{"id":3589,"date":"2026-04-22T10:24:19","date_gmt":"2026-04-22T10:24:19","guid":{"rendered":"https:\/\/www.carmasec.com\/services\/offensive-security\/penetration-testing\/"},"modified":"2026-05-29T12:26:00","modified_gmt":"2026-05-29T12:26:00","slug":"penetration-testing","status":"publish","type":"page","link":"https:\/\/www.carmasec.com\/en\/services\/offensive-security\/penetration-testing\/","title":{"rendered":"Penetration Testing"},"content":{"rendered":"\n
\"Blauer\n <\/figure>
\n
\n
\n

Penetration Testing<\/h1>\n

Vulnerabilities exist in every system. We find them, document them precisely, and show concrete ways to close them. Our tests follow OWASP, PTES, and MITRE ATT&CK, established standards that ensure complete and methodologically sound coverage of all relevant attack vectors. <\/p>\n

 <\/p>\n

Request Pentest<\/a> Pentest Portfolio<\/a><\/p>\n\n <\/div>\n <\/div>\n <\/div>\n<\/section>\n

\n
\n
\n

Documenting security alone doesn’t prove it works<\/h2>\n

Compliance reports document what is present. A penetration test shows whether it works. No audit replaces a controlled attack. Firewalls, EDR systems, IAM configurations, and access controls only hold up if they have been tested. Regulations make it mandatory for many. <\/p>\n\n <\/article>\n <\/div>\n <\/div>\n<\/section>\n

\n
\n
\n
\n \n
\n \n

Critical Infrastructure & Regulated Industries<\/strong><\/h4>\n

NIS-2, ISO 27001, KRITIS, and DCRA. Approximately 30,000 companies in Germany must demonstrate the effectiveness of their security measures. A pentest report is the most direct way to do so. <\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n

\n \n
\n \n

Payment & Platforms<\/strong><\/h4>\n

SaaS with payment functions, e-commerce, payment service providers. PCI DSS 4.0.1 has been in effect since March 2025 and specifically mandates technical tests. Anyone processing card data is affected. <\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n

\n \n
\n \n

Finance, Automotive & Enterprise<\/strong><\/h4>\n

Financial institutions under DORA. Automotive suppliers under TISAX. And all who want to win enterprise customers or maintain their cyber insurance. <\/p>\n

 <\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n <\/div>\n <\/div>\n<\/section>\n

\n
\n
\n

When a penetration test is the right step<\/h2><\/div>\n <\/div>\n <\/div>\n<\/section>\n
\n
\n
\n
\n \n
\n \n

Before a Go-live<\/h4>\n

New web application, new API, new cloud environment. What hasn’t been checked before launch becomes an attack surface after launch. <\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n

\n \n
\n \n

After infrastructure changes<\/h4>\n

Migration, new systems, architectural changes. Every change opens potential attack vectors that did not exist before. <\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n

\n \n
\n \n

For compliance evidence<\/h4>\n

ISO 27001, NIS-2, CRA, EU AI Act, and DORA require technical security reviews. A pentest report is recognized proof. <\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n

\n \n
\n \n

To validate existing protective measures<\/h4>\n

SIEM, EDR, access controls. Their effectiveness only becomes apparent under conditions that simulate attacks. <\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n

\n \n
\n \n

Upon request from customers or partners<\/h4>\n

Service providers operating sensitive systems must be able to prove their security.<\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n

\n \n
\n \n

Regularly<\/h4>\n

Security is not a state. A penetration test is a snapshot. Those who test annually know their current status. <\/p>\n

Request Pentest<\/a><\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n <\/div>\n <\/div>\n<\/section>\n

\n
\n
\n

What we test<\/h2><\/div>\n <\/div>\n <\/div>\n<\/section>\n
\n
\n
\n
\n \n
\n \"Globus-mit-Schloss-Icon\"\n

Web Application Pentest<\/h4>\n

Web applications according to OWASP Top 10: authentication failures, injection vulnerabilities, business logic errors, insecure session management. For single-page apps, multi-page apps, and admin interfaces. Black-box, grey-box, or white-box. <\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n

\n \n
\n \"Vernetztes-Schutzschild-mit-Haken-Icon\"\n

Endpoint Pentest<\/h4>\n

Company notebooks and workstations: OS hardening, local privilege escalation, EDR\/AV configuration, application whitelisting, browser security. We check how far a standard user can get with a compromised device. <\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n

\n \n
\n \"Schl\u00fcssel-mit-Bin\u00e4rcode-Icon\"\n

API Pentest<\/h4>\n

REST, GraphQL, and SOAP according to OWASP API Security Top 10: Broken Object Level Authorization, Mass Assignment, Rate Limiting, Broken Authentication. For internal and external APIs. <\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n

