Blauer Hintergrund

Penetration Testing

Vulnerabilities exist in every system. We find them, document them precisely, and show concrete ways to close them. Our tests follow OWASP, PTES, and MITRE ATT&CK, established standards that ensure complete and methodologically sound coverage of all relevant attack vectors.

 

Request Pentest Pentest Portfolio

Documenting security alone doesn’t prove it works

Compliance reports document what is present. A penetration test shows whether it works. No audit replaces a controlled attack. Firewalls, EDR systems, IAM configurations, and access controls only hold up if they have been tested. Regulations make it mandatory for many.

Critical Infrastructure & Regulated Industries

NIS-2, ISO 27001, KRITIS and DCRA. Around 30,000 companies in Germany are required to demonstrate the effectiveness of their security measures. A penetration test report is the most direct way to achieve this.

Payment & Platforms

SaaS with payment functions, e-commerce, payment service providers. PCI DSS 4.0.1 has been in effect since March 2025 and specifically mandates technical tests. Anyone processing card data is affected.

Finance, Automotive & Enterprise

Financial institutions under DORA. Automotive suppliers under TISAX. And all who want to win enterprise customers or maintain their cyber insurance.

 

When a penetration test is the right step

Before a Go-live

New web application, new API, new cloud environment. What hasn’t been checked before launch becomes an attack surface after launch.

After infrastructure changes

Migration, new systems, architectural changes. Every change opens potential attack vectors that did not exist before.

For compliance evidence

ISO 27001, NIS-2, CRA, EU AI Act, and DORA require technical security reviews. A pentest report is recognized proof.

To validate existing protective measures

SIEM, EDR, access controls. Their effectiveness only becomes apparent under conditions that simulate attacks.

Upon request from customers or partners

Service providers operating sensitive systems must be able to prove their security.

Regularly

Security is not a state. A penetration test is a snapshot. Those who test annually know their current status.

Request Pentest

What we test

Globus-mit-Schloss-Icon

Web Application Pentest

Web applications according to OWASP Top 10: authentication failures, injection vulnerabilities, business logic errors, insecure session management. For single-page apps, multi-page apps, and admin interfaces. Black-box, grey-box, or white-box.

Vernetztes-Schutzschild-mit-Haken-Icon

Endpoint Pentest

Company notebooks and workstations: OS hardening, local privilege escalation, EDR/AV configuration, application whitelisting, browser security. We check how far a standard user can get with a compromised device.

Schlüssel-mit-Binärcode-Icon

API Pentest

REST, GraphQL, and SOAP according to OWASP API Security Top 10: Broken Object Level Authorization, Mass Assignment, Rate Limiting, Broken Authentication. For internal and external APIs.

Zielscheibe-mit-Haken-Icon

AD Pentest

Active Directory: misconfigurations, Kerberoasting, Pass-the-Hash, delegation attacks, privilege escalation up to domain dominance. We test how far an attacker can get in the network once they have a foothold.

Vernetztes-Schutzschild-Icon

Network Pentest

External and internal network infrastructure: servers, firewalls, VPNs, switches. Identification of reachable systems, manual check for misconfigurations and vulnerabilities. External (Internet-facing) or internal (Assumed Breach).

Gesperrtes-Smartphone-Icon

Mobile Pentest

iOS and Android apps according to OWASP MASVS: Client-Side Security, Reverse Engineering, Data Storage, Transport Encryption. Including backend API testing.

Cloud-Schutzschild-Icon

Cloud Platform Pentest

AWS, Azure, and GCP: IAM misconfigurations, over-privileged roles, storage access, serverless functions, container security. We examine how an attacker escalates within a cloud environment.

KI-Chip-Icon

AI Pentest

AI applications and their interfaces: Prompt Injection, Jailbreaking, Model Inversion, insecure API connections. For LLM-based applications and AI systems in production environments.

Ergebnisse des Penetrationstests

Häkchen-Icon

Technical Report

Each vulnerability with description, risk assessment (e.g., according to CVSS), reproduction steps, and concrete recommendations for action. Directly usable by technical teams.

Häkchen-Icon

Executive Summary

For management and supervisory boards. Clear situation assessment and clear priorities. No technical prior knowledge required.

Häkchen-Icon

Retest Report

After critical findings have been remediated, we verify the effectiveness of the measures and document the result.

Blauer Hintergrund
Vorschau des carmasec-Playbooks

Threat-Informed Defense

How organizations stop fighting shadows.

A playbook (DE) for IT managers and decision-makers who want to understand how real attacks work and how to stop them effectively. Threat-Informed Defense is the approach that aligns defense with real attacker behavior. This playbook explains which techniques attackers actually use, how MITRE ATT&CK works as a foundation, and which measures are demonstrably effective.

Download

FAQ

Questions? Answers.

Which test method is right, Black-Box, Grey-Box, or White-Box?

It depends on the goal. Black-box simulates an attacker with no prior knowledge. White-box provides maximum test depth because we know the system structure. Grey-box is often the most efficient choice in practice: realistic attacker behavior with controllable effort. We recommend the method based on your specific scope, which we clarify in the scoping call.

What is the difference between a penetration test and a vulnerability scan?

A vulnerability scan is automated and provides a list of known vulnerabilities. A penetration test is manual, contextual, and shows whether and how these vulnerabilities can actually be exploited. Only a pentest can find logic errors, combined attacks, and complex attack paths.

TLPT and do we need it?

Threat-Led Penetration Testing is an intelligence-driven attack simulation based on real attacker profiles. Not a generic test, but a scenario tailored to your organization, your industry, and current threat landscapes. TLPT is mandatory under DORA for significant financial institutions, coordinated according to the TIBER-EU framework. For all others, it is the next level of maturity after a classic penetration test.

How often should a penetration test be performed?

Annually is the minimum. After significant changes and new systems, migration projects, or new applications, we recommend a targeted retest of the affected area. Those falling under DORA are obliged to conduct tests for critical systems every three years. ISO 27001 requires regular review without a fixed frequency.

Will our systems be affected during the test?

Generally not. In the scoping phase, we agree on which systems will be actively tested and which are excluded. Production systems with a high risk of failure are treated separately. Should we find critical vulnerabilities during the test, we will inform you immediately.

Whether start-up, mid-sized company, or corporation: We find the right solution

Trust is built through results

Contact

Define the scope and start the test

The scoping process takes 30 minutes. After that, it will be clear what is being tested, which method is suitable, and when we can start. If you use AI systems or fall under the EU AI Act, we’ll discuss that during the initial consultation too. Fill in the form and send it to us, and we’ll get back to you.

Porträtfoto von Timm Börgers, Geschäftsführer bei der carmasec.
Timm Börgers
Managing Partner
+49 (0)201 426 385 905
vertrieb@carmasec.com