Pentest - Penetration test

Ask for a manual Pentest and detect vulnerabilities

Ziwit Consultancy Service for your manual audits and pentests
Ziwit Consultancy Services Pentest - Penetration test

A penetration test allows you to identify the vulnerabilities of a computer system as hackers would do, we will tell you everything about how penetration tests work, why you need to do one and how it is performed.

Why Pentest by ZIWIT ?

  • Specialized in offensive cybersecurity and pentests for more than 10 years
  • Consultants and pentesters specialized for each field of intervention (OSINT, Pentest web, hardware intrusion test, infrastructure, AD, wifi, etc.)
  • Recognized as experts by the largest organizations
  • An support before (presentation of the pentesters), during (continuous communication) and after the penetration test (advice, support, etc.)
  • A unique contact allowing to follow your projects from start to finish
Security audit
Security audit

What is a Pentest ?

A pentest is a computer security assessment method that simulates a computer attack to identify vulnerabilities and weaknesses in a computer system,a web application or a network.

It is therefore an in-depth and pragmatic audit of the security of a computer system.

Unlike a traditional security audit, which consists of a static assessment of security controls, the pentest simulates attacks under real conditions and uses advanced techniques to test the resistance of a system. Penetration testing is therefore an effective tool to identify vulnerabilities and weaknesses in your applications, infrastructures and IT systems, so that you can correct them.

For over 10 years, Ziwit has been performing daily penetration tests for all types of companies. Specialized in offensive cybersecurity, we are committed to providing the best technical skills to our customers.

Why make a Pentest ?

Computer attacks are becoming increasingly common and sophisticated, and companies need to be prepared to deal with these threats.

Penetration testing in real conditions allows you to discover security flaws, vulnerabilities, feature abuse and configuration issues in your systems, but above all it allows you to fix these flaws before they are exploited by hackers.

In short : pentesting measures the risk associated with an information system by simulating realistic attack conditions, in order to identify ways to significantly reduce it.

The pentest allows you to :

  • Pragmatically and effectively verify the security of a scope (application, infrastructure, cloud, website, etc.)
  • Demonstrate the security level of an application to stakeholders (Ziwit CS certificate and certification seal)
  • Comply with regulatory requirements and security standards (ISO27001, HDS, HIIPA, SOC2, PCI-DSS, etc.)
  • Raise the skills of internal teams (awareness through concrete cases involving all employees concerned)

Methodology & Penetration test "mode"

The penetration test is applied on a perimeter defined with you. It can be a website, a web application, a mobile application, a range of IP addresses that you expose, your internal infrastructure, etc.

Our consultants define with you the scope on which the security audit will be performed, and also define their technical and organizational methodologies.

Penetration testing can take three approaches :

Audit in black box mode
Black Box Pentest

The auditor has only access to information publicly exposed by the target, no special privileges or rights are granted to simulate an attack on the audited system as carried out by an anonymous hacker outside his organization.

Black box
Grey box

Audit in grey box mode
Grey Box Pentest

Informations and documentations are made available by the auditee in order to increase the audit’s surface and simulate an attack as carried out by a legitimate user of the organization (accounts on the applications, exposed IP access, etc.).

Audit in white box mode
White Box Pentest

Penetration testing method where the tester has a high level of access to the systems or applications to be audited. The pentester has therefore an advanced knowledge of the technical details of the target, such as source codes, configurations and architectures. This approach allows for an in-depth analysis of the target's security and can help to identify vulnerabilities that would not be detected by a black box testing method (or "blind penetration test") where the tester has no prior information about the target. However, the White Box pentest may require more time and resources due to the preparation and in-depth knowledge required to conduct the test.

White box

How does a penetration test work ?

4 complementary steps

The tests
to set up

Our experts help you determine the tests to set up in your organization according to your procedures and needs. It can be a test on your internal networks, your applications or your infrastructure.

The different
Pentests modes

To launch a Pentest, our experts must determine an intrusion test approach. This consists in giving more or less extensive access rights to the ethical hacker.


Security vulnerabilities that can be exploited by a real hacker are highlighted for you. All the vulnerabilities identified by our hackers are really exploitable by a malicious hacker.