\n \n
\n \"Zielscheibe-mit-Haken-Icon\"\n

AD Pentest<\/h4>\n

Active Directory: misconfigurations, Kerberoasting, Pass-the-Hash, delegation attacks, privilege escalation up to domain dominance. We test how far an attacker can get in the network once they have a foothold. <\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n

\n \n
\n \"Vernetztes-Schutzschild-Icon\"\n

Network Pentest<\/h4>\n

External and internal network infrastructure: servers, firewalls, VPNs, switches. Identification of reachable systems, manual check for misconfigurations and vulnerabilities. External (Internet-facing) or internal (Assumed Breach). <\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n

\n \n
\n \"Gesperrtes-Smartphone-Icon\"\n

Mobile Pentest<\/h4>\n

iOS and Android apps according to OWASP MASVS: Client-Side Security, Reverse Engineering, Data Storage, Transport Encryption. Including backend API testing. <\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n

\n \n
\n \"Cloud-Schutzschild-Icon\"\n

Cloud Platform Pentest<\/h4>\n

AWS, Azure, and GCP: IAM misconfigurations, over-privileged roles, storage access, serverless functions, container security. We examine how an attacker escalates within a cloud environment. <\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n

\n \n
\n \"KI-Chip-Icon\"\n

AI pentesting<\/h4>\n

AI applications and their interfaces: Prompt Injection, Jailbreaking, Model Inversion, insecure API connections. For LLM-based applications and AI systems in production environments. <\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n <\/div>\n <\/div>\n<\/section>\n

\n
\n
\n

Deliverables of the Penetration Test<\/h2><\/div>\n <\/div>\n <\/div>\n<\/section>\n
\n
\n
\n
\n \n
\n \"H\u00e4kchen-Icon\"\n

Technical Report<\/h4>\n

Each vulnerability with description, risk assessment according to CVSS, reproduction steps, and concrete recommendations for action. Directly usable by technical teams. <\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n

\n \n
\n \"H\u00e4kchen-Icon\"\n

Executive Summary<\/h4>\n

For management and supervisory boards. Clear situation assessment and clear priorities. No technical prior knowledge required. <\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n

\n \n
\n \"H\u00e4kchen-Icon\"\n

Retest Report<\/h4>\n

After critical findings have been remediated, we verify the effectiveness of the measures and document the result.<\/p>\n<\/figcaption>\n <\/figure>\n \n <\/div>\n <\/div>\n <\/div>\n<\/section>\n\n \"Blauer\n

\n \n
\n
\n \"Vorschau <\/figure>\n\n
\n

Threat-Informed Defense<\/h2>\n

Wie Organisationen aufh\u00f6ren, gegen Schatten zu k\u00e4mpfen.<\/h2>\n

Ein Playbook f\u00fcr IT-Verantwortliche und Entscheider:innen, die wissen wollen, wie echte Angriffe funktionieren und wie man sie gezielt stoppt. Threat-Informed Defense ist der Ansatz, der Verteidigung an realen Angreiferverhalten ausrichtet. Dieses Playbook erkl\u00e4rt, welche Techniken Angreifer tats\u00e4chlich einsetzen, wie MITRE ATT&CK als Grundlage funktioniert und welche Ma\u00dfnahmen nachweisbar wirksam sind.<\/p>\n

Download<\/a><\/p>\n <\/article>\n <\/div>\n\n \n <\/div>\n<\/section>\n

\n
\n
\n

FAQ<\/h4>

Questions? Answers. <\/h3><\/div>\n <\/div>\n <\/div>\n<\/section>\n
\n
\n
\n
\n
\n
\n
\n

\n Which test method is right, Black-Box, Grey-Box, or White-Box?\n <\/p>\n <\/div>\n

\n

It depends on the goal. Black-box simulates an attacker with no prior knowledge. White-box provides maximum test depth because we know the system structure. Grey-box is often the most efficient choice in practice: realistic attacker behavior with controllable effort. We recommend the method based on your specific scope, which we clarify in the scoping call. <\/p>\n<\/div>\n <\/div>\n <\/div>\n

\n
\n

\n What is the difference between a penetration test and a vulnerability scan?\n <\/p>\n <\/div>\n

\n

A vulnerability scan is automated and provides a list of known vulnerabilities. A penetration test is manual, contextual, and shows whether and how these vulnerabilities can actually be exploited. Only a pentest can find logic errors, combined attacks, and complex attack paths. <\/p>\n<\/div>\n <\/div>\n <\/div>\n

