[SERVICES]

Vulnerability Assessment
Penetration Test

Vulnerability Assessment

Swiftly identify vulnerabilities that could serve as entry points for attack through white-hat hacker assessments. We also offer customization of assessment scope and depth, as well as remediation support for discovered vulnerabilities.

  • 01

    Website/Application Diagnosis

    Simulate attacks against target websites and applications, including parameter tampering and submission of malicious input values. By analyzing system response behavior, vulnerabilities are comprehensively identified and visualized as security risks.

  • 02

    Network/Platform Diagnostics

    Comprehensively identify vulnerabilities across servers, network devices, and terminals, including the OS and middleware running on them. Detection results are visualized as security risks, clearly pinpointing areas that require countermeasures.

Project Flow

  • 01

    Hearing

    Verification of target information (domain names, feature names, and account credentials).

  • 02

    Requirements Definition

    Based on the results of our initial consultation, we define the assessment targets and scope, and present a cost estimate.

  • 03

    Vulnerability Assessment

    Vulnerability assessment conducted by certified specialists with deep expertise in attacker perspectives.

  • 04

    Reporting

    Creation of a detailed report covering explanations, reproduction methods, and remediation steps for all discovered vulnerabilities, followed by a debriefing session led by the assigned specialist.

[CASE STUDY] 01

Major Manufacturing Company

Vulnerability Assessment

  • Implementation Period

    Consultation to Diagnosis: 1 week
    Diagnosis Completion to Report Submission: 2 weeks

  • Background of the Request

    A ransomware infection occurred at an overseas group company.

  • Number of items

    7 domains

Diagnosis Results

  • High-severity vulnerability

    02

    ・Risks of Remote Server Operation
    Potential attacks on other servers and computers originating from the internal network.

  • Critical Vulnerability

    10

    ・Risks of Database Operations
    Potential exfiltration of personal data, as well as unauthorized modification, tampering, or deletion.
    ・Risks of Code Execution in Web Applications
    Possibility of malicious scripts executing in end users’ browsers.

We attach annotations and explanations to technical terms in the report to ensure clarity. By detailing “how to reproduce the vulnerability” and “recommended mitigations,” we enable thorough preventive measures that avert future incidents.

[CASE STUDY] 02

Major Manufacturing Company

Vulnerability Assessment

  • Implementation Period

    Consultation to assessment: 1 week
    Assessment: 1 week
    Assessment completion to report submission: 1 week

  • Background of the Request

    A proactive assessment of key public-facing web services, triggered by a security incident. The first step toward phased security enhancement, with lateral deployment across similar systems in view.

  • Number of items

    1 domain (static web page)

Diagnosis Results

  • High-severity vulnerability

    03

    ・Unauthorized remote server operations (remote code execution)
    ・Potential for lateral movement from a compromised server to other servers and terminals within the internal network

  • Critical Vulnerability

    04

    ・Inadequate access control: risk of content not intended for public access being viewable externally due to insufficient access restrictions

Reporting delivered in both Japanese and English. Global support enables immediate security strengthening for overseas group companies.

Penetration Test

Attempt system penetration using the same techniques as real-world attackers, based on anticipated attack scenarios. This is a combat-proven security verification that exploits defensive weaknesses to determine whether predefined target objectives can be reached in practice.

Test Method

Depending on the degree of prior disclosure and the assumptions made, the test can be conducted at one of three levels.

  • 01

    White box test

    • Overview

      Information about the test target is provided to the testers (including items such as source code and network configuration).

    • Feature

      Because the system is fully transparent to the testers, attack paths that are normally difficult to detect can also be discovered.

  • 02

    Gray box test

    • Overview

      The information that testers would ordinarily collect during the test period (e.g., system architecture and deployed products) is provided in advance.

    • Feature

      Because the information that would normally be collected during the test is provided in advance, the overall execution period can be shortened.

  • 03

    Black box test

    • Overview

      No prior information about the internal systems is provided.

    • Feature

      Because testing is conducted under the same conditions as real attackers, it enables a realistic assessment of threats.

Project Flow

  • 01

    Hearing

    Verification of target information (execution location, scope, and intended test objectives).

  • 02

    Requirements Definition

    Definition of attack scenarios based on consultation findings, along with cost estimate explanation.

  • 03

    Pre-test verification

    For on-site assessments or tests in specialized environments, we thoroughly verify on-site conditions and refine the attack scenarios accordingly.

  • 04

    Execution of penetration testing

    Penetration testing conducted by testers deeply versed in the attacker’s perspective.

  • 05

    Reporting

    Preparation and delivery of a detailed report covering the compromise routes to the objective, the exploited vulnerabilities, and their remediation methods.

[CASE STUDY] 01

Financial institution

Penetration Test

  • Test Overview

    Gray Box Testing / On-site (Offline) Implementation

  • Implementation Period

    Testing: 15 business days
    Testing completion to report submission: 10 business days

  • Scope

    Active Directory environment (approximately 300 client terminals and servers)

Diagnosis Results

  • Goal 1

    Acquisition of Domain Admins privileges, the highest-level authority within Active Directory

    Achievement Rate: 100%

    ・Obtained credentials for Domain Admin, the highest-level privilege

  • Goal 2

    Removal of acquired data to external locations

    Achievement Rate: 100%

    ・Successfully exfiltrated data to an external server on the internet by escaping from an environment assumed to be a closed network
    ・Disabled and bypassed deployed security products to save data to a USB device

Demonstrated the possibility of reaching the highest-level privileges and achieving complete data exfiltration. By concretely visualizing intrusion paths and data leakage risks, we exposed the limitations of existing defenses and guided the organization toward highly effective, fundamental security enhancements.

[CASE STUDY] 02

Pharmaceutical company

Penetration Test

  • Test Overview

    Gray Box Testing / Employee Device Loan

  • Implementation Period

    Testing: 20 business days
    Testing completion to report submission: 10 business days

  • Scope

    Active Directory environment (approximately 250 client terminals and servers)

Diagnosis Results

  • Obtained credentials for Domain Admin, the highest-level privilege

    Achievement Rate: 100%

    ・Obtained credentials for Domain Admin (5 accounts), each through a separate attack path

Demonstrated complete penetration from an employee terminal to core servers, including the Domain Controller. Specifically identified the attack paths leading to the compromise of five administrator accounts, contributing to a fundamental review of privileged ID management and monitoring frameworks to prevent further intrusion spread.

We never cease our pursuit to realize true security.