Capital Network Solutions is an approved CREST Penetration Testing Service Supplier headquartered in Wales. We provide a pragmatic approach to penetration testing services and layer that approach in a tier list based on complexity. The complexity tier offerings are in context to both Infrastructure and Web Application penetration testing in an external or internal format.
Each tier of complexity will incorporate the previous wherever required within the context of engagement. The term “penetration testing” is often used interchangeably to describe both of the lower two tiers described above.
Tier 1 - Vulnerability Scan
A vulnerability scan is a series of checks based on common vulnerabilities and lists the issues based on criticality using the Common Vulnerability Scoring System (CVSS). The objective is to highlight common problems and often compared to as a monthly “MOT” check of external/public interfaces.
Tier 2 - Vulnerability Assessment
The vulnerability assessment process is dependant on the engagement context, such as a web application and external infrastructure. A vulnerability assessment, often compared as replication to the initial steps in a real-life attack, the point at which a malicious actor is thwarted and moves on to an easier target.
External infrastructure is subject to port enumeration, common vulnerabilities, manual inspection of services of potential interest and bad configurations.
Web technologies require in the context of a vulnerability assessment, inspection of code without the means of further exploiting issues, for example, finding an arbitrary Remote Code Execution (RCE) flaw without further exploitation.
The objective is to highlight common and obscure problems and often conducted to reduce general costs over a penetration test. However, a vulnerability assessment is not a penetration test and excludes numerous attack surfaces and techniques.
Tier 3 - Penetration Test
Similar to a vulnerability assessment, with the inclusion of advanced techniques and methods in real-world attack chains. These methods may include bypassing web application login mechanisms, obscure SQL injection surfaces, weak credentials, etc. while directly exploiting found issues.
Leveraging these issues is a means of gaining general data, passwords, and a foothold within the scope definition using audited methodologies to safely exploit identified vulnerabilities to address the risks by the development of a remediation plan.
Capital Network Solutions do not undertake Denial of Service (DoS) type testing, privilege escalation or defacement activities unless expressly authorised to do so.
The objective is to highlight avenues to critical business systems and services to prevent future compromise from advanced vectors. A penetration test is a go-to standard to identify risk and exposure.
In all cases proof of ownership of systems will be required by CNS as will documented permission and legal disclaimers where appropriate.
The esteemed accreditation means organisations can be assured that our Penetration Testing services stand out from other UK companies, and are:
Offering a comprehensive range of Testing Services from a highly accredited team
“We have worked closely together in recent years to successfully gain our Cyber Essentials Plus accreditation and help ensure new services are designed and tested securely. Given the challenges of today’s budget pressures and increasing Cyber security risk we have found Capital Networks to be an effective, reliable and professional partner"