Overview

Penetration Testing (ethical hacking) is where a skilled consultant uses the same tools and techniques as real-world hackers, to find vulnerabilities within your systems. You’ll be kept up to date as we carry out the review, and let you know if significant issues are identified before you receive the report.

Once the review is completed, you’ll receive a formal written report. This will include:

• High level details (in non-technical language) of what the key issues were, and what they mean to the business. Where relevant, root causes will be highlighted so you can address any underlying or systemic issues.
• Detailed descriptions of all issues which were identified, including reproduction steps, and how you can remediate them.

We can also meet with you to explain the findings, the impact to the business (if exploited), and how to remediate the issues. Our goal is to provide you with all of the information you need to either remediate the vulnerabilities identified (and in what order), or make an informed decision to not to resolve the vulnerability — in some cases, the time, costs or risks involved in fixing a vulnerability will outweigh the business impact of leaving it.

Pākiki has very experienced consultants who can carry out almost any type of penetration testing. Even if a particular type of testing is not listed here, feel free to get in touch, we can likely help.

Process

All of our engagements follow a similar process:

1. Scoping: We start by scoping the engagement, understanding what you're looking for, discuss the technologies and platforms in use, and any key concerns that you may have. From this, we produce a Statement of Work detailing the effort required, cost, any prerequisites, and our approach to the engagement.
2. Scheduling: Once the Statement of Work is signed, we'll work with you to schedule the work.
3. Requirements gathering: Prior to the engagement starting, we'll be in touch to organise any prerequisites we require and where practical will test these prior to the engagement. This will ensure the engagement commences on time.
4. Testing: The consultant will start the engagement and will provide regular updates. Any high or critical severity issues will be notified when they are found.
5. Reporting: At the end of testing, a report will be produced and provided.
6. Closeout meeting: A close-out meeting is held to provide any additional context around the business impact of what we identified, and to provide a chance for any further questions on how to remediate what was found.
7. Retesting: Optional Retesting can be carried out in order to ensure that any vulnerabilities have been successfully remediated.