To go further than a vulnerability report, our experts will provide a real summary of the vulnerabilities detected but also the countermeasures for each of them.

Overall Penetration Testing Methodology

Overall Penetration Testing Methodology

The Kick-Off

Essential step of the Pentest to formalize the audit procedures with all the stakeholders in anticipation of the penetration test. During this phase, we exchange with you on the scope to be audited and formalize the test procedures, for that we :

  • Apply the reference documents allowing the pentest to be carried out successfully.
  • Identify the actors involved in the project on the customer’s side and on Ziwit’s side and we validate the communication channels for smooth information exchange.
  • Define the modalities of the mission : test strategy, project monitoring and steering,secure electronic document exchange.

Information gathering

Once the scope and methods have been defined, the consultants take charge to gathering as much information as possible on the scope.

This is the mapping phase, the census of your infrastructure on the defined scope, the analysis and contextualization, this phase allows to fully understand the systems, habits and processes before starting to exploit them to test their resilience.

The analysis / audit

Once the documentation has been recovered and the formalization steps carried out, our auditors specialized in Pentest, carry out the audit on the defined scope. We will then explain the difference between a penetration test with internal methodology and a penetration test with external methodology. The external pentest aims at validating the possibilities of compromise of a hacker acting from outside.The purpose of the internal pentest is to validate the security issues inherent in the company's network, its services, its internal applications, but also the configurations of workstations and equipment.


Reporting is certainly the most important phase of the pentest. Once the mission is completed, our team writes reports containing the complete analyzes conducted by the consultants. The auditor must provide the IT department with a written report explaining his methodology and the discovery of any vulnerabilities in the information system. It must propose appropriate corrective measures, through concrete action proposals, but also :

  • The tools used named with their availability (eg dedicated hardware, open source software, professional software) and their uses (all public, reserved for specialists)
  • The collected information at each step
  • The detected flaws with their impact
  • The focal points
  • A set of prioritized recommendations with the difficulty of implementing the patch (financial, technical, human, etc.).

Pentest reporting is therefore directly part of the risk management process and encourages effective and pragmatic countermeasures in order to quickly reduce the risk to an acceptable level for the client or the regulations.

Penetration test report


In order to validate the remediation of the vulnerabilities identified during the pentest, the client may request a counter-audit.

The counter-audit allows our auditors to check that the corrections have been applied, and that the remediation philosophy has been understood by the teams in charge of the correction. One day is needed to carry out the counter-audit and write the report.

It should be noted that the Ziwit teams remain available between the pentest’s realization and the counter-audit, at no additional cost, in order to advise the client in the remediation’s choice.

Our areas of intervention

Web Pentest

Penetration test on your websites and web applications, to evaluate their robustness and security status (web vulnerabilities, configuration problems, abuse of features, escalation of horizontal and vertical privileges, etc.).

Mobile Application Penetration Test

Audit of your mobile applications (Android and IOS) and their constitution (application layer, configuration, data exchanges and security, webservices and related APIs, etc.). A static audit and a dynamic audit are performed.

Exposed Infrastructure Pentest

Penetration test on the elements of your infrastructure that you expose, to obtain a visibility on the various access points to your infrastructure (applications, file servers, mail servers, VPN access, remote access, exposed network equipment, etc.). This audit is generally performed in “Black Box”.

Infra and Network Pentest

Pentest on your internal infrastructure, allowing to evaluate the possibilities of malicious acts by a hacker with access to the company's internal network (compromise of a workstation, compromise of the exposed and pivotal infrastructure, physical attack, access to the network, etc.).

IOT Pentest

Penetration test on the different layers (hardware, software, interfaces, links, network, etc.) constituting the connected object. Different auditors are solicited on these missions: hardware and software pentester.

The main purpose of a connected object pentest is to detect the flaws present on the different layers in order to secure the entire environment of the connected object.


The RedTeam audit simulates attacks targeting the company, and allows multiple scenarios. Where a pentest targets a particular scope, we will use several methodologies (phishing, social engineering, pentest, physical intrusions, use of data available on open sources, etc.) allowing us to validate the sources of risks and to test the internal teams (often considered as defenses in Blue Team).

