We’re an Ethical Hacking and Pentesting company offering services to identify cybersecurity vulnerabilities. Find here what differentiates us from competitors. To this end, we present the following comparative table:

Table 1. Comparative table: Pentesting vs. Vulnerability Analysis


Fluid Attacks



yes We do security risk hacking only. All day, all the time.

no Only from time to time, because they do other things besides hacking.


yes We don’t install, maintain, operate or sell other security products. With no hidden agendas, you can have confidence in the independence and impartiality of our report 1 2.

no Since other providers develop, maintain, install or operate security controls such as SOC, NAC, firewalls, etc., they may not be truly impartial or independent.


yes We verify the basic security attributes:

  • Confidentiality.

  • Integrity.

  • Availability.

Additionally, we verify extended attributes such as:

  • Privacy.

  • Non-repudiation.

  • Traceability (logs and errors management).

no They only verify:

  • Confidentiality.

  • Integrity.

  • Availability.


yes Automated tools + hands-on expert review (Hybrid).

no Static (Automated tools only).


yes Our hackers are certified in practical hacking in real scenarios 3:

  • OSCP.

  • OSWP.

  • CRTE.

Additionally, they are selected and trained through the most demanding process in the industry, guaranteeing their ability to program their own tools and audit code in multiple languages; that is to say, they are programmer-hackers.

no They are certified in theoretical hacking through questions and answers:

  • CEH.


Red Team 4 5.

Vulnerability Analysis with selective exploitation.


  • Web applications.

  • Mobile applications (iPhone, Android).

  • Desktop applications (GUI).

  • Mainframe applications (AS400).

  • Embedded applications (POS, ATM).

  • APIs (SOAP, REST, GraphQL).

  • Servers.

  • Networks.

  • IoT Devices.

  • Industrial Control Systems (ICS).

  • Security Operations Centers (SOC).

  • Web applications.

  • Servers.

  • Networks.


yes 1 service, all the techniques 6 7 8 9:

  • Fuzzing.

  • Dynamic (DAST), Static (SAST) and Interactive (IAST) Security Testing.

  • SCA (Software Composition Analysis).

  • Manual code review.

  • Reversing (if source is not provided).

  • False positive elimination.

  • Exploitation with public, private and custom exploits.

  • User enumeration.

  • Password guessing and cracking.

  • Trojan infection.

no Only 1 technique per product.

yes Precision and granularity in the attack surface 10 11:

  • For infrastructure (networks, servers, etc.), according to open TCP and UDP ports.

  • For applications, according to inputs (visible fields, hidden fields, headers and function parameters).

  • For source code, according to strictly effective lines of code (LoC).

  • For binaries, according to the size in MiB of the software previously installed.

no Ambiguity or lack of detail in the attack surface:

  • For infrastructure, according to IP addresses.

  • For applications, according to the number of screens and forms of the application.

Legacy Languages

yes We hack legacy applications coded in old-established languages, such as:

  • COBOL.

  • RPG.

  • PL1.

  • TAL.

no No support.

Development Method

yes Integrable with any development method, such as:

  • Waterfall.

  • Agile.

  • DevOps.

Continuous Hacking and Asserts fit perfectly for the last 2 use cases.

no Integrable with a single development method:

  • Waterfall.


  • Staging.

  • Production.


yes In the Continuous Hacking service environments:

  • Can constantly change.

  • Are not necessarily frozen.

  • Test windows are not required for hacking.

no Frozen environments and test windows are required.


yes Known 16 17:

  • In fixed scopes the exact part of the attack surface to be verified, and its proportion with respect to the total, is agreed upon in advance.

  • In variable scopes, the exact part of the attack surface that was verified and its proportion with respect to the total is reported at the end.

no Unknown, because they may not accurately report what was tested and what was not.


yes You decide the security requirements that we will check during the hacking service through our product Rules.

no Non-parameterizable.


yes You will know the exact strictness of the hacking (for inspected and non-inspected profiled requirements) 18 19.

no Unknown.

Finding Types

  • Of a specific business impact.

  • Insecure programming practices.

  • Alignment with security standards and regulations.

  • Based on signatures.

  • Syntax-based.

Type of Evidence

yes Some of the most relevant evidence is:

  • Images of the attack with explanatory annotations.

  • Animated GIFs of the attack.

no In the case of other suppliers:

  • Images without annotations.

  • Copy-paste of test outcomes which may include false positives.

Zero Day Vulnerabilities

yes Yes 20

no No

False Positives

yes 0%

no ~20%


yes Yes, as long as we have 21 22:

  • An available environment.

  • The appropriate authorization.

no No

Custom Exploits

yes Using our own exploitation engine Asserts.

no Unable to create and execute exploits.

yes By combining vulnerabilities A and B we are able to find a new vulnerability C of greater impact which may compromise more records.

no Only detects vulnerabilities A and B but it’s not able to correlate them.


yes In our One shot hacking service we infect stations and critical servers using cyberweapons.

no Don’t infect or dispose of cyberweapons.

Compromised Records

yes After discovering a vulnerability and exploiting it, we extract the critical business information which indicates a high impact level. This allows us to show the severity of any individual vulnerability on:

  • Users.

  • Passwords.

  • Wages.

  • Personal IDs.

  • Credit card numbers.

  • Files on hard disk.

  • Central repositories without password.

no No record extraction


yes Multiple cycles in our service:

Continuous Hacking 23.

no Only 1.

yes 0% on the agreed scope.

no ~65% on the agreed scope.


  • During the project you can request clarifications directly from our hackers via Integrates 24 25.

no No support during remediation phase.


yes Real-time documentation web system Integrates which allows our customers to auto generate and supervise every system since day 1 of the project 26 27:

  • Executive report in PDF.

  • Technical report in XLS.

  • Technical report in PDF.

  • Graphics on the security of the system.

  • Metrics on the security of the system.

no Available only at the end of the project because it is manually generated.

  • Word document.

  • Tool reports without discarding false positives.


yes Our service ends when the agreed upon scope is completed, without any increase in cost to you. 28 29

no The service ends when a previously agreed-upon time limit for the project runs out. Therefore, the scope and coverage were not defined and are unknown.


yes Fixed, according to the previously agreed upon scope.

no Variable, depending on time and materials.

Do you want more information about our services? Do not hesitate to contact us.

Copyright © 2020 Fluid Attacks, We hack your software. All rights reserved.
