• Français
  • English

Pentest:
Proactive Threat Mitigation

Growing threats on information systems are a today a major issue for company and governments all around the world.

Cybercriminals are using a variety of sophisticated techniques to break into computer network, compromise sensitive assets and disrupt business operations. The consequence of these incidents can be catastrophic, ranging from loss of critical data to disruption of business operations, loss of reputation and customer trust.

Identify and address vulnerabilities before malicious actors do, bolstering cybersecurity defenses and reducing the risk of data breaches.

Talk to our experts

Pentest: External assets discovery

Managing the complete array of IP addresses, virtual hosts, domains, and sub-domains accessible on the Internet can be a challenging task for any company, especially for larger enterprises with multiple IT teams. Do you wish to regain control over your assets available on the Internet?

External mapping: Main challenges

What are the challenges to ensure the safety of assets published on the internet on in the cloud:

  • Maintain up-to-date documentation for all servers published on the Internet or through Cloud services
  • Identify and ensure only necessary services are accessible from the internet.
  • Verify that test, development, or preproduction servers are not accessible externally.
  • Implement control measures for new assets during mergers or acquisitions.
  • Foster collaboration among IT teams to minimize configuration errors and prevent unauthorized access to resources from the internet.

External mapping: Our Solutions

QLab offers a comprehensive solution to discover your Internet assets:

  • Methodology to find published assets with various techniques (whois, ASN, search engines, favicon, etc.)
  • Exhaustive search using external services (censys, crtsh, shodan, etc.).
  • Creation of specific dictionaries based on identified domain names.

Continuous service for ongoing alerts on newly detected assets.

Web Pentest

Demonstrate compliance with regulation and standards through comprehensive reports. Check the robustness of your web applications through a black/grey/white box penetration test to guarantee a level of security against external threats.

Web Pentest: Main challenges

The IT security challenges for a company whether developing a web application or using a third-party service require to:

  • Ensure the application used is robust against external threats
  • A team of web developers with skills in secure programming
  • Use robust base system and application, properly configured
  • Ensure compliance with data protection regulations

Web Pentest: Our Solutions

From the design phase to the post-deployment phase, the benefits of working with our experienced pentest team include:

  • Collaboration with senior pentesters with extensive R&D experience.
  • Adoption of a proven methodology (OWASP), enriched by insights gained from pentesters
  • A manual approach to understand and address all business features of an application
  • Use of expertise in approved tools for efficient vulnerability discovery

External Pentest

Do you want to assess the security of your online assets by impersonating an attacker in possession of limited information on your environment: IP addresses (Black box mode) and user account(s) on accessible services (Grey box mode)?

External Pentest: Main challenges

Online services, from VPNs to databases, pose security risks Protecting against server control, database theft, and network intrusions can be challenging:

  • Restrict online accessibility to selected services through IP filtering, firewall rules, and initial authentication.
  • Keep exposed services up to date to prevent easy compromises.
  • Implement robust configurations to withstand specific attacks on these services.
  • Verify authentication mechanisms to prevent intrusions due to weak passwords.
  • Implement detection mechanisms for potential attacks, including exploitation and brute force.

External Pentest: Our Solutions

Quarkslab’s external pentests tackle challenges by:

  • Targeting network, system, and applications
  • Using dedicated tools, manual tests, and ongoing technology watch
  • Establishing combined attack scenarios
  • Complementing our external assets discovery, providing a comprehensive view of your online exposure and protection

Mobile Penetration testing

Check the robustness of your mobile applications (Android/iOS) through a surface penetration test in a black / grey / white box in order to guarantee a level of security against external threats.

Mobile App Audit: Main challenges

When developing a mobile application, companies must ensure that the entire process is carried out by following the best security practices:

  • Ensure the mobile application is robust against external threats
  • Implement measures to slow down an attacker studying the application (code obfuscation, root/jailbreak detection)
  • Rely on skilled developers in secure programming
  • Use well-configured and robust base system and application
  • Ensure compliance with data protection regulations

Mobile Penetration testing: Our Solutions

From the design phase to the post-deployment phase, benefit from the expertise of our pentest team providing:

  • Senior pentesters with extensive R&D experience.
  • Use of a proven methodology (OWASP), enriched by insights gained from pentesters
  • A manual approach to understand and address all business features of an application
  • Use of tools dedicated to the search for web vulnerabilities

Internal Penetration testing

Seeking to assess internal infrastructure robustness, including entities, by targeting domain controllers and examining trust relationships? This involves verifying network access control implementation and checking server and equipment updates deployment for correctness.

Internal Pentest: Main challenges

Maintaining a specific level of security on internal networks poses numerous challenges, including:

  • Ensuring the application of security policies on all internal assets
  • Implementing measures to defend against attacks and/or establishing proactive surveillance
  • Using well-configured and robust base systems and applications
  • Deploying security updates on equipment, systems, and applications
  • Applying network segmentation to prevent access from unnecessary services

Our Internal Pentest solutions

Tap into our pentest team’s expertise to uncover and address security weaknesses in your internal information system offering:

  • Senior pentesters with internal penetration test experience
  • Diverse attack methods from the MITRE ATT&CK repository
  • A step-by-step approach: network discovery, privilege escalation, lateral movement, server takeover, AD domain compromise
  • Expertise from QLab Desktop Security team to bypass security equipment (EDR, antivirus, etc.)

