Our auditors simulate intrusions as if they were malicious attackers or collaborators
We carry out intrusion tests at 3 levels:
- Tests carried out without any prior information, to simulate the actions of an external attacker
- Tests carried out from access accounts, to simulate the behavior of a user
- Tests carried out with in-depth knowledge of the environment (diagrams, source code, documentation, etc.)
The different audits
The tests are carried out manually by our experts, taking real account of the business risks and the "business" logic of each application or environment. Our teams can work in any type of environment that can be the target of an intrusion:
- Web apps and APIs
- Mobile app
- Internal networks / LAN
- Cloud environment
- Physical Intrusion / Redteam
- PCI-DSS infrastructure
- External infrastructure
Web apps and APIs
Application penetration testing aims to detect and demonstrate the existence of security flaws in web applications and APIs.
Mobile app
We carry out manual penetration tests on mobile applications developed for the Apple iOS or Google Android platforms, as well as on the related infrastructure.
Internal networks / LAN
Connected to your LAN, simulating the behavior of an intern or a malicious employee, we look for flaws that give access to confidential information and allow administrative privileges to be obtained on the information system (IS).
A review of the environment verifies how well the components making up the target infrastructure are positioned, and thus qualifies the level of protection and availability of the services and resources provided.
Physical Intrusion / Redteam
The objective of Red Team tests is to reproduce as closely as possible the activity of a professional attacker during an attack targeting your IS, using every method (logical, physical and social) to gain access to your internal network and your most critical data.
ERP systems are critical infrastructures that may suffer from specific vulnerabilities affecting all of their layers (clients/servers, network, database and application). We carry out an in-depth test that puts the business risks into perspective.
PCI-DSS infrastructure
As part of the fifty certifications it carries out every year, XMCO performs intrusion and segmentation tests against each customer's certification scope. Supervised by a QSA, the team in charge of the project puts the risks of card theft into perspective and maps each vulnerability to the requirements of the standard.
External infrastructure
The objective is to identify vulnerabilities that could be exploited from the Internet by a malicious person and that affect the audited perimeter.
This involves identifying exploitable vulnerabilities in the Wi-Fi infrastructure with a view to gaining entry to the internal network (segmentation, takeover).