FAQ

Frequently Asked Questions

What’s the difference between a vulnerability assessment and a pentest?

Penetration testing (pen testing) and vulnerability assessment are two distinct but related activities in the field of cybersecurity. They both aim to identify weaknesses in a system’s security, but they differ in their scope, methodology, and objectives.

  1. Objective:
    • Penetration Testing (Pen Test): The primary goal of a penetration test is to actively exploit vulnerabilities in a system to determine the extent to which an attacker could compromise the system. It involves simulating real-world attacks to assess the effectiveness of existing security controls and to discover any potential weaknesses that could be exploited.
    • Vulnerability Assessment (VA): The main objective of a vulnerability assessment is to identify, classify, and prioritize vulnerabilities in a system. It provides a comprehensive view of potential security risks but does not involve active exploitation of vulnerabilities.
  2. Scope:
    • Penetration Testing (Pen Test): Penetration testing is more focused and involves simulating a targeted attack. It often goes beyond identifying vulnerabilities to actually exploiting them, demonstrating unauthorized access or other actions an attacker could carry out.
    • Vulnerability Assessment (VA): Vulnerability assessments have a broader scope and are more concerned with identifying and categorizing vulnerabilities without actively exploiting them.
  3. Methodology:
    • Penetration Testing (Pen Test): Penetration testing employs a “hands-on” approach, where security professionals actively attempt to exploit vulnerabilities. This may involve using various tools, techniques, and methodologies to compromise systems, networks, or applications.
    • Vulnerability Assessment (VA): Vulnerability assessments typically use automated tools to scan and analyse systems for known vulnerabilities. While manual analysis may be involved, the process is less focused on actively exploiting vulnerabilities.
  4. Frequency:
    • Penetration Testing (Pen Test): Penetration tests are often conducted periodically, such as annually, monthly, or after major system changes. They are more resource-intensive and may therefore be performed less frequently.
    • Vulnerability Assessment (VA): Vulnerability assessments can be conducted more frequently, sometimes even on a continuous basis. Automated tools can scan systems regularly to identify new vulnerabilities as they emerge.

So, I’ve signed up for Katana, what happens next?

After enrolling in Katana, a member of the Damocles Team will reach out to you to gather the details needed to conduct the Penetration Testing. This contact typically takes place within 2 business days. If the domain you signed up with differs from the target domain, additional information may be required to validate ownership of the target or to authorize Damocles to proceed with the Penetration Testing. This initial procedure applies to new customers only. The comprehensive report will be delivered within 5 business days, and for subscription-based arrangements you can expect subsequent reports around the same time each month.

So, I’ve signed up for Svalinn, what happens next?

After enrolling in Svalinn, a representative from the Damocles Team will contact you to collect the details required to set up the Web Application Firewall. This contact generally occurs within 2 business days. Once the necessary information has been received, Damocles will build the Svalinn instance and prepare it for testing. After successful testing, you will be able to route your traffic through Svalinn to protect your website or application by updating your DNS settings. You will also receive the information needed to permit traffic from Svalinn to reach your existing server.
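A practical caveat for the last step above: once DNS points at the WAF, the origin server should accept traffic only from the WAF's addresses, otherwise anyone who learns the origin's real IP can reach it directly and skip the filtering. The following Python script is an added example (not Damocles' code, and Svalinn's real egress ranges are not on this page) that builds the nginx allow/deny rules for a placeholder set of WAF ranges and scans a constructed sample of origin access log lines for connections that did not arrive via the WAF, which is the signal that the lockdown is missing or has been bypassed.

```python
import ipaddress

# Placeholder WAF address ranges (assumption for this example; the real ranges
# are provided during onboarding). Documentation-reserved prefixes are used.
WAF_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed sample of origin-server access log lines (client IP is the first field).
SAMPLE_LOG = """\
203.0.113.17 - - [10/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [10/Jan/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 403 0
2001:db8:1::a - - [10/Jan/2024:10:00:03 +0000] "POST /login HTTP/1.1" 302 0
192.0.2.44 - - [10/Jan/2024:10:00:04 +0000] "GET /?q=1 HTTP/1.1" 200 880
"""


def is_from_waf(client_ip: str) -> bool:
    """True if the client address falls inside one of the WAF ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in WAF_RANGES)


def origin_allowlist_rules() -> str:
    """nginx location-level directives: allow only the WAF ranges, deny all else."""
    lines = [f"allow {net};" for net in WAF_RANGES]
    lines.append("deny all;")
    return "\n".join(lines)


def find_direct_connections(log_text: str) -> list:
    """Return client IPs from the log that bypassed the WAF (or are unparsable)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip = line.split()[0]
        try:
            if not is_from_waf(ip):
                hits.append(ip)
        except ValueError:
            # A malformed address is worth a look too; flag it rather than skip it.
            hits.append(ip)
    return hits


if __name__ == "__main__":
    print("Origin lockdown rules:\n" + origin_allowlist_rules())
    direct = find_direct_connections(SAMPLE_LOG)
    print("Connections that did not come through the WAF:", direct)
```

Run it against your own access log once traffic has been cut over; after the allow/deny rules are in place the list of direct connections should stay empty, so any non-empty result is worth an alert.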

What is penetration testing?

Penetration testing, commonly known as ethical hacking, is a simulated cyberattack on a computer system, network, or application to identify vulnerabilities that could be exploited by malicious actors.

What is the difference between authenticated and unauthenticated penetration testing?

Authenticated and unauthenticated penetration testing refer to the level of access and information provided to the security tester during the assessment.

What is authenticated penetration testing?

Authenticated penetration testing involves the tester having valid credentials or insider access to the system being tested. This simulates an attack from someone with internal knowledge or compromised credentials.

What is unauthenticated penetration testing?

Unauthenticated penetration testing, on the other hand, does not involve any prior knowledge or credentials. The tester approaches the system as an external threat, attempting to exploit vulnerabilities without any special access privileges.

Can a combination of both testing methods be used?

Yes, a comprehensive security assessment often involves a combination of both authenticated and unauthenticated penetration testing. This provides a more holistic view of an organization’s security posture, addressing both internal and external threat scenarios.
