Audits and pentests
The pentest, is an audit with the aim of verifying the security of a resource (range of IP addresses, website or web application, mobile, internal network...) from the point of view of an attacker. It is the best way of concretely verifying the effectiveness of the protection measures put in place.
More concretely, we assess the security of the perimeter defined with you using a methodology specific to the perimeters tested, which is based in particular on the PTES (Penetration Testing Execution Standard), as well as on fundamental resources such as OWASP.
A clear and detailed audit report is drawn up following the service, mentioning the positive points and the recommendations needed to remedy any vulnerabilities. The pentest report is presented by telephone or at your premises, and breaks down as follows:
- Managerial feedback: gives a business view of the vulnerabilities identified, presents the risks and general areas for improving security
- Technical feedback: details vulnerabilities, enables in-depth technical discussions on the proposed action plan
We invite you to consult the list of our audit services for more detailed information on the intrusion tests we offer.
Understanding pentesting
A penetration test - or pentest - is an offensive evaluation of the security of an information system or digital perimeter. Unlike a document or organisational audit, it reproduces the behaviour of an attacker, in a controlled setting, to test defences in real-life conditions.
The aim is twofold. On the one hand, this involves identifying attack vectors, technical vulnerabilities, configuration faults or partitioning errors that could compromise the confidentiality, integrity or availability of data. Secondly, the test enables risks to be prioritised and practical recommendations to be made, tailored to the context, to improve safety over the long term.
Pentesting is therefore an active process, based on proven standards such as OWASP and PTES (Penetration Testing Execution Standard). It uses dynamic, static, manual and automated analysis techniques. Whereas a vulnerability scan is limited to automatic detection, a pentest incorporates human logic: an offensive security expert, or ‘pentester’, looks not only for vulnerabilities, but also for chains of events or side-effects likely to lead to a real compromise.
Good to know: pentesting is not a substitute for other forms of audit, but complements them with a field approach that is rigorous, contextualised and essential for measuring the robustness of a cybersecurity system in a logic of active risk prevention.
What pentesting is not...
Pentesting is not simply an automated scan for vulnerabilities. Whereas automatic tools are content with a generic scan, often blind to the context, an intrusion test carried out by AlgoSecure relies above all on human intelligence. It is this expertise that enables technical flaws to be combined, logical errors to be detected and realistic operating scenarios to be simulated. The experience of our slotters, combined with a rigorously manual approach, guarantees a more reliable, more accurate and truly actionable audit.
The main types of pentest
A company's attack surface is no longer limited to a simple website. This is why there are several categories of pentest, each targeting a specific environment in order to reproduce the methods of a potential attacker.
Web application Pentest
This test simulates attacks on an online application, identifying technical flaws (XSS, SQL injections, SSRF, etc.) as well as configuration errors on hosting servers or cloud environments.
It follows OWASP standards, including the Top 10 vulnerabilities.
Mobile application Pentest
It combines static analysis (code examination, reverse engineering) and dynamic analysis (tests under conditions of use) to detect design faults, insecure communications or insufficiently protected local data storage. Mobile application testing targets both the code and the underlying architecture.
Code and API Pentest
APIs are often vulnerable to poor rights management, excessive data exposure or a lack of traffic control.
A dedicated test enables you to anticipate authorisation or injection abuse scenarios, which are often absent from automated scans.
IoT (Internet of Things) Pentest
This test explores the entire connected ecosystem: hardware components, firmware, radio communications and associated applications.
It reveals critical risks relating to on-board security, the encryption of exchanges and the presence of backdoors.
Internal network Pentest
Carried out from the heart of the system, this test simulates an internal compromise to analyse network segmentation, equipment configuration and the possible exploitation of Active Directory accounts. It is essential for anticipating lateral movement in the infrastructure.
Social engineering Pentest
Unlike other audits, this test targets users, not only machines. It measures the resistance of teams to phishing attacks, vishing or physical intrusion, in order to assess human vigilance in the face of targeted manipulation.
Our methodology
Before any intrusion attempts are made, we work with you to define the scope to be investigated. This could be your corporate site, specific web applications, a set of peripherals, a range of network addresses, physical buildings, etc.
We also define the level of information our slotters receive at the start of testing :
On the big day, we organise a launch meeting with your technical contacts, then after a final confirmation, we begin technical testing, structured into four essential phases.
01. Reconnaissance phase :
Our penetration tests typically begin with a passive reconnaissance phase where we learn about the target without establishing a connection with it. We identify IP addresses, exposed technologies, open ports, active services and publicly available information leaks. This step enables us to accurately map the attack surface, even from open source sources.
02. Identification of vulnerabilities :
This is followed by fingerprinting via the enumeration of exposed services and applications. At this stage, our experts combine automated tools (scanners, scripts, frameworks) with manual analysis to detect technical, logical or human vulnerabilities. The advantage of this hybrid approach is that it allows us to reveal complex vulnerabilities that tools alone would not be able to identify.
03. Controlled exploitation of vulnerabilities :
For each confirmed vulnerability, we attempt a controlled exploitation to assess its real impact: compromise of a system, unauthorised access, elevation of privileges or lateral displacement. This phase, which is strictly supervised, enables us to measure the actual criticality of the flaws and their potential for linking up in a realistic attack scenario.
04. Report and recommendations :
We then summarise the main findings of the audit during a point de synthèse, before concluding with the drafting of the deliverables. You receive a clear, detailed report, classifying each vulnerability according to its level of seriousness and accompanied by concrete recommendations. In addition, a technical feedback session is held with your teams.
