YOU DO NOT COPY PROFESSIONALISM. YOU ALIGN WITH IT.

SKILLED PENETRATION TESTING SERVICES

Purpose-driven penetration testing designed to uncover real vulnerabilities, not just generate reports. NEWORDER’s human-driven, adversary-aligned methodology finds what automated scanners miss and delivers tactical intelligence your team can act on immediately.

OFFENSIVE SECURITY

AMATEURS HAVE TOOLS. PROFESSIONALS HAVE PEOPLE.

In today’s digital landscape, every organisation depends on technology that is directly exposed to adversaries: networks connected to the internet, applications handling customer data, APIs powering integrations, and cloud infrastructure running critical operations. A single vulnerability in any of these systems can lead to data breaches costing millions in regulatory penalties and reputational damage, ransomware events that halt operations for weeks, credential theft that enables long-term persistent access, and intellectual property loss that undermines years of competitive advantage.

The penetration testing market is flooded with providers who run automated scanners, repackage the output as a consulting report, and call it a penetration test. These engagements produce volumes of theoretical findings ranked by CVSS scores, but they do not tell you what an actual attacker could achieve in your environment. Automated tools identify known vulnerability signatures. They cannot assess custom business logic, chain low-severity findings into critical attack paths, adapt testing techniques based on real-time discoveries, or demonstrate the genuine business impact of exploitation.

NEWORDER operates differently. Our penetration testing services are delivered by experienced human operators who think like the adversaries targeting your organisation. Every engagement blends industry-recognised frameworks, including PTES, OWASP, NIST SP 800-115, and MITRE ATT&CK, with proprietary techniques refined through years of operational experience across Africa, Europe, and the Middle East. We use automated tools to accelerate coverage, but every finding is discovered, validated, and exploited by human operators who understand your environment’s specific context.

The result is not a vulnerability list. It is a tactical intelligence report that proves exactly what an attacker can do to your organisation, how they would do it, and what you need to fix in priority order to stop them.

WHAT WE TEST AND HOW WE TEST IT

NEWORDER delivers penetration testing across every layer of your digital infrastructure, from external network perimeters and internal environments to web applications, APIs, cloud platforms, mobile applications, and wireless networks. Our methodology follows a structured seven-phase lifecycle based on the Penetration Testing Execution Standard (PTES), enhanced with OWASP, NIST, and MITRE ATT&CK frameworks to ensure comprehensive coverage and real-world relevance.

Manual-First Methodology

Every finding is discovered and validated by human operators using real-world exploitation techniques. Automated tools assist with coverage, but human expertise drives the engagement. Our operators adapt testing methods dynamically based on real-time discoveries, following attack paths that automated tools are unable to identify or pursue.

Polymethodologist Approach

No single framework covers everything. NEWORDER blends the lifecycle management of PTES with the application depth of OWASP, the infrastructure rigour of NIST SP 800-115, and the adversary realism of MITRE ATT&CK. This produces engagements that are structured, comprehensive, and grounded in how real attacks unfold.

Tactical Reporting, Not Scanner Dumps

Every engagement delivers two distinct deliverables: an executive summary for leadership that communicates business risk in clear, non-technical language, and a technical report for your security and development teams with detailed findings, evidence, reproduction steps, and prioritised remediation guidance. We do not deliver 200-page automated reports with thousands of unvalidated findings.

Proven Attack Path Demonstration

We do not just identify that a vulnerability exists. We prove what an attacker can achieve with it. Every critical and high-severity finding includes demonstrated exploitation showing actual access gained, data reached, or systems compromised. This transforms abstract vulnerability scores into concrete business impact that executives and board members can understand and act on.

Zero Operational Disruption

We coordinate closely with your team throughout the engagement, planning testing phases around operational needs and performing assessments in a controlled manner. Emergency contact procedures are established before testing begins. If an unexpected issue arises during testing, we halt immediately and communicate with your team before proceeding.

Regulatory Compliance Support

Our penetration testing supports compliance with POPIA, GDPR, PCI DSS (Requirement 11.3), ISO 27001 (Annex A.18), CIS Controls v8.1 (Control 18), SOC 2, and industry-specific regulatory requirements. Every engagement produces evidence and documentation that auditors and regulators accept.

FREQUENTLY ASKED QUESTIONS

NEWORDER integrates the attacker’s perspective into every engagement. While automated tools catch generic vulnerabilities based on known signatures, they cannot assess custom code, business logic, chained attack paths, or context-specific weaknesses. Our operators combine automated tools for coverage with manual expertise for depth, adapting testing techniques dynamically based on real-time findings to detect vulnerabilities that standard tools fundamentally miss.

We recommend penetration testing at least annually, or whenever there are significant changes to your systems, applications, infrastructure, or codebase. Organisations in regulated industries (finance, healthcare, government) or those undergoing rapid digital transformation should consider quarterly or semi-annual testing. NEWORDER can establish a customised testing schedule aligned with your risk profile, compliance requirements, and release cycles.

A vulnerability scan is an automated process that identifies known weaknesses based on signatures and databases. It produces a list of potential issues but does not validate whether they are genuinely exploitable or demonstrate business impact. A penetration test is a human-driven engagement where operators actively exploit vulnerabilities, chain findings together, escalate access, and demonstrate real-world consequences. A vulnerability scan tells you what might be wrong. A penetration test proves what an attacker can actually do.

NEWORDER designs every engagement to minimise operational disruption. We prefer to test in staging or pre-production environments where possible. When production testing is required, we coordinate closely with your team, schedule testing during appropriate windows, and establish emergency procedures before testing begins. Our operators use controlled techniques that safely simulate attacks without causing damage to systems or data.

You receive an executive summary with business risk context and prioritised findings for leadership, a technical report with detailed vulnerability descriptions, CVSS scores, evidence screenshots, reproduction steps, and specific remediation guidance for your technical team, attack path diagrams showing how findings chain together, and a prioritised remediation roadmap. We also conduct a face-to-face debrief session where our operators walk your team through the findings and provide hands-on remediation guidance.

Black box testing provides the most realistic simulation of an external attacker. Grey box testing balances realism with efficiency and is most common for internal and application testing. White box testing provides maximum coverage for code-level review. NEWORDER recommends the appropriate approach during scoping based on your objectives, timeline, and risk profile. Many organisations benefit from combining approaches: black box for external perimeter, grey box for internal infrastructure, and white box for critical applications.

Yes. Cloud penetration testing is a core capability across AWS, Azure, and GCP. We test IAM configurations, storage permissions, network security, container security, serverless functions, and cloud-native services. Cloud environments introduce unique attack surfaces that do not exist in traditional infrastructure, and misconfigured cloud services are among the most common root causes of data breaches.

Yes. Penetration testing directly supports compliance with PCI DSS (Requirement 11.3 mandates regular penetration testing), ISO 27001, CIS Controls v8.1 (Control 18 is specifically penetration testing), SOC 2, POPIA, and GDPR. NEWORDER provides engagement documentation and reporting that auditors and regulators accept as evidence of security testing due diligence.

TAKE ACTION

CAN YOUR BUSINESS AFFORD TO BE HACKED?

Contact us for a no-obligation discussion about your penetration testing requirements. From infrastructure and cloud to web applications and APIs, NEWORDER finds what automated scanners miss.