration testing services can be delivered remotely from our test facilities or onsite with you, depending on where the test system is situated and how we can connect to it.