Threat Led Penetration Testing

Combine routine pen testing non-negotiables within an advanced adversarial simulation engagement.

Naturally reaching beyond the bounds of a traditional penetration test, ‘threat led’ testing has become increasingly central to industry best practice and emerging compliance requirements.

In essence, a ‘threat-led’ testing approach emulates real-world adversaries with specific attack objectives. For instance, imagine you’re primarily concerned about the impact a financially motivated ransomware attack would have on your business. Starting from this scenario, we can work backwards to identify business-critical assets, prioritising the testing of each technology or process an attacker would need to compromise during a genuine cyber attack.

A key differentiator with threat led penetration testing is the ability to meet compliance ‘non-negotiables’, like web app tests or internal penetration tests, while simultaneously gaining a realistic assessment of your organisation’s defences across its people, processes and technologies (much like more advanced Red Team or Purple Team engagements).

Add to that, Threat Led Penetration Testing enables compliance with several of the world’s leading cyber security frameworks and regulations.

When is a ‘threat-led’ approach needed?
Why closing the ‘threat-led’ gap is essential
Key Outcomes
Client Story
Resources
Contact Us

When is a ‘threat-led’ approach needed?

No two threat led penetration tests should be identical.

Your organisation, the threats you face, the technologies you use, and the operations you consider to be ‘business critical’ are all unique. Therefore, depending on your appetite for development and resources availability, JUMPSEC seeks to delivers a combination of the following engagement phases:

Threat Modelling Workshop

JUMPSEC facilitates an in-person workshop in which we map out your entire estate, your business-critical assets, greatest risks and defensive controls. This allows us to gain an intimate understanding of your environment and begin to plan likely attack paths to the crown jewels of your organisation.

Attack Surface Review

This encompasses a validation exercise in which JUMPSEC conducts an independent review of your organisation’s attack surface with the intention to discover further unknown areas of the attack surface beyond the known elements discussed in the threat modelling session.

External Penetration Test (Social Engineering)

With the engagement objectives and priority attack path(s) and outlined, JUMPSEC will employ a tailored social engineering campaign to simulate real-world phishing, pretexting, or other human-based attack techniques. By targeting key individuals or departments, we aim to assess your organisation’s susceptibility to manipulation.

Internal Penetration Test

JUMPSEC conducts penetration testing of the assets along the attack paths to validate if these can be exploited to achieve the objectives in-scope. While testing any assets deemed ‘non-negotiables’ for compliance, we demonstrate whether key technical milestones can be achieved to escalate privileges, traverse the environment, and perform actions with a tangible business impact.

Reporting

JUMPSEC doesn’t believe in exhaustive 100-page reports that fail to prioritise actionable high impact findings. Instead, we identify a select number of vulnerabilities most likely to cause a tangible business impact, while providing an itemised issue listing section in the report which clearly demonstrates risk mitigation to clients and auditors. This allows you to make substantive remediations which can be clearly understood.

Closing the ‘threat-led’ gap

Given the elevated level of assurance, security leaders, legislators, regulators, and more mature sectors (e.g finance) are increasingly mandating that traditional pen tests evolve to take a threat-led approach (i.e DORA, PCI DSS and NIST (CSF)).

Unfortunately, the current standard bearer for threat led testing – Adversarial Simulation – suffers from the perception (and at times the reality) that it’s too strategically advanced, technically sophisticated, expensive, or simply unnecessary for the ‘typical’ organisation.

A covert red team, for example, sees several offensive security professionals pool an array of tactical knowledge and experience into several weeks or months of engagement (as real attackers do), encompassing detailed reconnaissance, social engineering, exploitation – all the way to demonstrating tangible business impact or compromising critical assets and data. This may be viewed as unattainable for a typical organisation.

Yet threat-led methodologies must now become the standard for a wide range of organisations – the majority of whom still exclusively conduct minimal pen testing.

To bridge the gap, JUMPSEC has created a customisable blend of traditional penetration testing and more advanced adversarial simulation, designed to flex to your budget where required.

Key outcomes from Threat led Penetration Testing

Validate the efficacy of existing security solutions.

Highlight areas in which detection gaps could be improved.

Discuss their entire security posture with experts via threat modelling session. Identify the unknown unknowns.

Provide known-good red team attack traffic to build new detections to cover these gaps.

Comprehensively validate your security controls and tooling are working as intended, from granular EDR analysis, to the speed and accuracy of your managed service security functionality.

Meet compliance ‘non-negotiables’ though an itemised issue listing within a comprehensive report that clearly demonstrates risk mitigation to clients and auditors.

Simultaneously gain a realistic assessment of your organisation’s defences across its people, processes and technologies.

Find new and unknown areas of your attack surface.

What Our Clients Say ...

“Recently we engaged a comprehensive purple team exercise. Working collaboratively with JUMPSEC Blue and Red Teams we were able to make real time improvements to our security posture. This included implementing technical solutions, tweaking detections and finding innovative ways to compromise a system. The advantages working in this collaborative manner through a purple team engagement, far outweigh approaches taken in a traditional PenTest."

Groupe Atlantic, UK

Resources

The critical risk in DORA financial regulations

Supply chain attacks are a growing concern, particularly within the financial sector, with attackers increasingly using key technology suppliers as a ‘jumpbox’ to pivot into their intended target organisation.

Read guide

Preparing for DORA

We regularly speak to organisations who are seeking clarity to aid their preparedness for the new Digital Organisational Resilience Act (DORA). Enacted in December 2022, DORA has mandated regulations for financial sector organisations and their critical third-parties.

Read guide