MethOdOLOGY

On this Page you will find descriptions of the Methodology used during a Pentest. This is to inform you about what is happening "behind the scenes" and to explain certain necessary Terms used in the Descriptions.

OWASP TOP 10 is a compilation of the top 10 most common Web Application Vulnerabilities. While there still are other vulnerabilities, these are the ones that the Tests include, as the exploitation of said Top 10 is the most common approach by Threat Actors.

OWASP tOp 10

The MITRE ATT&CK Framework is a comprehensive base of adversary tactics and techniques based on real-world observations. There you can find a comprehensive list of steps and techniques used from Reconnaisance, up to Exploitation, Exfiltration and many more.

MITRe ATT&CK

The Cyber-Kill-Chain, developed by Lockheed Martin, shows the general Steps of a Cyberattack carried out by an "APT", which can help with Prevention and Securing Systems.

Cyber-kill-chAin

APT

An APT, or Advanced-Persistent-Threat, is a highly skilled Threat Actor, most often state-sponsored with the Goal of Cyber-Espionage and Sabotage.

"BOx" ApprOAches

The Approaches in a Pentest are generally described using "Boxes".

Black-Box:

A Black Box approach means that no Information is given to the Pentester. All that is known is what is described in the Scope.

Grey-Box:

A Grey Box approach means that limited Information is given to the Pentester. This can be information about the architecture of the application or the credentials for an Account that can be used for Remote Log In.