Penetration testing. Case Studies
If we are able to automate security and testing tooling, we can incorporate it at every stage of the agile cycle, and improve outcomes for security, test and the development teams.
Case studies of our team’s past projects provide an insight into our services and are an example of how our experience may be relevant to your case.
Tenendo is capable of emulating a real-world attack and can do that without any additional information about the infrastructure. Our in-house developed tools and payloads improve the chances of a successful breach and can provide the Client with valuable experience in opposing a sophisticated threat actor.
We also incorporate our blue team operations and compliance experience in red team assessments and can provide in-depth recommendations about threat detection and response processes, monitoring and logging techniques, and infrastructure hardening.
When it comes to quality and security, people are your strongest asset — ours too. We are proud of our team and what we do and have decided to partially share our past projects and cases to provide our customers with a behind-the-scenes look at our process and our past experience. We made sure all cases are anonymous and do not disclose any confidential information, but still provide valuable insight.
The team created several hardware connect-back appliances and used them in a PCI DSS segmentation testing engagement to uncover impactful network vulnerabilities.
During this social engineering engagement, it was possible to achieve persistent internal access, exfiltrate confidential and personal information, and compromise the internal segmented infrastructure.
Tenendo specialists discovered an unattended staging environment and leveraged its vulnerabilities for sensitive information disclosure. This information was later reused in an attack against the main application, which allowed us to access the payment API on behalf of other customers of our Client.
This case is a very good example of why manual penetration tests are valuable – the team achieved compromise without administrator access to the application, without using any known exploits, and without discovering injection/deserialization/other RCE flaws.
The adversary simulation activity allowed the security team to demonstrate a complete compromise path while not using any usual, “exploitable” vulnerabilities.
The adversary simulation activity helped the client identify and remediate multiple issues with the on-premise infrastructure and vulnerabilities, calculate potential risks, and improve the overall security posture. Each finding also included proposed solutions for applying industry-standard defences.
The Azure penetration test helped the client identify and remediate multiple issues and misconfigurations, harden their infrastructure and calculate potential risks.