Configuration audit

Considering migrating servers to newer systems or evaluating the robustness of current application configurations and network equipment? We ensure adherence to security standards, policies, and best practices throughout the process.

Main challenges of configuration

Deploying new systems, applications, or network appliances in a company presents various challenges:

  • Verify configuration compliance with recognized standards such as ANSSI RGS, CIS, NIST, etc., or internal policies.
  • Ensure configurations do not introduce security risks that could impact the information system.
  • Analyze and manage expanding sets of rules on security equipment like firewalls and IDS/IPS.
  • Implement effective identity and access management to prevent fraudulent access (user/service account lifecycle).
  • Evaluate the efficiency of specific configurations (EDR, IPS, etc.).

Our Configuration Audit Solutions

Access our pentest team’s expertise for configuration challenges, offering:

  • In-depth knowledge of systems and networks.
  • Proficiency in various solutions to cater to a diverse range of applications.
  • Extensive skills, especially through R&D efforts in the internal laboratory focused on new technologies.
  • An approach to eliminate false positives: combining automated collection with manual verification of configuration items.
  • Utilization of recognized tools such as Nessus Professional and Nipper.

Wi-Fi penetration testing

Do you need to assess the resilience of your internal Wi-Fi infrastructure, including guest and company networks, to ensure secure internal access for employees and provide reliable Internet access for visitors?

Enterprise Wi-Fi audit: Main challenges

Maintaining a specific level of security on a Wi-Fi network poses various challenges, including:

  • Validate the configuration of the corporate Wi-Fi network and chosen security measures.
  • Ensure the guest network/captive portal prevents access to the internal network.
  • Confirm robust policies on employee laptops for pairing with corporate Wi-Fi.
  • Verify captive portal resilience against network/web attacks.
  • Check protection against Man-In-The-Middle attacks, ensuring no compromise of user accounts.
  • Assess probe efficacy for detecting fraudulent access points

Wi-Fi audit: Our solutions

Get support from our pentest team’s expertise to identify security vulnerabilities in your Enterprise Wi-Fi network, offering:

  • Senior pentesters with Wi-Fi penetration testing experience
  • Diverse attack methods and of appropriate equipment/tools
  • Adaptable approach based on customer-specific threat scenarios.
  • Expertise to address other wireless protocols through the QLab team.

Red Team & Adversary simulation

Assess the robustness of your security system by simulating an attack orchestrated by our experienced Read Team, acting as determined and terchnically advanced as adversaries, while having a limited level of information about your environment.

Red Team & Adversary simulation: Main challenges

Red Team testing are designed to challenge the security of your organization by simulating realistic, targeted attacks to reveal potential vulnerabilities and improve your overall security posture.

Our advanced service aim at:

  • Evaluate resistance to sophisticated attacks by simulating advanced tactics, techniques, and procedures (TTPs), assessing readiness and detection capabilities.
  • Uncover security vulnerabilities missed in traditional penetration testing campaigns.
  • Measure physical and logical security through comprehensive assessments, including physical security and social engineering tests.
  • Testing your incident response setup by assessing your organization’s ability to detect, respond and contain a simulated cyber attack

Red Team & Adversary simulation: Our solutions

Our Red Team services offer a proactive and comprehensive approach to improving the security of your organization. Our deliverables will include:

  • Precise identification of vulnerabilities and security weaknesses detected during the assessment
  • Recommendations comensurated with your context to strengthen the security of yourassets
  • Detailed reports on the testing activity and progress, the positive aspects of your security and the associated corrective actions

PHISHING CAMPAIGN

Are you looking to assess your organization's resilience against phishing attacks by simulating realistic scenarios where external attackers attempt to deceive your employees using sophisticated tactics, all while having limited information about your environment?

Phishing campaign: Main challenges

Phishing attacks often target the human layer of security, aiming to exploit user trust to gain access to sensitive information. Here are some specific challenges your organization might face:

  • Evaluating your resilience against a simulated attack, which remains the most common initial access vector used by threat actors
  • Training you employees to recognize and report phishing attempts
  • Measuring your capacity to identify and block phishing emails attempting to breach your company

Phishing campaign: Our solution

The phishing service offered by Quarkslab addresses these challenges through a comprehensive and proactive approach. Our commitment includes:

  • Create and send realistic phishing emails
  • Simulate real world tactics used by attacker
  • Test the organization ability to detect, report and respond to phishing attacks.

Our benefits

A team with solid profiles and appropriate certifications.

Our team

OSCP

OSEP

SANS-SEC560 (Enterprise Pentest)

SANS-SEC760 (Exploit for Pentest)

SANS-FOR508 (Advanced Forensic)

CEHv6

EC-Council

 

An experienced team to create unique pentests tailored to each context.

QLab

12 years of existence

Reverse Engineering

Vulnerability Research

Cryptography

Cloud

Blockchain

 

Conferences:

SSTIC, BlackHat, Hardware.io…

Our tools

Vulnerability testing in Kubernetes environment
Elevation of privileges in the Android emulator
File system mapping
Emulation and symbolic execution
Scripting automation under IDA

Resources

Strenghten your security
with Pentest by QB

Read our technical blogposts
written by Quarkslab’s
security engineers