Penetration Testing Services
Agio’s penetration testing experts evaluate the security of your IT assets from the vantage point of a malicious hacker. More targeted than vulnerability assessments, pen tests are designed around a specific goal – to access and compromise protected resources.
More than just a scan, our penetration tests are performed both with automated tools and manually by a team of talented security engineers who operate with the highest level of integrity and professionalism. We will show you what we did and how we did it – scanning for vulnerabilities, enumerating attack vectors, and running exploits. All of your results are provided in our reports. Then we recommend remediation such as software patches, configuration changes, and other fixes.
Application Security
With the proliferation of software-as-a-service (SaaS) offerings, interconnected web applications, mobile apps, and APIs, a strong application security program is more important than ever.
Web Applications
Agio’s application assessment methodology is guided by the OWASP Top Ten Lists of web application and API vulnerabilities. To protect against data theft, ransomware, and other threats, continuous application security testing has become indispensable to ensuring security, confidentiality, and availability.
Mobile Applications
While sharing many of the potential vulnerabilities of web applications, mobile application penetration tests focus even more on client-side security, file systems, hardware, and connectivity. In recent years, mobile devices and apps have also emerged as frequent targets for phishing schemes and harmful malware.
Software Development Lifecycle Review (SDLC)
Software development life cycle frameworks define the process that organizations use to build applications from start to finish. It is invaluable to “build in” security controls during the application development process by adhering to best practices, adding security reviews at each stage of development, and testing fully prior to release.
Social Engineering Testing
People continue to be the least secure “endpoint” in most organizations. In fact, no matter how strong your security technology protections and compliance policy controls, no program can truly be effective without a “cyber aware” workforce. Here are some of the customized training, testing services and simulated attacks we offer:
Phishing
The most frequent type of social engineering attack, phishing, is generally described as sending a fake email to a person, group, or company. Fake attachments or bogus links can infect computers and networks with dangerous viruses and malware.
Spear Phishing
Spear phishing is a more targeted phishing attack – often directed at senior-level executives, corporate departments, or specific individuals within an organization.
Vishing
Vishing attacks rely on phone calls, direct lines, or auto-dialers, and may even involve infiltrating or imitating an interactive voice response (IVR) system.
Smishing
Smishing refers to fake requests, messages, links or attachments sent by SMS text.
Targeted Pretexting
This involves a scripted scenario such as convincing the target to dial into a phony help desk/call center or log in to an online meeting. Pretexting can also be used in person to gain access to a secure facility by using a fake ID, employee badge, etc.
Baiting
Baiting uses giveaways of digital devices (such as USB drives) infected with viruses, “call home” applets, or other malware.
Tailgating
Tailgating means accepting the help of an authorized person to gain access to a restricted area where a sign-in or other security checkpoint is present.
OSINT
Open source intelligence gathers information (both publicly available and dark web) on employees or executives to inform our social engineering campaigns and provide further protection for your organization.
Security Awareness Training
With onsite training and 24/7 access to a full library of courseware, we provide customized social engineering programs that enable you to test your employees in context and measure their results over time.