Compliance is not enough.  Look at the latest security headlines and ask yourself, was that company PCI certified?  Was that government agency FIPS/NIST compliant?  Probably.  Compliance is important, but you must dig deeper to stay out of the headlines.

Attackers can compromise data directly through techniques such as SQL Injection and Cross Site Scripting, but they can also use web applications to establish a foothold into your network, from which they can pivot to other assets and uncover sensitive or valuable data.  Automated tools are not enough to uncover these types of attacks.

Our Web Application Penetration Test (WAPT) is an assessment of the transactional elements of your web-based application.  Applications such as online banking, online trading, eCommerce, Business to Consumer (B2C), Government to Citizen (G2C), or any other critical application should have a comprehensive assessment of their security posture.

With our proven methodology, we will provide you with confidence that your development team or third-party developer has built a secure application, and that your organization has demonstrated due diligence in its efforts to protect confidential or sensitive information.


Our approach to security assessments begins with established methodologies from organizations like the Open Web Application Security Project (OWASP), the National Institute of Standards and Technology (NIST) and the Institute for Security and Open Methodologies (ISECOM).  We apply these methodologies using a balanced combination of automated tools and manual techniques, with an emphasis on discovering vulnerable application logic that cannot be found using an automated approach.  Automated tools represent less than 10% of our methodology.  Our certified professionals then add their own experience and creativity to provide a real-world scenario that would be common in attacks by experienced cyber criminals and state-sponsored actors.

WAPT Benefits

Our Web Application Penetration Testing Services…

  • Provide your organization with a view of your current application security posture
  • Enable regulatory and PCI compliance, where applicable
  • Decrease business risk by enhancing overall security posture
  • Safeguard your organization’s reputation by protecting from the negative publicity of a breach
  • Reduce litigation and breach notification expenses
  • Measure your application against current best practices and standards
  • Result in reduced insurance premiums, where applicable
  • Ensure that your application is hardened to survive an application-level attack
  • Increase security awareness for your software developers that will carry over to future development projects


Are your internal network and your perimeter secure? We can help you reduce risk with an External and Internal Network Penetration Test. Both tests are real-time, real-world assessments that are performed manually by an experienced consultant. Automated tools represent less than 10% of our methodology.

Our External Network Penetration Test (ENPT)

  • Assesses your network perimeter and exposure to the Internet
  • Tests your Internet exposure points

Our Internal Network Penetration Test (INPT)

  • Assesses your internal (Intranet) exposures, such as malicious employees, contractors or an external threat that has gained internal access
  • Tests critical internal IT assets


NPT Benefits

  • Provide your organization with a view of your current network security posture
  • Decrease business risk by enhancing the security of your network
  • Measure your network against current best practices and standards
  • Ensure that your network is sufficiently hardened to survive a concerted attack
  • Ensure employees adhere to your security and acceptable use policies


Staffing needs can fluctuate quickly, requiring the acquisition of outside assistance. We can provide the appropriate resources to meet your needs, so that your business continues without disruption.

We can staff highly skilled personnel to elevate business in areas such as

  • Security Product Selection (Bake-Offs)
    • Requirements definition
    • Use case documentation
    • Capabilities definition
    • Unbiased product comparisons
  • Security Product Implementation
  • Security Operations
  • Incident Response
  • Rent a CISO

Our personnel will quickly begin contributing to your business and allow you to more efficiently use internal and external resources.


Security works best if treated as a program that is continually improved, and not only as a checkmark on a compliance report. Our Security Assessment Roadmap consultant will analyze current information-security states and compare them to practical starting points tailored to your business needs.

Next, we work with you to outline the steps for creating a sustainable information security program. Our goal is to identify the priorities that will pay the highest dividends for your organization.

The resulting Security Assessment Roadmap will identify and recommend high-priority security projects for the next three to five years, with year-one projects being those that meet your most immediate security needs or serve as the foundation for a comprehensive security program.


The breadth of incident types is immense and not just limited to network breaches and malicious software. Incident Response (IR) teams are often tasked with handling unauthorized access from external and internal sources, distributed denial of service (DDoS), insider misuse and data loss.

Notable impediments to IR include lack of time to review and practice procedures, and lack of budget for tools and technologies. The most cited obstacle to effective IR processes is lack of time to practice response procedures. This speaks to the need for both hands-on walk-throughs and mock exercises that test written policies and aid in standardizing triage and response in enterprise incidents. The six steps of IR are

  • Preparation
  • Identification and scoping
  • Containment
  • Eradication
  • Recovery
  • Lessons learned

IR is not a one-time event; rather, it is a continuous lifecycle that generates ongoing best practices. Most mature IR teams achieve greater success in detection and containment by using proactive continuous monitoring and response rather than reactive intermittent response processes.

PTP can help your organization craft an incident response plan and capability. Additionally, we can partner with your personnel to resolve incidents.


Compliance assessments are all about “knowing what you don’t know”. An “outside” view is fundamental to avoiding conflicts of interest and to avoiding the overlooking of key potential vulnerabilities.

Our compliance assessments ensure that the processes that carry out business functions to achieve the business objectives are secure. Key elements of a compliance assessment are

  • Identify and document the business objectives, critical business and IT processes
  • Identify dependence of business on IT systems
  • Enterprise Security Assessment
    • PDCA (Plan, Do, Check, Act)
  • Protection from damage scenarios
    • Violation of laws, regulations or contracts
    • Breaches of the privacy of an individual
    • Physical injury
    • Prevention from performance of normal duties
    • Negative effect on external relationship
    • Financial consequences