
Penetration Testing

We understand penetration testing as an intensive, technical security examination of IT systems, IT components, networks and applications.

Before we start the assessment, we determine the scope, goals, depth and level of detail together with you and compile everything in a final project description. This allows for a goal-oriented, structured approach and a shared understanding of the assessment goals.

Our team consists of experienced penetration testers with different specialties, who have turned their passion into their profession. This enables us to support you in short-term assessments or long-term security projects, and to offer you specialised services in several fields:

* Penetration Tests of Web Applications and APIs
* Security Assessment of External and Internal Networks
* Assume Breach Assessments
* Active Directory Security Assessment
* Assessment of Cloud Environments
* White Box and Configuration Analysis of IT and Cloud Systems
* Holistic Technical Security Assessments of Corporate Environments
* Penetration Test of Desktop Applications and Fat Clients
* Penetration Test of Proprietary Applications, Devices and Protocols
* Security Assessments of OT Environments Including Architecture and Configuration Analysis
* Security Analysis of Your Payment Process and the Involved Corporate IT Systems

We visited DefCon 31

We were very happy to visit DEFCON in Las Vegas, NV, USA in August 2023 for the first time! DEFCON is an annual event which attracts up to 30,000 attendees interested in the fields of Physical Secur...


Welcome to our new team members

Our team has grown and we are happy to welcome three new employees to our pentesting team. With their help, it is easier for us to respond to the many project requests we’ve had and we hope to be able...


Thomas at Treasury on Tour in Cologne

Treasury on Tour is an event by Schwabe, Ley & Greiner to bring together the leading heads of treasury with high-grade lectures, discussions and the possibility to network. HACKNER Security Intell...


References & Case Studies

Finance

Payment Processes on a Technical Level

For a global sportswear company, the security of payment processes was assessed at three company locations. Securing the interfaces between the different payment tools is an attack vector that is usually underestimated in this scenario. Few people are aware of the role of payment files (mostly XML), which contain all the bank account details of a payment run, including the receiving account.

File transfer, you say? The word "interface" is not always accurate in this context, because the interface is often a human who copies the payment file from their local workstation to a network share. As a result, the files can be modified not only in transit but also where they are stored. An internal attacker can exploit this by changing the receiving account in the file to their own. Depending on the payee, a single altered payment can be worth a considerable sum.

How can this be prevented? In the short term, it is worth securing the payment process with the means already available: encrypting the transmission paths and restricting access to the files. Note that encryption in transit does nothing for a file that sits on a share; restricting who can write to it, and checking before upload that the file is still the one the payment tool produced, is what closes that gap. In the long term, this is unfortunately a more elaborate task: structures and interfaces need to be established that keep employees from having access to the files altogether.
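The manipulation described above, and two checks that catch it before the bank upload, as an added example that is neither HACKNER's code nor the assessed company's. It assumes a constructed, reduced pain.001-style XML payment file (ISO 20022 Customer Credit Transfer Initiation, cut down to the fields needed here), a hypothetical signing key held only by the treasury system and the bank-upload gateway, and a hypothetical vendor master list of approved creditor accounts. The upload gate refuses a file whose HMAC no longer matches what the payment tool signed, and independently flags any creditor IBAN that is not in the approved master data.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = "urn:iso:std:iso:20022:tech:xsd:pain.001.001.03"

# Constructed sample payment file (not from any real system): one SEPA credit
# transfer in a reduced pain.001 structure, with the creditor IBAN that an
# internal attacker on the network share would want to swap for their own.
PAYMENT_FILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pain.001.001.03">
  <CstmrCdtTrfInitn>
    <PmtInf>
      <CdtTrfTxInf>
        <Amt><InstdAmt Ccy="EUR">125000.00</InstdAmt></Amt>
        <Cdtr><Nm>Supplier GmbH</Nm></Cdtr>
        <CdtrAcct><Id><IBAN>DE89370400440532013000</IBAN></Id></CdtrAcct>
      </CdtTrfTxInf>
    </PmtInf>
  </CstmrCdtTrfInitn>
</Document>
"""

# Hypothetical: the signing key lives in the treasury system and in the
# bank-upload gateway only, never on the workstation or the share.
SIGNING_KEY = b"treasury-demo-key-do-not-use"

# Hypothetical vendor master data: the only creditor accounts that may be paid.
APPROVED_VENDOR_IBANS = {"DE89370400440532013000"}


def sign_file(xml_bytes: bytes, key: bytes) -> str:
    """Treasury side: HMAC-SHA256 over the exact bytes leaving the payment tool."""
    return hmac.new(key, xml_bytes, hashlib.sha256).hexdigest()


def verify_file(xml_bytes: bytes, key: bytes, expected_mac: str) -> bool:
    """Upload side: any byte changed on the share changes the MAC."""
    return hmac.compare_digest(sign_file(xml_bytes, key), expected_mac)


def extract_creditor_ibans(xml_bytes: bytes) -> list[str]:
    """Collect every creditor (receiving) IBAN in the file."""
    root = ET.fromstring(xml_bytes)
    ibans = []
    for acct in root.iter(f"{{{NS}}}CdtrAcct"):
        iban = acct.find(f"{{{NS}}}Id/{{{NS}}}IBAN")
        if iban is not None and iban.text:
            ibans.append(iban.text.strip())
    return ibans


def unapproved_ibans(xml_bytes: bytes, approved: set[str]) -> list[str]:
    """Master-data check: receiving accounts that are not approved vendors."""
    return [i for i in extract_creditor_ibans(xml_bytes) if i not in approved]


def tamper(xml_bytes: bytes, old_iban: str, new_iban: str) -> bytes:
    """What the attacker on the share does: a plain text edit of the IBAN."""
    return xml_bytes.replace(old_iban.encode(), new_iban.encode())


def release_to_bank(xml_bytes: bytes, key: bytes, mac: str,
                    approved: set[str]) -> tuple[bool, list[str]]:
    """Gate before upload: integrity and master-data checks must both pass."""
    problems = []
    if not verify_file(xml_bytes, key, mac):
        problems.append("integrity check failed: file differs from what treasury signed")
    for iban in unapproved_ibans(xml_bytes, approved):
        problems.append(f"creditor account {iban} is not in the vendor master data")
    return (not problems, problems)


if __name__ == "__main__":
    mac = sign_file(PAYMENT_FILE, SIGNING_KEY)
    print(release_to_bank(PAYMENT_FILE, SIGNING_KEY, mac, APPROVED_VENDOR_IBANS))
    # Attacker edits the file on the share; both checks now fail.
    modified = tamper(PAYMENT_FILE, "DE89370400440532013000", "DE02120300000000202051")
    print(release_to_bank(modified, SIGNING_KEY, mac, APPROVED_VENDOR_IBANS))
```

The MAC only helps if the key is out of reach of anyone who can write to the share; otherwise the attacker simply re-signs the edited file. The vendor master check catches a substituted account even where no signature exists, but not an attacker who can also edit the master data, which is why the long-term goal remains removing human access to the payment files altogether.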

Insurance

Risk for Insurances Through Manipulation of Data

Insurance companies process personal data, so a web application for vehicle registration was subjected to a security check. In addition to classic web attacks, there are risks such as the manipulation of data after a contract has been concluded, which can enable insurance fraud by customers as well as by insurance employees.

IT Service

Logical Denial-of-Service Attack

From time to time, we receive unusual requests, for example a company's order to secure its web portal against denial-of-service attacks. Put bluntly: "Send requests to our portal up to a certain request limit, and we want to see if we can stand our ground!" The particular challenge was to exploit logical technical weaknesses purposefully for the attack.

This was quite a new project for us, as we usually do not conduct denial-of-service attacks, but the specific attack strategy made us curious. This paid off in the end: exploiting a programming error made it possible not just to make the site unavailable but to bring it down entirely.