In security as in life, the hardest weaknesses to pinpoint are your own. Fortunately, we have no problem thoroughly documenting all of your flaws. In fact, it’s kind of our job. 这是一件好事:了解您的漏洞——以及攻击者可能利用它们的方式——是您可以在改进安全程序时获得的最重要的见解之一. With that in mind, Rapid7的渗透测试服务团队将在您的网络上模拟真实的攻击, applications, devices, 和/或人员来展示您的关键系统和基础设施的安全级别,并向您展示需要采取哪些措施来加强它. 就像你妈妈一样,我们不会因为你的缺点让你烦恼而强调它——我们这样做是因为我们关心你.
How can we help?
让我们的专家模拟对您网络的攻击,向您展示您的弱点(以及如何加强它们)。.
Contact UsWay more than security experts
The best way to stop attackers is to think and act like an attacker. Which is why, unlike many security firms, 我们不雇用刚毕业的毕业生或在IT方面比安全经验更丰富的人作为渗透测试人员. Instead, we find good people who know about bad things. Things like ATM hacking, multi-function printer exploitation, automobile keyless entry attacks, endpoint protection bypass techniques, RFID cloning, security alarm system bypass… you get the idea. And those kinds of people? They’re way more than security experts—they’re bonafide hackers.
为了永远领先于攻击者一步,并帮助其他人做到这一点,我们的测试人员投入了25%的时间进行研究并为安全社区做出贡献, publishing articles, presenting at conferences, developing and releasing open source testing tools, and writing popular Metasploit modules. (奖励:由于我们拥有Metasploit,我们的渗透测试人员获得了最广泛使用的无与伦比的访问权限 penetration testing tool in the world.)
What to fix, and when and how to fix it
从大多数渗透测试中,你能期望得到的最好结果是一长串问题,几乎没有关于如何修复它们或从哪里开始的上下文. Helpful, right? Rapid7 provides a prioritized list of issues, 基于使用行业标准排序过程的每个发现的可利用性和影响.
What can you expect? A detailed description and proof of concept for each finding, as well as an actionable remediation plan. 因为我们知道,风险的严重性只是优先考虑补救工作的一个因素, 我们还将深入了解修复这些发现所需的努力程度. In addition, you'll receive:
- An attack storyboard that walks you through sophisticated chained attacks
- 从攻击者的角度比较您的环境与最佳实践的记分卡
- Positive findings that call out what security controls you have that are effective
Compliance is a by-product of good security
We believe that good security begets good compliance. 这就是为什么我们所做的一切——从我们对Metasploit的投资和承诺到我们新的攻击者分析产品——都专注于帮助您更好地了解攻击者以及如何防御他们. This extends to our penetration testing services; every company’s network and challenges are unique, 因此,我们的渗透测试人员为每次交战量身定制他们的方法和攻击向量. We also conduct penetration tests on our own network and products regularly, to ensure they’re always up-to-date in detecting real-world attacks.
Our pen testing services
Rapid7 offers a range of penetration testing services to meet your needs. Can't find what you're looking for? Reach out to learn about our custom solutions.
-
Network Penetration Testing Services – External or Internal
我们模拟真实世界的攻击,以提供对网络基础设施的漏洞和威胁的时间点评估.
-
Web Application Penetration Testing Services
除了开源安全测试方法手册(OSSTMM)和渗透测试执行标准(PTES)之外,Rapid7的应用渗透测试服务还利用了开放Web应用安全项目(OWASP)。, a comprehensive framework for assessing the security of web-based applications, as a foundation for our web application assessment methodology.
-
Mobile Application Penetration Testing Services
As the widespread use of mobile applications continues to grow, consumers and corporations find themselves facing new threats around privacy, insecure application integration, and device theft. 我们不仅要查看API和web漏洞,还要检查应用程序在移动平台上的风险. We leverage the Open Web Application Security Project (OWASP), Open Source Security Testing Methodology Manual (OSSTMM), 以及渗透测试执行标准(PTES)方法,以彻底评估移动应用程序的安全性.
-
IoT and Internet-Aware Device Testing
Internet-aware devices span from ubiquitous, commercial Internet of Things (IoT) devices and systems to automotive, healthcare and mission critical Industrial Control Systems (ICS). 我们的测试超越了基本的设备测试,考虑了目标的整个生态系统, covering areas such as communications channels and protocols, encryption and cryptography use, interfaces and APIs, firmware, hardware, and other critical areas. 我们深入的手工测试和分析寻找已知的和以前未发现的漏洞.
-
Social Engineering Penetration Testing Services
恶意用户通常通过社会工程比传统的网络/应用程序利用更能成功地破坏网络基础设施. To help you prepare for this type of strike, we use a combination human and electronic methodologies to simulate attacks. 基于人的攻击包括冒充受信任的个人,试图获取信息和/或访问信息或客户端基础设施. 基于电子的攻击包括使用复杂的网络钓鱼攻击,这些攻击是根据特定的组织目标和严格性精心设计的. Rapid7 will customize a methodology and attack plan for your organization.
-
Red Team Attack Simulation
Want to focus on your organization’s defense, detection, and response capabilities? Rapid7与您一起开发自定义的攻击执行模型,以正确地模拟您的组织面临的威胁. The simulation includes real-world adversarial behaviors and tactics, techniques, and procedures (TTPs), 允许您在面对顽固和坚定的攻击者时衡量安全程序的真正有效性.
-
Wireless Network Penetration Testing Services
我们利用开源安全测试方法手册(OSSTMM)和渗透测试执行标准(PTES)作为我们无线评估方法的基础, 哪一个模拟真实世界的攻击,以提供对无线网络基础设施的漏洞和威胁的时间点评估.
Under the Hoodie: True Stories from Rapid7 Pen Testers
Each year, Rapid7 pen testers complete more than 1,000 assessments. 我们收集了一些故事,让你对连帽衫下面发生的事情有一些真实的了解.
The Bank Job
This real-life story of social engineering owes its success to holes—some figurative, and some big enough to walk through. 找出我们的临时麦盖弗是如何绕过银行的安全检查站进行一笔不正当的存款以帮助他从停车场侵入.
