Newer companies may not yet have control over their network security. Conversely, more mature companies often have large, complex networks that can easily contain misconfigurations and weaknesses – particularly as more and more organisations move to the cloud. Both of these scenarios leave the door open for catastrophic security breaches, resulting in increased risk of falling victim to a cyber-attack. As a rule, this also means high financial costs, business interruptions and reputational damage for companies.

Our network penetration testing service identifies and validates vulnerabilities on internal, internet facing, and cloud-based IT infrastructure. We provide recommendations for remedying these vulnerabilities in the report.

The duration of the engagement is about 3 weeks.

Phases of the service:

1. Initiation phase

The emphasis here is on effective communication with the client organisation to create an operating environment that suits both parties. The scope of testing is defined. The client can customise the testing approach and other parameters of the engagement are identified.

2. Intelligence phase

We conduct open source intelligence gathering, network mapping and discovery to build a comprehensive picture of the client’s attack surface. This is also called digital footprinting.

3. Scanning and enumeration

4. Attack and penetration

5. Reporting and documentation

Formation of the assessment

KPMG Cyber team excels at operating under a structured, repeatable methodology. We stress this concept in every engagement to ensure our findings are reliable, reproduceable and of excellent quality.

Our network security experts pentest in-scope networks and systems following manual and automated TTPs that use commercial, open source, and proprietary software to assess the client’s infrastructure from the perspective of an adversary.

We can also pentest the client’s network infrastructure from the perspective of an authenticated user. Our collaboration during the engagement ensures that you understand the risks associated with our findings and can implement the recommendations.

Our network penetration testing approach is based on best practices, including NIST SP 800-53, PCI DSS, OWASP Top 10, MITRE ATT&CK framework, and encompasses:

  • süsteemisystem and service discovery
  • identifying vulnerabilities that can be chained together to obtain unauthorised access to systems, applications, and sensitive data
  • vulnerability exploitation
  • system-level privilege escalation
  • domain-level privilege escalation
  • sensitive networks, systems and data access
  • segmentation testing for the Payment Card Industry Data Security Standard (PCI DSS) compliance, as required
The frequency of security testing is flexible and tests can be carried out either at a specific time interval or scheduled for when a new version of an application is about to be launched or when a new dangerous security vulnerability has been detected. The duration of security testing engagements depends largely on the size and complexity of the application being tested, but is typically about 3 weeks.

Output for the client

Reporting is critical to the success of the assessment, as it provides permanent documentation that can be shared with management and partners.

Each report is customised to the specific scope of assessment and based on the risks of the individual organisation.

The reports are easy to read and understand, but thorough in the findings.

In addition, the description of each vulnerability includes a detailed remediation strategy.

Some of the elements that you will find in our reports include:

  • an executive summary for strategic direction
  • a walkthrough of technical risks
  • multiple options for vulnerability remediation
  • the potential impact of each vulnerability

Provide a safe and sustainable business environment for your company. We help build a resilient and reliable digital landscape, even in the face of changing threats.

KPMG Baltics OÜ

+372 626 8700
Ahtri 4, 10151 Tallinn, Estonia
KPMG Baltics KPMG Global Privaatsuspoliitika
Email again:

HR assessment 

HR assessment focuses on mapping the skills and increasing the competencies of the weakest link in cyber security: the users, the employees.

Email again:

Threat assessment

Threat assessment is a tactical and technical service that allows a company to get a quick overview of external threats.

Email again:

Maturity assessment

Maturity assessment helps plan IT investments and design further steps to mitigate vulnerabilities and ensure better security.

Email again: