If you have questions about our services, processes, or any specific inquiries, this FAQ section is here to help. For additional assistance, feel free to contact us.
Welcome to our FAQ section! Here, you'll find answers to common questions about our services, processes, and best practices.
Whether you're new to penetration testing or looking for specific details, this is a great place to start. For anything not covered here, feel free to reach out to our team directly.
Penetration testing, or pentesting, is a security assessment where ethical hackers simulate real-world attacks to identify vulnerabilities in your systems. It's essential for improving cybersecurity, maintaining compliance, and protecting your business from threats.
The frequency of pentests depends on your organization's risk profile and the sensitivity of your operations.
- For high-risk industries, regular pentesting (multiple times per year) is advised to keep up with evolving threats.
- For less critical businesses, a pentest is recommended for every major update or new feature release.
Even if you don't store sensitive data, your website or systems could be targeted:
- Hackers might use your server for malicious purposes, like hosting phishing websites.
- Your system could be exploited as part of a large-scale, indiscriminate cyberattack.
- Opportunistic attacks often target vulnerabilities for practice or profit, regardless of data sensitivity. No organization is immune to cyber threats.
Pentest costs vary based on the scope and depth of the testing. Comprehensive tests that analyze multiple systems or delve deeply into vulnerabilities require more time and expertise, leading to higher costs.
- Security Scans: Automated tools that identify common vulnerabilities. They provide a basic level of security but may miss complex issues.
- Penetration Tests: Combine manual and automated methods to uncover deeper, logic-based vulnerabilities. They assess the real-world impact of attacks, providing a detailed analysis tailored to your architecture.
- Pentesting: A structured, time-bound assessment with defined goals, conducted by experienced professionals. It provides comprehensive insights and recommendations in a scheduled manner.
- Bug Bounty: Relies on crowdsourced researchers finding issues at their own pace. While effective for continuous monitoring, it lacks the systematic approach of a pentest.
Choose based on your organization’s needs, but many businesses benefit from using both approaches.
Yes, we work with organizations of all sizes. From startups to enterprises, we offer scalable solutions tailored to your needs and budget.
Getting started is simple! Reach out through our contact form or email and our team will guide you through the process of securing your systems.
Our experts have experience with a broad range of technologies and languages. Most vulnerabilities are not language-specific, so we can adapt to any system. Contact us for inquiries about specific platforms or stacks.
Both options have unique benefits:
- Staging Environment: Ensures user-facing systems remain unaffected and closely mirrors the final setup.
- Production Testing: Tests the system under actual working conditions, revealing vulnerabilities in real-time use.
DoS testing must be explicitly requested. We can simulate DoS attacks to evaluate your system's resilience. This requires careful planning to ensure minimal disruption.
A demonstration can help testers understand complex functionalities, allowing them to evaluate business logic more effectively.
However, skipping a demo replicates real-world attack scenarios, where attackers work without prior knowledge.
The choice depends on your objectives.
We deliver a detailed report that includes:
- A summary of tested systems and methods used.
- Identified vulnerabilities with detailed explanations and exploitation scenarios.
- Visual evidence, such as screenshots or logs.
- Recommendations for remediation.
We provide actionable recommendations for your team to implement. While we don’t directly fix vulnerabilities, we can verify that your remediations are effective after implementation.
Confidential data is treated with the utmost care. We do not store or misuse any sensitive information, and it’s anonymized in reports. Audit reports are securely kept for a limited time and only shared with authorized personnel.
We operate within a strict legal and ethical framework. Tests are conducted only after signed agreements, and all activities are authorized and monitored. Transparency and professionalism are at the heart of our services.
- Engagement begins only after a contract and authorization are signed.
- Testing originates from a single, identifiable IP address.
- Your hosting provider is informed of our activities in advance.
We provide a debriefing session upon request to discuss findings and recommendations. We also perform follow-up validation testing after you implement fixes, to confirm that they are effective.