"Secure web applications by design"
Penetration Testing (Scanning)
There are many types of penetration testing. The best thing to do is call! We will be glad to discuss the type of testing that is right for you. We require that a security letter be completed by a company officer before any scan is initiated. All scans can be scheduled to minimize impact. Scans can be done remotely or on-site.

There are four basic levels of penetration testing. The number of tests, vulnerabilities found and the level of application intrusion increase with each level.

Level 1) Common Web Vulnerabilities - This is the minimum. These tests are sometimes referred to as "Known Vulnerabilities" because they are drawn from published sources like BugTraq, Mitre's CVE and NIST's NVD attack databases. All sites should be able to handle these tests. No login or application input is required.

Most freeware runs at this level, and it will only rarely find even a limited set of XSS and SQL injection based attacks. It is our experience that higher level scans are required to find most XSS and SQL injection attacks.

Level 2) Authenticated/Non-transactional - This is what Google (or any search engine) would do to your site if you gave them an account. It consists of zero-value transactions and scans that may not go beyond the surface.

Level 3) Unauthenticated/Transactional - Most sites should handle this level. Think of it as anything an anonymous user could do within your site.  Mutations of application requests begin at this level.

Level 4) Unrestricted - This level is fully transactional and authenticated. It covers unrestricted use of the site plus about 50 mutated requests per parameter. This level has the potential to generate a lot of application activity. For this reason, scanning at this level should be run against a staging or QA environment before it is run in a production environment, to determine the impact on the application's resources.
 
 
 
Copyright © 2006 Security Crossing, All Rights Reserved.