What is the difference between Offensive and Passive Security Checks?
Updated over 3 months ago

Passive controls and Risk Insights

All Security Checks marked as Passive are launched by default on your entire external attack surface (all your assets). These security controls, as their name suggests, gather only passive information about targets, such as open ports, exposed certificates, technologies, HTTP headers, or information about the exposed main web page.

These types of controls give you a first overview and a first security analysis of your entire external attack surface. Passive controls are useful, for instance, for compliance purposes, to improve your grade from rating companies, and to ensure you maintain good External Cyber Hygiene.

Results of these controls can easily be found and processed in the “Risk Insights” menu.

This menu gathers all security information found by passive Security Checks, sorted by use-case scenario. It is important to note that Risk Insights are not verified manually by a Pentester, as they are not considered directly exploitable vulnerabilities.

Depending on your organisation and your compliance needs, you can then create specific rules from this menu that will create “qualified vulnerabilities” from specific Risk Insights.

Offensive controls

Offensive controls, as their name suggests, cover all offensive operations carried out on your assets. These offensive operations are only performed when the “Pentested mod” is activated on the related asset.

These controls go much deeper in security analysis and gather all operations performed during a manual black-box penetration test into comprehensive use cases. All these controls have been automated and are continuously launched on all your Pentested assets by our Back-Office.

On top of that, this automation is supported and carried out by expert Pentesters to ensure that a very wide range of vulnerabilities or flaws will be found on your Pentested assets.

If one of our offensive controls reveals a vulnerability, it is first verified and investigated by an expert. If the vulnerability is confirmed and exploitable, and only in that case, it is then reported in your dashboard in the “Qualified Vulnerabilities” menu, with automatic retest capabilities and all the follow-up capabilities offered by Patrowl.

If the vulnerability is not exploitable, there is nothing to worry about: you won’t even know that we tried.

These offensive controls are, of course, updated daily to include new exploitation techniques or new Trending Attacks (see link).
