Triaxiom Security
Partner with us to meet your Information Security needs.

Does an External Penetration Test Include Web Application Testing?

One question we still hear from time to time is: Does an external penetration test include web application testing? It’s a fair question and one that often confuses people, because the answer is, “kind of, but not exactly.” Let’s break it down further. What types of web application penetration testing are generally included in an […]

What Can Go Wrong on an External Penetration Test?

When organizations bring in a third party to perform an external penetration test, the expectation is a smooth, well-orchestrated engagement that yields actionable results. And in most cases—around 95% of the time—that’s exactly what happens. However, it’s important to recognize that penetration testing is not without risk or complexity, and things can go wrong on […]

How Much Does an External Penetration Test Cost in 2025?

An external penetration test evaluates the perimeter security of your organization by simulating an attacker on the internet. The goal is to identify vulnerabilities in internet-facing systems, attempt to breach internal networks, or uncover publicly exposed information that could harm your reputation. (For more details, see our complete external penetration test guide.) Because it closely […]

What Your OSINT Says About You

At the onset of any engagement, Triaxiom Security engineers will begin with research, often called Open Source Intelligence Gathering, or OSINT for short. OSINT is the process of gathering publicly available information from the internet to gain a deeper understanding of an organization, its technology stack, and any potential vulnerabilities. Security engineers often conduct this […]

HTB CBBH – Course and Exam Review

After passing the eWPT, I was looking for another web application certification that might help to elevate my skills and help me to review web application penetration testing exploits and methodologies. I stumbled upon Hack the Box (HTB) Academy, which offered a Certified Bug Bounty Hunting (CBBH) course and exam. I looked over a couple […]

Bypass Duo MFA for RDP

In this blog we are going to take a look at an often overlooked or under-appreciated method to bypass Duo MFA for RDP. As long as the attacker has administrative rights on the computer, this blog will demonstrate how it is possible to enable restricted admin mode, and subsequently bypass the multi-factor authentication (MFA) requirement […]

© 2025 Triaxiom Security, a division of Strata Information Group, Inc. All rights reserved.