1 Do I have to provide you with access to our systems/infrastructure?

Depending on the scope of the assessment, internal access may be required. The Pre-Engagement Agreement (PEA) defines, among other things, the scope (internal or external) of the assessment, and thus whether any kind of access or internal information is needed.

2 Do I have to provide you with internal information or topology blueprints prior to penetration testing?

Please see the previous FAQ item.

3 What kind of professionals are on your team?

Our team consists of:

  1. Penetration Testers
  2. System Engineers
  3. Network Engineers
  4. Lead Auditors
  5. Legal Counselors

4 Are you considered as "hackers"?

A "hacker" is not a strictly defined term. It is generally associated with illegal or malicious activities, but that association is not accurate.

To cut a long story short, we are mainly considered penetration testers. We focus on performing cybersecurity assessments on IT systems. When an assessment is requested to be carried out in a more "malicious" way, we act as ethical hackers.

5 How are penetration tests performed?

Generally, we utilize commercial software and in-house developed, proprietary tools in order to carry out all the penetration testing activities. The selection of tools is based on the type of security assessment performed (vulnerability scan, application pentest, full pentest).

6 Is there a possibility of service unavailability, data loss or data corruption?

The assessment activities do not aim to disrupt your services or damage your data. However, depending on the scope of the assessment agreed between us, the assessment can be carried out in a more "malicious" manner.

7 Is there a formal agreement that defines scope and other topics of a vulnerability scan or a penetration test?

Every assessment service is provided after a mutually accepted Pre-Engagement Agreement (PEA). This agreement defines the scope of the assessment, the communication and notification methods, and the permitted time window in which the assessment can be performed.

8 What are the final deliverables of the penetration testing services?

Depending on the type of security assessment performed, the final deliverable ranges from a brief prioritized overview of the vulnerabilities to a thorough, multi-level report with traceability of the penetration testing activities and mitigation recommendations.

For more information regarding what each pentest option provides, please check our Penetration Services section.

9 Do you provide some kind of certification for your security assessments?

Although there is no formal certification for organizations that pass a security assessment (pentest, system audit, vulnerability scan, etc.), recognizing the increased need for such assurance, SpearIT offers the SpearBadge™ logo.

For more information, please check the SpearBadge™ page.

10 How am I notified in case of successful exploitation or breach?

The persons to be notified and the secure communication channels are defined, as mentioned in question 7, in the Pre-Engagement Agreement (PEA).

11 How do you protect my data?

During any activity (e.g., after a successful exploitation during a pentest), any private information or data that comes into our hands is protected using the latest encryption standards.

Additionally, confidentiality, integrity and non-repudiation mechanisms are applied to the communication methods used.

Finally, the Non-Disclosure Agreement (NDA), which is signed along with the Pre-Engagement Agreement (PEA), addresses all privacy obligations.

12 Do you retain my data after an assessment?

Usually, all data related to an assessment is destroyed using a certified data erasure technique (DoD 5220.22-M).

The signed NDA defines the data and information retention terms.