Compass Security offers penetration testing services covering external infrastructure, internal networks, applications, specialized systems, and social engineering. The service follows a scoping, execution, and reporting process, with a concluding discussion for each engagement. External Penetration Testing: Involves scanning and manually testing exposed services, exploiting identified attack vectors, and pivoting into internal systems. Activities include host/service discovery, hostname enumeration, vulnerability assessment, exploitation, and pivoting. Internal Penetration Testing: Simulates attacks from within a network, including on-site visits. Activities include vulnerability assessment, exploitation, privilege escalation (local and domain), password/key material searches, network segregation verification, and Active Directory abuse analysis using tools such as BloodHound and PingCastle. Application Penetration Testing: Covers web applications, web services, RESTful APIs, mobile apps (Android and iOS), and client/server architectures. Testing is tailored to the target architecture and references standards such as OWASP Top 10 and ASVS. Specialized Testing: Covers cloud environments, IoT, and proprietary hardware devices. Social Engineering: Includes phishing campaigns, vishing (phone calls), and physical social engineering (attempting to access facilities). Yearly phishing subscriptions, live hacking presentations, and security awareness training are also offered. Compass Security holds CREST accreditation for penetration testing and conducts ongoing research in cooperation with Swiss universities.