PENETRATION TESTING SERVICES

What Is Penetration Testing

Oxford Systems Penetration Testing services are a proactive exercise to help identify vulnerabilities impacting our customers’ assets and infrastructure. Our reports provide advice on approaches to fixing the issues identified. Each finding in our reports demonstrates the severity and business impact the vulnerability presents. Our aim is to provide our customers clear information and guidance that helps our customers meet their cyber security goals.

A Penetration Test (sometimes called a “pentest” or “pen test” for short) is more than a vulnerability scan. Our experts manually review the agreed scope and carefully validate findings to eliminate false positives from our findings. This helps us to provide our customers accurate severity ratings to help with understanding how to prioritise remediation. Pen Testing results are vital in order to properly ascertain an organisation’s risk and plan risk management strategies in order to better defend against a cyber attack.

Manual and Automated Testing

Identifies Obscure Vulnerabilities

Provides a Comprehensive Report

Get Advice from an Expert

Get a No-Obligation Quote

Read about our Privacy Policy

Penetration Testing Services We Offer

Oxford Systems perform Penetration Tests against almost any type of asset or environment. Below is some information about a few of the more common Penetration Testing services we deliver. If you are looking for something not listed below or a bit more unusual let us know and we’ll be able to find something that will work for you.

Web Application Penetration Testing

This should be considered when a organisation exposes a web application containing sensitive data or connected with internal systems to untrusted users or networks. Even web applications on the local internal network of the organisation should be considered as a strong candidate for web application penetration testing if it contains customer data / Personally Identifiable Information (PII).

Web applications account for a large portion of breaches and 2023 – 2024 saw a 180% increase in the amount of incidents originating from exploitation of vulnerabilities, for which web applications make up a majority share (https://www.verizon.com/business/en-gb/resources/reports/dbir/2024/summary-of-findings/).

All organisations should be strongly considering Web Application Penetration Testing on a regular (quarterly / annual) basis depending on the criticality of the web application and the nature of the data it houses.

Oxford Systems follow the OWASP Top 10 methodology for identifying the most common and dangerous web application vulnerabilities. Our consultants are experts in Web Application security and have experience with development and secure code review.

External Infrastructure Penetration Testing

This service assesses the external perimeter of an organisation’s environment. This would be typically be against services being exposed to the internet such as mail servers, web servers or services being used for third-party integration. Unlike Web Application Penetration Testing which assesses at the application level, External focuses on service level vulnerabilities and misconfigurations.

An organisation should consider External Infrastructure Penetration Testing after any changes to the perimeter (such as exposing a new service) and on a periodic basis to detect new and emerging vulnerabilities.

Penetration testing helps identify weaknesses, improve security measures, ensure compliance, and reduce the risk of external threats.

Internal Infrastructure Penetration Testing

An assessment of your organisation’s internal network to identify vulnerabilities and misconfigurations. While the main objective is to locate security issues, our consultants will also try and escalate privileges during the test. This typically means starting with no account at all to try and reach the highest level of privilege in the environment. This approach helps to demonstrate impact to the organisation’s cyber security owners and allows our experts to uncover vulnerabilities at a much deeper level.

Internal Infrastrucutre Penetration Testing should ideally be conducted on a regular basis such as annually. Improving a large environment can take a great deal of time and so periodic testing helps to ensure that progress is steadily heading in the right direction.

Oxford Systems can perform configuration reviews on certain components of Internal Infrastructure such as Active Directory. This activity is more passive and might provide an  alternative if you are concerned about disruption and want to start small.

Thick Client Penetration Testing

This service is designed to assess the security of desktop applications that connect both directly or indirectly to a database and process company data. Thick Clients are very commonly used in larger organisations and can often be overlooked in terms of security. In many cases, they can provide a direct route to access backend connected databases. Should this be the case, it leaves a low barrier of entry for an attacker to gain access to important data from where the Thick Client is installed.

Thick Client Penetration Testing will identify security considerations with the application which your organisation can use to remediate vulnerabilities. If remediation is not possible for any reason, we can provide guidence around risk management strategies to avoid potential compromise.

Understanding the risk around Thick Clients is not always straightforward, but we can help to advise you on what you can do to understand and manage the risk posed by these applications.

FAQ

Frequently Asked Questions

The vast majority of Penetration Tests do not cause any significant disruption or damage. However, Penetration Testing is by its nature a destructive exercise and there can never be any concrete guarantee that disruption or damage will not occur. Our experts are well-versed in how to safely manage testing in a wide range of client environments. Oxford Systems expert security consultants take as much care as possible to avoid disruption and follow a risk managed approach where if we believe an action may have a negative consequence we seek approval before carrying out the activity.

Our approach to Penetration Testing is open and collaborative, we believe this is the best way we can provide value to our clients and avoid potential damage and disruption. We are always happy to talk about ways in which we can tailor our service to give you the most peace of mind. Why not reach out and see how we can help?

Oxford Systems do not perform any Denial of Service testing as part of our Penetration Testing unless explicitly authorised. There is a small risk of an unintentional Denial of Service event which is always present with any Penetration Testing activity. However, this will never intentionally be performed.

This really will depend on the nature of the environment you are looking to assess and the risk appetite of your organisation. Annual testing is often enough for most typical environments and applications. However, high risk environments may warrant semi-annual or even quarterly testing. Many such environments may have regulations or compliance requiring regular Penetration Tests as part of an audit. If you need a helping hand to determine what would work best for you give us a call!

© 2025 | Oxford Systems

Address

5 Minton Place, Victoria Road, Bicester, Oxfordshire, OX26 6QB, United Kingdom

Email

cyber@oxfordsystems.co.uk

×
Cookies
We serve cookies. If you think that's ok, just click "Accept all". You can also choose what kind of cookies you want by clicking "Settings". Read our cookie policy
Settings Refuse all Accept all
Cookies
Choose what kind of cookies to accept. Your choice will be saved for one year. Read our cookie policy
Save Refuse all Accept all