
Penetration Testing

CCV certified - blackbox, greybox & whitebox

€175 / hour, CCV certified

Our CCV certified pentesters perform thorough security tests on your applications, networks and infrastructure. We identify vulnerabilities before malicious actors do. Available in blackbox, greybox and whitebox variants.

What is a penetration test?

A penetration test - pentest for short - is a controlled attack on your IT environment. We break in, document how, and show you what a real attacker could have done. Not a theoretical risk matrix, but proven attack paths with proof-of-concept.

The difference with a vulnerability scan? A vulnerability scan runs Nessus or Qualys, delivers a PDF with CVEs and calls it done. We go further. Our pentesters combine tools like Burp Suite, BloodHound and Nuclei with manual investigation and years of offensive experience. We find the business-logic flaws, chained exploits and configuration issues that scanners structurally miss, because a scanner matches signatures and version numbers, not intent.

Zolder is a CCV Keurmerk Pentesten certified penetration testing company. This certification attests to competence, independence and reporting quality. Organisations subject to NIS2 or ISO 27001 are often required by their auditors or clients to use a certified tester.

Types of penetration tests

We offer three variants:

  • Blackbox: we know nothing upfront and work as an external attacker.
  • Greybox: we receive limited information - an account, some architecture docs - and simulate an attacker who already has a foothold, such as a compromised user or a malicious insider.
  • Whitebox: full access to source code and configuration. The most thorough, and our recommendation if you want maximum value.

Which type fits your situation is something we settle during the scoping call. You sit directly with the pentester who will perform the test - not with an account manager.

Why should you get a penetration test?

Dutch organisations are actively targeted. Ransomware in manufacturing, credential-stuffing against SaaS platforms, supply chain attacks via vendors - we see it daily in our work. A pentest gives you:

  • Proven attack paths: not theoretical lists, but concrete exploits with screenshots and commands.
  • Compliance: PCI-DSS explicitly requires periodic pentests; NIS2, BIO and ISO 27001 expect you to regularly verify that your controls work, which in practice means periodic testing.
  • Trust: more and more clients and partners demand pentest reports in tenders.
  • Honest picture: we do not inflate findings to justify the engagement. If something is secure, the report says so.

Our approach

Short lines, direct action. That is how we work.

  • Scoping & threat modelling - you speak directly with the pentester. Together we determine scope, objectives and rules of engagement. What are your crown jewels?
  • Reconnaissance - OSINT, port scanning, service fingerprinting, subdomain enumeration.
  • Vulnerability analysis & exploitation - systematic testing, followed by controlled exploitation. We demonstrate real impact.
  • Post-exploitation - lateral movement, privilege escalation, persistence. How far can an attacker get?
  • Reporting - clear report with management summary, technical details including reproduction steps, and concrete recommendations. No consultancy jargon.
  • Retest - after your fixes we can verify whether vulnerabilities have actually been resolved.

During the test we share critical findings with you immediately - not three weeks later in a report. You get a Slack channel or Signal group with the researcher. That is what we mean by short lines.
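The scoping and reconnaissance steps above have one practical coupling: everything the recon phase turns up (subdomains, hosts from port scans, addresses from OSINT) must be checked against the rules of engagement before anyone touches it. Below is an added example of such a scope filter. It is not Zolder's tooling; the "include"/"exclude" rule format, the hostnames and the addresses (taken from documentation ranges) are all constructed for the illustration. It shows why a naive substring match is wrong (look-alike domains and "partner-example.com" must not match "example.com") and why exclusions always win over inclusions.

```python
"""Scope filter for reconnaissance output (added example, not Zolder's own tooling)."""
import ipaddress


def _parse_rule(value):
    """A rule target is an ip_network (single IPs become /32 or /128) or a hostname."""
    value = value.strip()
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return value.lower().rstrip(".")


def _parse_host(value):
    """A recon result is an ip_address or a normalised hostname."""
    value = value.strip()
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return value.lower().rstrip(".")


def parse_scope(roe_text):
    """Parse rules-of-engagement lines of the form
    'include <domain|ip|cidr>' / 'exclude <domain|ip|cidr>'.
    A domain rule covers the domain itself and all of its subdomains.
    (The line format is an assumption made for this example.)"""
    scope = {"include": [], "exclude": []}
    for raw in roe_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # allow trailing comments
        if not line:
            continue
        action, _, value = line.partition(" ")
        if action not in scope or not value.strip():
            raise ValueError(f"bad rule: {raw!r}")
        scope[action].append(_parse_rule(value))
    return scope


def _matches(rule, target):
    """True when the recon target falls under the rule. Hostnames only match
    hostname rules (exact or as a subdomain); IPs only match network rules."""
    if isinstance(rule, str):
        return isinstance(target, str) and (
            target == rule or target.endswith("." + rule)
        )
    if isinstance(target, str) or target.version != rule.version:
        return False
    return target in rule


def host_in_scope(scope, host):
    target = _parse_host(host)
    if any(_matches(r, target) for r in scope["exclude"]):
        return False  # an explicit exclusion always wins
    return any(_matches(r, target) for r in scope["include"])


def filter_recon(scope, hosts):
    """Split recon output into (allowed, rejected), preserving order."""
    allowed, rejected = [], []
    for host in hosts:
        (allowed if host_in_scope(scope, host) else rejected).append(host)
    return allowed, rejected


# Constructed rules of engagement for a fictitious client (documentation ranges).
ROE = """
include example.com          # the client's domain and every subdomain
include 203.0.113.0/24       # the client's public range
exclude legacy.example.com   # production payment system: out of scope
exclude 203.0.113.200        # shared host belonging to a third party
"""

# Constructed recon output: subdomain enumeration plus a port scan.
RECON_RESULTS = [
    "www.example.com",
    "api.example.com",
    "legacy.example.com",               # excluded by name
    "example.com.evil-lookalike.net",   # look-alike, not a subdomain
    "mail.partner-example.com",         # different registrable domain
    "203.0.113.10",
    "203.0.113.200",                    # excluded address
    "198.51.100.5",                     # not in any included range
]

if __name__ == "__main__":
    scope = parse_scope(ROE)
    allowed, rejected = filter_recon(scope, RECON_RESULTS)
    print("in scope:   ", allowed)
    print("out of scope:", rejected)
```

Everything that the filter rejects is either reported back to the client as "seen but not tested" or raised during the engagement to extend the scope in writing; it is never probed first and discussed later.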

What does a penetration test cost?

Our hourly rate is €175 per hour (excl. VAT). Total costs depend on scope, test type and complexity:

  • Scope: a web application versus a full infrastructure with hundreds of hosts.
  • Test type: blackbox requires more reconnaissance hours than whitebox.
  • Complexity: custom applications, proprietary protocols or legacy systems take more time.
  • Compliance requirements: OWASP ASVS or PTES may require additional test cases.

An average web application pentest typically comes to €5,000 - €15,000. Infrastructure tests are higher. We always provide a fixed quote after a free scoping call - no surprises afterwards.

Methodology

1. Scoping - Determining the scope, objectives and rules of the test.
2. Reconnaissance - Active and passive collection of information about the target system.
3. Exploitation - Actively testing and exploiting vulnerabilities.
4. Reporting - Detailed report with findings and recommendations, ordered by priority.
5. Retest - Verification that the vulnerabilities found have been successfully resolved.

Frequently asked questions

How long does a penetration test take?

A web application pentest takes 1-3 weeks turnaround. An infrastructure test 2-4 weeks. The actual testing hours are only part of that turnaround; the rest goes to scheduling, reporting and review. We always schedule in consultation to minimise disruption. During the test you can contact the pentester directly with any questions.

What is the difference between a vulnerability scan and a pentest?

A vulnerability scan is automated and reports known CVEs. A pentest goes much further: we actually exploit vulnerabilities, chain weaknesses into attack paths and manually test for business-logic flaws. We find what Nessus and Qualys miss.

What standards does Zolder follow for pentests?

We are CCV Keurmerk Pentesten certified and work according to PTES, the OWASP Testing Guide and OWASP ASVS. Depending on your industry, we can also perform PCI-DSS or BIO-specific test cases. Which standard fits best is something we settle during the scoping call.

Can a pentest disrupt my systems?

We work in a controlled manner and in consultation. High-risk tests are only performed after explicit consent. In practice, our pentests rarely cause disruption. If something does go wrong, the pentester is directly reachable - no ticket system, just a phone call.

How often should you have a penetration test performed?

At least annually, and after significant changes to your application or infrastructure. Many compliance frameworks (ISO 27001, NIS2, PCI-DSS) require periodic tests. After the pentest we discuss what makes sense for your situation - we do not recommend testing more often than necessary.

Ready to test your security?

Get in touch with our team for a no-obligation conversation about your security challenges.