NETWORK Penetration tests

The tests focus on a comprehensive assessment of the following areas:

•  Network infrastructure: configuration of firewalls, routers, switches and open port detection
•  All kinds of advanced attacks on Active Directory services
•  Systems security: verification of updates, patches and vulnerabilities in operating systems (Windows, Linux) and applications
•  Active Directory: analysis of password policies, user rights and detection of errors in the domain structure
•  Network services: testing of DNS, DHCP security, SMB/NFS protocols and communication encryption
•  Network segmentation: assessing the effectiveness of isolating critical resources (e.g. financial servers) from other departments
•  Access control: checking multi-factor authentication (MFA) mechanisms and least privilege rules
•  Detection systems: testing the response of IDS/IPS solutions and monitoring tools (e.g. SIEM)
•  Emergency procedures: verification of the operation of backups

What are the most dangerous vulnerabilities detected during testing?

Common threats include outdated software with unapplied patches, default or weak passwords, unsecured file shares and redundant user permissions. Risks are also outdated legacy systems, lack of encryption of sensitive data (e.g. databases) and misconfigured firewall rules allowing lateral movement.

Can pentesting disrupt systems?

We carry out tests with the utmost caution – we avoid invasive techniques (e.g. DDoS) and carry out work outside of working hours. Every action is consulted with the IT team and preceded by a data backup. As a result, the risk of downtime is reduced to a minimum and your business operations remain unaffected.

How is our data protected during testing?

We guarantee full confidentiality by:

•  Signing of the NDA agreement prior to the start of the collaboration
•  Encryption of data during both testing and storage
•  Immediate deletion of information after project completion
•  Restrict access to reports to authorised persons only

Will the tests help meet legal requirements?

Yes. Penetration testing is required by, among others, PCI DSS (req. 11.3) and DORA. Not directly also by GDPR.
We provide documentation according to OSCP or CREST standards, accepted by auditors. Example: risk assessment report according to the CVSS 3.0 scale, which you can present to supervisory body.

You will receive detailed documentation, including:

• A structured list of identified gaps, grouped by criticality (Critical / High / Medium / Low)

• Step-by-step remediation guidance for each vulnerability (e.g. GPO configuration in Active Directory)

• Realistic attack scenarios with visualised exploitation paths

• Actionable recommendations aligned with leading frameworks such as NIST, CIS Benchmarks, and MITRE ATT&CK

This report provides both technical depth and clear guidance, helping your team prioritise and address security issues effectively.