It is important to note that our approach is based on an iterative process: each phase feeds into the next, and the results of the exploitation can feed into a new phase of research or reveal complementary weaknesses.
Who are our pentesters?
Behind every pentest audit mission conducted by AlgoSecure is a team of seasoned experts specialising in offensive security. Our pentesters are certified to the industry's most demanding standards: OSCP (Offensive Security Certified Professional), OSEP (OffSec Experienced Pentester), BSCP (Burp Suite Certified Practitioner), OSED (OffSec Exploit Developer), MCRTA (Multi-Cloud Red Team Analyst) or CRTO (Certified Red Team Operator).
Beyond the titles, it's their double skills that make the difference: specialised technical skills to identify, exploit and document complex vulnerabilities, and proven ability to engage in dialogue with your teams - technical or managerial - to turn findings into concrete action plans.
L’état d’esprit du test d’intrusion
An audit, not a duel
At AlgoSecure, the aim of an intrusion test is never to point the finger at internal teams. The aim is to reinforce the security of your information system in a constructive approach. It's not a role-playing game where the penetrator « wins » or « loses », but a precise diagnosis aimed at identifying levers for improvement, without judgement or competition.
Dialogue as a lever for efficiency
The success of an audit hinges on the quality of the discussions between the auditors and your teams. Progress reviews are often carried out to validate the scope, adjust if necessary and ensure that the discoveries are in line with the technical and business context. Thanks to this collaboration, it will also be possible to anticipate the impact on production and streamline investigations.
How do you welcome a pentest?
A successful assignment always starts with good preparation. Tell your teams in advance, inform your technical partners (IT service providers, hosting companies, etc.), and make sure you don't launch the audit in the middle of a critical operation. Sharing known vulnerabilities also helps to optimise analysis time.
The benefits of AlgoSecure
Our high-quality methodology allows you to benefit from :
- From intelligible pentest reports written manually
- The complementary viewpoint of two security experts.
- A manual analysis essential to complement the automatic approach
- Clear and precise recommendations, remedies and corrective action
- A replay at your premises to allow discussion with your teams
We are PASSI qualified!
Since November 2020, we are Prestataire d'Audit de la Sécurité des Systèmes d'Information (PASSI). This French qualification, delivered by ANSSI, confirms our audit expertise as well as the care with which we ensure the confidentiality of our clients' data. This qualification also confirms our respect of the ISO 19011 audit procedure. We are qualified on pentests, configuration audits, architecture audits, as well as organisational and physical audits.
Frequently asked questions about pentests
Beyond the technical obligation, a penetration test is part of a strategic approach to securing an information system. Whether it's to anticipate threats, meet a specification or demonstrate compliance with a reference system, penetration testing is a high added-value tool.
Act preventively, rather than under duress. The main advantage of pentesting is its ability to detect vulnerabilities before they are exploited. It's a proactive action that puts you one step ahead of the attackers and helps you avoid critical consequences: service interruption, data leakage, damage to your image, etc.
Meet compliance requirements. Many certifications now require regular penetration tests, such as PASSI (Prestataire d'Audit de la Sécurité des Systèmes d'Information), ISO 27001, or standards such as PCI-DSS in the payment sector. Pentesting therefore becomes an essential step in validating your cybersecurity posture.
Increasing team awareness and reinforcing practices. Intrusion testing is also an educational tool. It provides a concrete understanding of the risks associated with certain practices, decisions or configuration errors. In this way, it fosters a stronger security culture in-house, and engages your technical teams in a continuous improvement process.
Reduce risk, with a pragmatic approach. In cyber security, the notion of risk is broken down into three levels: business risks, IT risks and cyber risks. For example, if your website is unavailable, you could lose sales. Pentesting enables these risks to be identified, translated and then reduced through a structured action plan. The aim is not simply to draw up a list of vulnerabilities, but to prioritise realistic, operational corrective actions in line with the resources available. This is also an advantage when it comes to negotiating cyber-security insurance policies: a company that has demonstrated its security maturity can derive a direct financial benefit.
Vulnerability scanning is a tool that can be used to highlight various security flaws. As the results are surface-based, the vulnerability scan needs to be supplemented by a webpentest to assess the vulnerabilities (the association of these vulnerabilities, the possible attack paths, etc.) and check whether they can be exploited.
To find out more, see the article on the differences between a vulnerability scanner and a pentest.
The duration of a web pentest depends on several factors: in particular the scope of the application, determined mainly by its size and the number of IPs or URLs supplied. On average, tests take between 6 and 14 days.
To ensure that the scope to be audited is properly estimated, our surveyors are involved in the pre-sales process and/or are consulted by our sales team.
We're deploying two pentesters for several reasons. As part of penetration testing, the ‘human analysis’ aspect is of paramount importance. These experts analyse vulnerabilities, the chains of these vulnerabilities, and implement scenarios similar to a malicious attack.
By opting for a team of two pentesters, we guarantee our customers a high level of expertise and quality service. We promote the pooling of our experts' skills, encouraging the exchange of information, the verification of detected faults, and the sharing and pooling of their knowledge.
Other pages that might interest you :
Web application audits
We audit your internal or external web applications.
Mobile application audits
We audit your Android and iOS mobile applications.
Red Team audit
We test the security of your building and your staff based on scenarios we conceive with you.
Contact : 04 26 78 24 86 | Follow us on 
Specialists in information security and pentest in Lyon, Paris, Saint-Etienne and throughout France
You've enabled "Do Not Track" in your browser, we respect that choice and don't track your visit on our website.