
Penetration Testing

Vulnerabilities exist in every system. We find them, document them precisely, and show concrete ways to close them. Our tests follow OWASP, PTES, and MITRE ATT&CK, established standards that ensure complete and methodologically sound coverage of all relevant attack vectors.


Documenting security alone doesn’t prove it works

Compliance reports document what is present. A penetration test shows whether it works. No audit replaces a controlled attack. Firewalls, EDR systems, IAM configurations, and access controls only hold up if they have been tested. Regulations make it mandatory for many.

Critical Infrastructure & Regulated Industries

NIS-2, ISO 27001, KRITIS, and DCRA. Approximately 30,000 companies in Germany must demonstrate the effectiveness of their security measures. A pentest report is the most direct way to do so.

Payment & Platforms

SaaS with payment functions, e-commerce, payment service providers. PCI DSS 4.0.1 has been in effect since March 2025 and specifically mandates technical tests. Anyone processing card data is affected.

Finance, Automotive & Enterprise

Financial institutions under DORA. Automotive suppliers under TISAX. And all who want to win enterprise customers or maintain their cyber insurance.


When a penetration test is the right step

Before a Go-live

New web application, new API, new cloud environment. What hasn’t been checked before launch becomes an attack surface after launch.

After infrastructure changes

Migration, new systems, architectural changes. Every change opens potential attack vectors that did not exist before.

For compliance evidence

ISO 27001, NIS-2, CRA, EU AI Act, and DORA require technical security reviews. A pentest report is recognized proof.

To validate existing protective measures

SIEM, EDR, access controls. Their effectiveness only becomes apparent under conditions that simulate attacks.

Upon request from customers or partners

Service providers operating sensitive systems must be able to prove their security.

Regularly

Security is not a state. A penetration test is a snapshot. Those who test annually know their current status.


What we test


Web Application Pentest

Web applications according to OWASP Top 10: authentication failures, injection vulnerabilities, business logic errors, insecure session management. For single-page apps, multi-page apps, and admin interfaces. Black-box, grey-box, or white-box.


Endpoint Pentest

Company notebooks and workstations: OS hardening, local privilege escalation, EDR/AV configuration, application whitelisting, browser security. We check how far a standard user can get with a compromised device.


API Pentest

REST, GraphQL, and SOAP according to OWASP API Security Top 10: Broken Object Level Authorization, Mass Assignment, Rate Limiting, Broken Authentication. For internal and external APIs.


AD Pentest

Active Directory: misconfigurations, Kerberoasting, Pass-the-Hash, delegation attacks, privilege escalation up to domain dominance. We test how far an attacker can get in the network once they have a foothold.


Network Pentest

External and internal network infrastructure: servers, firewalls, VPNs, switches. Identification of reachable systems, manual check for misconfigurations and vulnerabilities. External (Internet-facing) or internal (Assumed Breach).


Mobile Pentest

iOS and Android apps according to OWASP MASVS: Client-Side Security, Reverse Engineering, Data Storage, Transport Encryption. Including backend API testing.


Cloud Platform Pentest

AWS, Azure, and GCP: IAM misconfigurations, over-privileged roles, storage access, serverless functions, container security. We examine how an attacker escalates within a cloud environment.


AI Pentest

AI applications and their interfaces: Prompt Injection, Jailbreaking, Model Inversion, insecure API connections. For LLM-based applications and AI systems in production environments.

Deliverables of the Penetration Test


Technical Report

Each vulnerability with description, risk assessment according to CVSS, reproduction steps, and concrete recommendations for action. Directly usable by technical teams.


Executive Summary

For management and supervisory boards. Clear situation assessment and clear priorities. No technical prior knowledge required.


Retest Report

After critical findings have been remediated, we verify the effectiveness of the measures and document the result.


Threat-Informed Defense

How organizations stop fighting shadows.

A playbook for IT managers and decision-makers who want to know how real attacks work and how to stop them in a targeted way. Threat-Informed Defense is the approach that aligns defense with real attacker behavior. This playbook explains which techniques attackers actually use, how MITRE ATT&CK works as the foundation, and which measures are demonstrably effective.

FAQ

Questions? Answers.

Which test method is right, Black-Box, Grey-Box, or White-Box?

It depends on the goal. Black-box simulates an attacker with no prior knowledge. White-box provides maximum test depth because we know the system structure. Grey-box is often the most efficient choice in practice: realistic attacker behavior with controllable effort. We recommend the method based on your specific scope, which we clarify in the scoping call.

What is the difference between a penetration test and a vulnerability scan?

A vulnerability scan is automated and provides a list of known vulnerabilities. A penetration test is manual, contextual, and shows whether and how these vulnerabilities can actually be exploited. Only a pentest can find logic errors, combined attacks, and complex attack paths.

What is TLPT, and do we need it?

Threat-Led Penetration Testing is an intelligence-driven attack simulation based on real attacker profiles. Not a generic test, but a scenario tailored to your organization, your industry, and current threat landscapes. TLPT is mandatory under DORA for significant financial institutions, coordinated according to the TIBER-EU framework. For all others, it is the next level of maturity after a classic penetration test.

How often should a penetration test be performed?

Annually is the minimum. After significant changes such as new systems, migration projects, or new applications, we recommend a targeted retest of the affected area. Those falling under DORA are obliged to conduct tests for critical systems every three years. ISO 27001 requires regular review without a fixed frequency.

Will our systems be affected during the test?

Generally not. In the scoping phase, we agree on which systems will be actively tested and which are excluded. Production systems with a high risk of failure are treated separately. Should we find critical vulnerabilities during the test, we will inform you immediately.

Whether start-up, mid-sized company, or corporation: we find the right solution

Trust is built through results

Contact

Define the scope and start the test

Scoping takes 30 minutes. After that it is clear what will be tested, which method fits, and when we can start. If you use AI systems or fall under the EU AI Act, we discuss that in the initial call as well. Fill in and submit the form, and we will get back to you.

Timm Börgers
Managing Director
+49 (0)201 426 385 905
vertrieb@carmasec.com