Triaxiom Security
Partner with us to meet your Information Security needs.
9 Jul 2025

External vs Internal Penetration Testing – How to Choose With a Limited Budget

When planning a penetration test, one of the most common questions organizations face is whether to choose between external vs internal penetration testing. This post will help you understand the key differences between the two approaches and how to choose the one that provides the most value to your organization. While the obvious answer might […]

8 Jul 2025

Does External Penetration Testing Need to Be Conducted “After-Hours”?

A question we often receive when scoping an engagement is, “Can my external penetration test be conducted after hours?” The short answer is yes, but there are some trade-offs that not everyone is aware of. In some cases, it could mean paying more for something you may not actually need. We’re always happy to talk […]

7 Jul 2025

DNS Zone Transfers: A Classic Risk Still Overlooked

What are DNS Zone Transfers? While DNS zone transfers may seem like a relic of the past, they remain a relevant and potentially serious vulnerability in today’s cybersecurity landscape. Although many organizations addressed this issue decades ago, misconfigurations still occur, often due to legacy systems or oversight. As headlines have repeatedly shown, even widely known […]

2 Jul 2025

Incident Response Tabletop Exercises: Beyond the Checkbox

Many organizations either skip incident response tabletop exercises entirely or settle for off-the-shelf scenarios that lack relevance to their environment. As a result, these exercises become little more than a “check-the-box” activity—minimally valuable and often poorly attended. To truly strengthen incident response and organizational resilience, tabletop exercises must be designed with purpose, realism, and customization. Why Traditional Incident […]

2 Jul 2025

Our External Penetration Testing Methodology

One of the most common and important questions we get from prospective customers is about our external penetration testing methodology. It’s a sign they’re doing their homework, which makes sense: if you’re going to let someone try to break into your network, you should know exactly how they plan to do it. We also love […]

1 Jul 2025

Does an External Penetration Test Include Web Application Testing?

One question we still hear from time to time is: Does an external penetration test include web application testing? It’s a fair question and one that often confuses people, because the answer is, “kind of, but not exactly.” Let’s break it down further. What types of web application penetration testing are generally included in an […]

30 Jun 2025

What Can Go Wrong on an External Penetration Test?

When organizations bring in a third party to perform an external penetration test, the expectation is a smooth, well-orchestrated engagement that yields actionable results. And in most cases—around 95% of the time—that’s exactly what happens. However, it’s important to recognize that penetration testing is not without risk or complexity, and things can go wrong on […]

26 Jun 2025

How Much Does an External Penetration Test Cost in 2025?

An external penetration test evaluates the perimeter security of your organization by simulating an attacker on the internet. The goal is to identify vulnerabilities in internet-facing systems, attempt to breach internal networks, or uncover publicly exposed information that could harm your reputation. (For more details, see our complete external penetration test guide.) Because it closely […]

26 Jun 2025

What Your OSINT Says About You

At the onset of any engagement, Triaxiom Security engineers will begin with research, often called Open Source Intelligence Gathering, or OSINT for short. OSINT is the process of gathering publicly available information from the internet to gain a deeper understanding of an organization, its technology stack, and any potential vulnerabilities. Security engineers often conduct this […]

6 Mar 2024

HTB CBBH – Course and Exam Review

After passing the eWPT, I was looking for another web application certification that might help to elevate my skills and help me to review web application penetration testing exploits and methodologies. I stumbled upon Hack the Box (HTB) Academy, which offered a Certified Bug Bounty Hunting (CBBH) course and exam. I looked over a couple […]

© 2025 Triaxiom Security, a division of Strata Information Group, Inc. All rights reserved.