
Penetration test
The supreme discipline
Red Teaming Penetration Test
But can all your security strategies withstand an attack? Many security concepts sound tempting in theory, but fail in practice. Which of them are actually effective can rarely be judged without a practical review.
Time to see if your security measures are paying off, too.
This gives you a realistic view of your company’s defense and response capabilities.
(applies to the EMEA economic area)
We test holistically:
| | |
|---|---|
| Technology | We carry out attacks against your corporate IT. |
| People | We check how your employees react to actual hacker attacks. Is IT security really part of the corporate culture? |
| Physical IT security | We check how your company building, server rooms as well as other relevant facilities of your company are secured. |
| Recognized standards | We work according to recognized standards such as ISECOM OSSTMM, PTES, OWASP Testing Guide as well as the specifications and recommendations of the TIBER-EU Framework of the European Central Bank. Furthermore, all our security audits are based on the recommendations of the German Federal Office for Information Security. In addition, our projects are insured for financial loss as well as personal injury and property damage. |
Penetration test
The average cost per security incident was $3.86 million.
(global, year 2018)
What we know
Why KALWEIT ITS
As an independent consulting company specializing in IT security, we regard penetration testing as one of our supreme disciplines. Our aim is to carry out penetration tests with a low degree of automation and a transparent, comprehensible approach. Industry-specific requirements from the banking or healthcare sectors do not pose a challenge for us.
- We believe that IT security must be different today. Security means trust in independent solutions. Security is not a product, but a continuous process. This is exactly why we work with holistic consulting methods and view a company as a holistic security factor, just as an attacker would. Because a concept does not make a system.
- We work according to recognized standards such as PTES, NIST, OWASP Testing Guide, PCI-DSS, Cyber Kill Chain as well as the implementation concept for penetration tests of the Federal Office for Information Security. In addition, our projects are insured for financial loss as well as personal injury and property damage.
We support you with any kind of penetration testing:
- Perimeter test
- Client test
- Inside offender test
- Testing of web applications/application software/mobile applications
- Testing of core banking systems and retail networks
- Security Review
- Engine control unit tests
- IoT device testing
- Tests in the cloud environment (AWS, Microsoft Azure or Google Cloud)
- Flutter solution testing
- Extensive projects with more than 400 project days per year
- Strong expertise in performing penetration testing in banking and finance, healthcare, critical infrastructure, and retail industries

Automotive Cybersecurity
The advancing process of digitalization does not stop at the automotive world.
The increasing number of ECUs in automobiles, as well as the greater networking of vehicles (C2X), also increases the risk of unauthorized access and manipulation of safety-critical systems.

With advanced knowledge, however, information transmitted via the CAN bus can also be used to manipulate a wide variety of vehicle functions or to extend their functionality. The in-depth networking of a wide range of control units in the vehicle enables pioneering features such as autonomous driving, cruise control systems or even improved navigation.
A clear and present threat
IT Security Check
The IT Security Check offers small and medium-sized companies an initial assessment of the general IT security situation in their own company.
- Where are we particularly well positioned and where do we still need to catch up?
- Clarity, knowing exactly what still needs to be done
- Gaining insight into which measures are indispensable and which are of little relevance

- 2 days implementation with several consultants
- Review of technical & organizational IT security based on VdS 10000
- QuickCheck of corporate web presence and external IPs
- Recommendation catalog for the further procedure
- Management Report (PDF format)
- Final interview

- 3 days implementation with several consultants
- Review of technical & organizational IT security based on VdS 10000
- QuickCheck of corporate web presence and external IPs
- Recommendation catalog for the further procedure
- Management Report (PDF format)
- Final interview

- 4 days implementation with several consultants
- Review of technical & organizational IT security based on VdS 10000
- QuickCheck of corporate web presence and external IPs
- Recommendation catalog for the further procedure
- Management Report (PDF format)
- Final interview

OSINT research
Open Source Intelligence (OSINT) is a term from the intelligence field. It describes a research method that uses exclusively passive tools to examine freely available data with a specific purpose in mind.
As part of OSINT research, we identify compromised data sets such as confidential documents, credentials, or technical information that would be useful for specific attack attempts along the cyber kill chain. These findings give a clear picture of your company’s current IT security situation. Since only passive tools are used, this type of security check can easily be performed without violating legal requirements (esp. §202a-c, §303a-b).
OSINT searches can be used, among other things, as a more detailed phase of information gathering as part of a penetration test.
Procedure of the tests
- Initial interview
- Conversation with all parties involved
- Implementation
- Documentation
- Risk assessment
- Results presentations
During the initial meeting, we get to know you and your company better. In the second round of the meeting, we discuss the next steps together with all decision-makers and determine the penetration testing methodology to be applied.
Once the penetration test has identified possible attack vectors and determined their probability of occurrence and potential damage, we present the results to you in a final report.
This includes a management summary, a detailed description of the inherent risks, and a proof of concept so that your own IT experts can reproduce the vulnerabilities internally.
At the heart of the documentation are the comprehensive recommendations for action, which you can use to remediate the weak points independently in a simple and comprehensible manner.
In addition to a free debriefing to clarify open questions or ambiguities, we are happy to provide, upon request, a confirmation that a penetration test was successfully carried out. You can use this as proof for customers and business partners.
The final report contains the following components:
- Project frame data (project name, contact person, test period, scope)
- Management summary
- Description of the approach and methods used
- Summary and assessment of the identified vulnerabilities with regard to their criticality (incl. CVSS values and CVE entries) as well as technical proof of concept
- Detailed technical description of the identified vulnerabilities / inherent risks
- Recommended measures to eliminate each vulnerability as well as a listing of all vulnerabilities in tabular form (Excel)
Your contact persons
You can always reach us personally. Because loyalty based on partnership is far more important to us than short-term success.

Dipl.-Inf. George Koch
Senior Business Partner
+49 40 285 301 252

Philipp Kalweit
Managing Partner
+49 40 285 301 257