Cyver uses 3 assessment levels, designed to offer everything from basic cybersecurity assessments to complete pentesting. Depending on your organization, you might need one pentest level, or to test in several stages across different environments to manage risk while reducing total cost. 

No matter which pentest level you choose, all findings and reports will be available through our cloud portal. Here, you can onboard your team to see findings in real time, request retests, and communicate directly with the hackers responsible for testing your environment. 

Level 1 – Awareness

The Level 1 Pentest is a fast, basic assessment incorporating about 50% automated testing and 50% manual review. This test looks for basic issues like XSS and SQLi vulnerabilities – essentially working to catch the most basic and obvious security problems. Level 1 tracks to OWASP Top 10 guidelines and ASVS Level 1 standards.

Nearly every organization should start out with a basic pentest. Awareness is ideal for organizations that might have obvious and very easily detectable issues. Level 1 offers an affordable, easily repeatable pentest, ideal for catching early-stage “low-hanging fruit”. We always recommend running a Level 1 pentest before you go live.

In most cases, we recommend starting with a Level 1 assessment to ensure basic security is in place. You can then follow up with a more thorough Level 2 or 3 pentest to ensure basic issues are resolved and to test for deeper issues. However, some web applications never need further testing. For example, you might only need Level 1 if:

  • You haven’t done any pentesting before and have to start from the ground up 
  • You don’t process any sensitive data 
  • All payments are processed through secure portals with third-party security standards and encryption or no payments are accepted
  • You do not operate in an industry where data protection is required 

Level 2 – Secure

Level 2 pentesting tracks to ASVS Level 2 standards. It comprises about 70% manual research and 30% automated assessment. Here, one of our hackers deep dives into your environment to find vulnerabilities. While this assessment will catch “basic” security problems, the intent is to pentest a site with solid basics to assess deeper issues. This allows you to further strengthen security, removing vulnerabilities to even lesser-known or harder-to-catch risks.

Level 2 security assessments are ideal for organizations working to improve security. We recommend that most organizations use Level 2 as a basic assessment for routine security. This is especially important if you are: 

  • Processing payments 
  • Implementing business critical functions 
  • Processing sensitive data or B2B transactions 
  • Processing third-party healthcare data
  • Operating in an industry requiring data protection

Essentially, we see Level 2 as a baseline, with which you can secure your processes, payments, and data protection. 

Level 3 – Advanced

A Level 3 Pentest incorporates significant custom scripting, manual review, and leveraging of vulnerabilities. Here, the pentester at Cyver takes on the role of a malicious hacker, to attempt to gain control of the environment with Root/Administrator privileges. It includes 80% manual testing and 20% automation. It tests for complex factors ranging from confidentiality controls to app availability, authentication, authorization, auditing, non-repudiation, and much more. 

Level 3 assessment is required for most compliance needs. For example, if you’re pentesting to meet DigiD, HIPAA, ISO, PCI, or other compliance needs, you likely need a Level 3 assessment. This tracks to ASVS Level 2 and constitutes a very high level of complexity in assessment.

  • You have to meet compliance requirements 
  • Your website or application is modularized with individual security controls 
  • You operate in an industry with very high levels of data protection 

Level 3 assessment constitutes the highest level of assessment available.

Depending on your organization and its needs, any of the three levels might be suitable. You can also upgrade your pentest with add-ons for compliance specifications, to include code review, or to meet custom requirements (which must be discussed during the consultation).

Of course, if you’re not sure which level you need, we can help.