\n
\n

\n TLPT and do we need it?\n <\/p>\n <\/div>\n

\n

Threat-Led Penetration Testing is an intelligence-driven attack simulation based on real attacker profiles. Not a generic test, but a scenario tailored to your organization, your industry, and current threat landscapes. TLPT is mandatory under DORA for significant financial institutions, coordinated according to the TIBER-EU framework. For all others, it is the next level of maturity after a classic penetration test. <\/p>\n<\/div>\n <\/div>\n <\/div>\n

\n
\n

\n How often should a penetration test be performed?\n <\/p>\n <\/div>\n

\n

Annually is the minimum. After significant changes and new systems, migration projects, or new applications, we recommend a targeted retest of the affected area. Those falling under DORA are obliged to conduct tests for critical systems every three years. ISO 27001 requires regular review without a fixed frequency. <\/p>\n<\/div>\n <\/div>\n <\/div>\n

\n
\n

\n Will our systems be affected during the test?\n <\/p>\n <\/div>\n

\n

Generally not. In the scoping phase, we agree on which systems will be actively tested and which are excluded. Production systems with a high risk of failure are treated separately. Should we find critical vulnerabilities during the test, we will inform you immediately. <\/p>\n<\/div>\n <\/div>\n <\/div>\n <\/div>\n <\/div>\n <\/div>\n <\/div>\n<\/section>\n

\n
\n
\n

Whether start-up, mid-sized company, or corporation: We find the right solution<\/h2><\/div>\n <\/div>\n <\/div>\n<\/section>\n
\"Logo<\/figure>
\"Logo<\/figure>
\"Logo<\/figure>
\"Logo<\/figure>
\"Logo<\/figure>
\"Logo<\/figure>
\"Logo<\/figure>
\"Logo<\/figure>
\"Logo<\/figure>
\"Logo<\/figure>
\"Logo<\/figure>
\"Logo<\/figure>
\"Logo<\/figure>
\"Logo<\/figure>\n\t <\/div>
<\/div>\n<\/section>\n
\n
\n
\n

Trust is built through results<\/h4><\/div>\n <\/div>\n <\/div>\n<\/section>\n
\n
\n
\n
\n
\"Logo\n <\/div>\n
\u00bbMit Unterst\u00fctzung von carmasec haben wir KPIs definiert und einen h\u00f6heren Grad an Transparenz und Akzeptanz geschaffen.\u00ab<\/blockquote>

DKV Mobility Services<\/strong><\/p><\/article>\n <\/div>\n <\/div>\n

\n
\n
\"Logo\n <\/div>\n
\u00bbProfessionell, flexibel, nahbar und vor allem: erfolgreich. carmasec hat geliefert, was versprochen wurde.\u00ab<\/blockquote>

Bruker Optics<\/strong><\/p><\/article>\n <\/div>\n <\/div>\n

\n
\n
\"Logo\n <\/div>\n
\u00bbMit carmasec fanden wir einen vertrauensw\u00fcrdigen Partner, der uns bei der Umsetzung unterst\u00fctzte und einen umfangreichen Ergebnisbericht lieferte. Wir empfehlen carmasec uneingeschr\u00e4nkt weiter.\u00ab<\/blockquote>

ELIGO<\/strong><\/p><\/article>\n <\/div>\n <\/div>\n

\n
\n
\"Logo\n <\/div>\n
\u00bbcarmasec leistete einen nennenswerten Beitrag zur Sicherheit unserer Dienste. Professionelle Beratung, saubere Durchf\u00fchrung. F\u00fcr Infrastruktur-Pentests empfehlen wir carmasec uneingeschr\u00e4nkt.\u00ab<\/blockquote>

tyntec GmbH<\/strong><\/p><\/article>\n <\/div>\n <\/div><\/div>\n <\/div>\n<\/section>\n

\n
\n
\n
\n

Kontakt<\/p>\n

Scope definieren und Test starten<\/h2>\n

Scoping dauert 30 Minuten. Danach ist klar, was getestet wird, welche Methode passt und wann wir starten k\u00f6nnen. Wer KI-Systeme einsetzt oder unter den EU AI Act f\u00e4llt: auch das besprechen wir im Erstgespr\u00e4ch. Formular ausf\u00fcllen und abschicken, danach melden wir uns.<\/p>\n

\n
\"Portr\u00e4tfoto<\/figure>\n
Timm B\u00f6rgers<\/strong>
\nGesch\u00e4ftsf\u00fchrer<\/span>
\n+49 (0)201 426 385 905<\/a>
\nvertrieb@carmasec.com<\/a><\/div>\n<\/div>\n\n <\/article>\n
\n
\n