Frequently asked questions
Here you will find the answers to your questions
Here we answer frequently asked questions about our products and the terminology associated with our field of activity.
What is the difference between a cyber security assessment and a penetration test?
The aim of a cyber security assessment is to determine the "state of health" of the landscape of your IT systems and applications. Depending on the agreed assessment specification, a very detailed check is carried out to determine whether (exploitable) vulnerabilities exist. A penetration test focuses in particular on analysing individual applications or networks in order to detect previously unknown vulnerabilities.
How does an assessment work?
Firstly, we discuss the framework conditions with you and define them in an order description. In addition, Laokoon Security will provide you with a non-disclosure agreement (NDA) that guarantees the confidentiality of any information uncovered during the test. Depending on the nature of the test (see "Does the assessment require physical access to the systems?"), you will then receive an implant or instructions for configuring the VPN endpoint.
The actual test then takes a few days. We agree the time period with you in advance so that you know exactly when the test will begin and end.
You will then receive the evaluation together with our recommendations in the agreed format (see "What do I get at the end of an assessment?").
What do I get at the end of an assessment?
After the assessment, a management report (CSA report in PDF format) or a vulnerability overview (vulnerability & mitigation sheet in Excel format) is provided in accordance with the previously agreed scope of services. If you wish, we can of course also provide both formats. These contain the vulnerabilities we have identified and recommendations for action or instructions on how the respective gaps can be closed.
What kind of test do I need for my company?
With our product packages, we have tried to give you a quick overview of our service portfolio. Experience has shown that the everyday life of organisations does not fit 100% into a standard template. We would be happy to advise you in an individual online session as to which packages offer the most added value for your particular organisation. Our primary goal is to ensure that your needs are met in the best possible way.
What does an assessment cost?
Our basic conviction is that the opportunity to obtain an overview of your own IT security status should not be limited by your budget. We have therefore deliberately kept the price of the basic version of an assessment low. However, the exact costs depend on the scope of the environment to be tested.
Does the assessment require physical access to the systems?
No, in order to keep the effort and costs for our customers within reasonable limits, we have specialised in the "remote execution" of our assessments right from the start. We agree with you in advance how to access the systems to be tested. Options include direct access via a VPN tunnel or the deployment of a highly secured security implant.
Irrespective of this, the test can of course also be carried out on your premises at your request. This is particularly useful if your organisation's policy or guidelines require a physical presence or if personal contact on site is important to you.
And your company data? Of course, it remains with you on site at all times. Laokoon Security only transfers the information on critical gaps that is required for a meaningful report into its own environment.
What must or should I contribute to a penetration test or cyber security assessment?
Especially if the assessment is carried out exclusively "remotely", detailed documentation of the agreed test object (ideally with a network plan, description of the individual systems, applications, etc.) helps to carry out the assignment quickly, smoothly and without extensive queries during the assessment.
If you do not have any documentation, we will be happy to advise you on further steps.
Can an assessment be compared to a certification?
An assessment is an inventory in which we determine the "state of health" of your network or application. Such an assessment is often the basis for certification. Laokoon Security itself, however, does not carry out any certification as part of the cyber security assessments we offer. We will be happy to recommend partners who can carry out certification for you following the assessment.
Can damage occur when carrying out pentests and assessments? Who pays for this?
In the security assessments carried out so far, neither Laokoon Security nor its customers have suffered any damage. However, it cannot be completely ruled out that physical or economic damage may occur as a result of our testing activities. If Laokoon Security has culpably violated the test rules agreed with you in advance, Laokoon Security will of course be liable for any damage incurred. More extensive damage is also covered by liability insurance. We will be happy to discuss the details of this with you in advance of any contract award.
What happens if unwanted side effects occur?
If you recognise any irregularities, such as unexplained operational disruptions during the test phase, you can contact the person responsible for the respective assessment at any time (24/7) by phone or email. The tests are then initially paused to minimise any possible impact.
We then work with you to find the cause and agree the next steps with you.
How long does an assessment take?
The duration of the assessment depends on the agreed scope of the assessment and the size of the network to be tested or the number and characteristics of the systems to be tested. In the case of application tests, the complexity of the application to be tested (lines of code, interfaces, language, etc.) is decisive.
A generalised statement about the duration of an assessment is therefore difficult to make. You will receive a truly reliable estimate if you give us the opportunity to define your framework conditions together with you and derive the actual scope of the assessment from them.