Reconnaissance Audit and OSINT

The reconnaissance audit provides visibility on the various information available on the targeted company (confidential documents, employee IDs and passwords, IPs, shadow It, databases, etc.). The information is then cross-referenced to define the risks related to them.

A specific OSINT department and tools developed internally (CYBERVIGILANCE By HTTPCS) allow us to be particularly effective on these audits.

Global Security Audit

Audit of all your scopes :

  • Information exposed on the internet or on malicious forums (OSINT)
  • Assets and Exposed Infrastructure
  • Shadow IT
  • Pentest exposed infrastructure
  • Focus on sensitive exposed assets
  • Internal infrastructure pentest-type audit on physical sites

This audit provides general visibility of your security status (external and internal).

Differences between external pentest and internal pentest

The external Pentest

The external penetration test targets the assets exposed by the company that are visible on the internet. It can be your applications, websites, file servers, mailboxes, exposed network assets, VPN, etc.).

The Internal Pentest

The internal penetration test starts from the assumption of a presence within your network : exploitation of an external vulnerability on one of your IT equipment or applications, purchase of identifiers on the darknet allowing to connect to your infrastructure, compromise of a workstation, VPN access… but also collaborators (yes yes, it’s common !).

What to do after a Pentest ?

Performing a pentest allows to validate concretely the vulnerabilities and security issues that can compromise or abuse your computer systems. It is a pragmatic and effective audit to ensure a state of security at a given time.


Following a pentest, the identified vulnerabilities must obviously be corrected, or workarounds proposed. The report is used to guide the remediation and the necessary actions / charges, but Ziwit consultants also remain available even after the report has been submitted !


Our experts check the correct application of the patches after they have been applied, in order to issue the Ziwit Consultancy Services certification valid for 1 year. This certification is a real sign of confidence that you can show to your partners, investors, regulatory authorities or any other stakeholder who wants to ensure the integrity, security and reliability of your IT system.

Continuous improvement

The pentest allows you to improve security at a given moment in the life of your infrastructure. It is therefore necessary to use it as a reference, but also to set up a continuous improvement of your security.

Pentest an application, what to do next ?

In order to ensure that there are no more new vulnerabilities or configuration problems that could cause IT security concerns, you can set up a vulnerability scanner between two pentests. We offer a proactive solution to detect vulnerabilities automatically.

The vulnerability scanner provides daily visibility into vulnerabilities and configuration issues in your applications. This will ensure that in case of development, modification, or the arrival of new vulnerabilities, your application will not be vulnerable !

Penetration test report

Delivery of your intrusion test report

Following the audit of your organization, our experts will provide you an audit synthesis, including the following points :

  • The general listing of the detected vulnerabilities
  • A detailed synthesis of each vulnerability
  • Countermeasures to implement
  • Good practices for your employees to follow
  • Support in complying with ISO 27001 & ISO 27002

The advantages of Ziwit Consultancy Services reports :

  • A customized structure according to your needs
  • Detailed points accessible to all
  • Easy to follow good practices
  • An oral presentation upon request

Ziwit Consultancy Services certification

Gain the trust of all stakeholders in your ecosystem

Our experts check afterwards if the corrections have been applied properly, in order to deliver the Ziwit Consultancy Services certification valid for 1 year. This certification is a real guarantee of trust that you can assert to your partners, investors, regulatory authorities or any other stakeholder wishing to ensure the integrity, security and reliability of your IT system.

  • PCI DSS, RGPD, HIPAA compliance assessment
  • Assistance in in obtaining ISO 27001 & ISO 27002 certification
  • IS security audit, including workstations and telephony
  • Websites, business or e-commerce applications security audit
  • Web Services Security Audit
  • Infrastructure Services Security Audit

A need for an IT security audit?

Our team of IT security experts is ready to offer you the audit that best suits your needs and your business.

Your satisfaction and security are our priorities. Contact us

Contact us!

+33 1 85 09 15 09
Consult our privacy policy & GDPR.
We only use technical cookies related to the operation of the site and audience measurement (anonymous statistical data). OK