Penetration Testing

We begin by researching publicly available company information, without touching business assets (Open Source Intelligence), in order to better understand the company’s current business model and what is important to you. We then analyze public-facing business assets, such as web sites and customer portals. This intelligence reveals what critical information is available without even touching internal properties and identifies areas of weakness. With this information, a plan of attack is generated. Electric Alchemy attacks are designed to mimic real-world threats that are likely to be experienced by your business, both logically and physically. In other words, we won’t drive a tank through your front door, but we could sneak someone in through your back door. Full Scope penetration testing typically includes the following as well:

Social Engineering

Equally important to your security is identifying the ways in which your own employees are inadvertently providing access to mission-critical data. Known as Social Engineering Assessments, this testing is designed to assess the effectiveness of your current security programs and often involves deceiving employees into breaking normal security procedures and revealing secured information. As an example, an employee may unknowingly divulge critical information to untrusted or unverified sources, such as in response to a request for a password reset over the phone, or they could click on a malicious link in an unsolicited e-mail, giving an attacker access to your internal network.



The Electric Alchemy methodology used on several engagements has been very agile, technology smart and people friendly.

— Tim Weil, Risk Management Lead at US Federal Agency (Contractor)

External Network Vulnerability Assessment

Electric Alchemy can assess your external, or “Internet facing”, infrastructure to find flaws in firewall policies or exposed services. This includes pre-authenticated testing of exposed web sites as well. Electric Alchemy’s consultants review and verify each finding to ensure that no false positives are contained within the report deliverable. Results are then prioritized based on business risk, and recommendations for resolution are provided.

By conducting the types of testing outlined above and remedying the resulting weaknesses, your business can have a higher level of assurance in its data security and can offer credibility to your clients and other business partners.