Frequently Asked Questions

Will my data be at risk?

All data submitted to us will be encrypted at rest and securely stored. We will take every care possible to make sure that your data is protected.

Can you tell me how each test was performed?

We will give an overview of what type of test was being performed and the tools used to perform it, but this is as far as details will go.

Am I entitled to a retest?

Retests can be performed and charged as a standard test, although in some cases a discount will be applied.

Does payment need to be made before or after a test?

Either will be honoured. Part payment will need to be made before a Medium or Deep test starts. Report will be released after full payment has been made.
If a Critical (or High, if requested) vulnerability is found, and full payment has not been made, then the customer will be alerted with a standard email letting them know that a Critical (or High) vulnerability has been found without details of the vulnerability. Details and/or the report of such vulnerabilities will be released on full payment.

If a test is scheduled, and then cancelled, will my payment be refunded?

A scheduled test takes up resources for the planned dates. If a test is cancelled less than seven calendar days before the test is due to commence, then a full refund cannot be issued. A test can, however, be replanned for the next available date without charge.

Will I be informed of vulnerabilities found before the end of test?

If any vulnerabilities are found that are deemed “Critical”, then you will be immediately informed by telephone and email. Sensitive data will not be included in any emails.
Vulnerabilities deemed as “High” are notified on request.
“Medium”, “Low” and “Information” vulnerabilities will be disclosed in the final report.

How do you "score" vulnerabilities?

The NIST CVSS (Common Vulnerability Scoring System) (v3.0) Base scores will be used to score vulnerabilities based on information available about the vulnerability. More details on NIST CVSS can be found here:

How will my report be delivered to me?

For added security, the report will be encrypted and emailed to the email address on the initial request.
A password will follow in a separate email.
Plans are being made to allow for access to a dedicated encrypted area for clients to use to send and receive files.

What happens if I disagree with results of the report?

That is totally fine, everybody is entitled to their own opinion.

If we fix a vulnerability during the test before the final report is due, can it be omitted from the report?

No. All vulnerabilities will be reported. If an vulnerability is fixed during a test, then the report will state that the vulnerability is now fixed. It is against company policy that a vulnerability will not be reported whether fixed or not.

What happens if you notice that we are currently being/have been hacked?

If there are signs of a previous attack, or an attack taking place then all testing will be ceased immediately and you will be notified straight away.

Is it illegal to pentest?

To perform the type of testing without consent is totally illegal and can lead to problems with the law.

Can you get me into my girlfriend's Facebook account?

No. Although it is possible to get into social media accounts using devious techniques, we will not do this. It is immoral, can be illegal, and totally against company policy.

Can you modify the websites of our competitors or redirect its traffic to ours?

No. Our aim is to help businesses by making them secure, not by destroying their competitors.