
We hack your software

zero false positives

Expert intelligence + effective automation

Differentiators

Our Ethical Hacking and Pentesting services seek to find and report all the security vulnerabilities present in your application. It is important to distinguish between a penetration test performed by Fluid Attacks and a vulnerability analysis performed with automated tools. To this end, we present the following comparative table:

Table 1. Comparative table: Pentesting vs. Vulnerability Analysis

Aspect | Fluid Attacks | Others

Focus
  Fluid Attacks: We do security risk hacking only. All day, all the time.
  Others: Only from time to time, because they do other things besides hacking.

Independence
  Fluid Attacks: We don’t install, maintain, operate or sell other security products. With no hidden agendas, you can have confidence in the independence and impartiality of our report [1][2].
  Others: Since other providers develop, maintain, install or operate security controls such as SOC, NAC, firewalls, etc., they may not be truly impartial or independent.

Attributes
  Fluid Attacks: We verify the basic security attributes:
    • Confidentiality.
    • Integrity.
    • Availability.
  Additionally, we also verify extended attributes such as:
    • Privacy.
    • Non-repudiation.
    • Traceability (logs and error management).
  Others: They only verify:
    • Confidentiality.
    • Integrity.
    • Availability.

Method
  Fluid Attacks: Automated tools + hands-on expert review (hybrid).
  Others: Static (automated tools only).

Team
  Fluid Attacks: Our hackers are certified in practical hacking in real scenarios [3][4]:
    • OSCP.
    • OSWP.
  Additionally, they are selected and trained through the most demanding process in the industry, guaranteeing their ability to program their own tools and audit code in multiple languages; that is to say, they are programmer-hackers.
  Others: They are certified in theoretical hacking through questions and answers:
    • CEH.

Model
  Fluid Attacks: Red Team [5][6].
  Others: Vulnerability analysis with selective exploitation.

Targets
  Fluid Attacks:
    • Web applications.
    • Mobile applications (iPhone, Android).
    • Desktop applications (GUI).
    • Mainframe applications (AS400).
    • Embedded applications (POS, ATM).
    • APIs (SOAP, REST, GraphQL).
    • Servers.
    • Networks.
    • IoT devices.
    • Industrial Control Systems (ICS).
    • Security Operations Centers (SOC).
  Others:
    • Web applications.
    • Servers.
    • Networks.

Techniques
  Fluid Attacks: 1 service, all the techniques [7][8][9][10]:
    • Fuzzing.
    • Dynamic (DAST), static (SAST) and interactive (IAST) security testing.
    • Software Composition Analysis (SCA).
    • Manual code review.
    • Reversing (if source is not provided).
    • False positive elimination.
    • Exploitation with public, private and custom exploits.
    • User enumeration.
    • Password guessing and cracking.
    • Trojan infection.
  Others: Only 1 technique per product.

  Fluid Attacks: Precision and granularity in the attack surface [11][12]:
    • For infrastructure (networks, servers, etc.), according to open TCP and UDP ports.
    • For applications, according to inputs (visible fields, hidden fields, headers and function parameters).
    • For source code, according to strictly effective lines of code (LoC).
    • For binaries, according to the size in MiB of the previously installed software.
  Others: Ambiguity or lack of detail in the attack surface:
    • For infrastructure, according to IP addresses.
    • For applications, according to the number of screens and forms of the application.

Legacy Languages
  Fluid Attacks: We hack legacy applications coded in old-established languages, such as:
    • COBOL.
    • RPG.
    • PL1.
    • TAL.
  Others: No support.

Development Method
  Fluid Attacks: Integrable with any development method, such as:
    • Waterfall.
    • Agile.
    • DevOps.
  Continuous Hacking, Integrates and Asserts are a perfect fit for the last 2 use cases.
  Others: Integrable with a single development method:
    • Waterfall.

Environments
    • Staging.
    • Production.

Windows
  Fluid Attacks: In the Continuous Hacking service:
    • Environments can constantly change.
    • Environments are not necessarily frozen.
    • Test windows are not required for hacking.
  Others: Frozen environments and test windows are required.

Coverage
  Fluid Attacks: Known [15][16]:
    • In fixed scopes, the exact part of the attack surface that will be verified, and its proportion with respect to the total, is agreed in advance.
    • In variable scopes, the exact part of the attack surface that was verified, and its proportion with respect to the total, is reported at the end.
  Others: Unknown, because they may not accurately report what was tested and what was not.

Profiling
  Fluid Attacks: You decide the security requirements that we will check during the hacking service through our product Rules.
  Others: Non-parameterizable.

Strictness
  Fluid Attacks: You will know the exact strictness of the hacking (for inspected and non-inspected profiled requirements) [17][18].
  Others: Unknown.

Finding Types
  Fluid Attacks:
    • Of a specific business impact.
    • Insecure programming practices.
    • Alignment with security standards and regulations.
  Others:
    • Based on signatures.
    • Syntax-based.

Type of Evidence
  Fluid Attacks: Some of the most relevant evidence is:
    • Images of the attack with explanatory annotations.
    • Animated GIFs of the attack (example).
  Others: In the case of other suppliers:
    • Images without annotations.
    • Copy-paste of test outcomes, which may include false positives.

Zero Day Vulnerabilities
  Fluid Attacks: Yes [19].
  Others: No.

False Positives
  Fluid Attacks: 0%.
  Others: ~20%.

Exploitation
  Fluid Attacks: Yes, as long as we have [20][21]:
    • An available environment.
    • The appropriate authorization.
  Others: No.

Custom Exploits
  Fluid Attacks: Using our own exploitation engine Asserts (example).
  Others: Unable to create and execute exploits.

  Fluid Attacks: By combining vulnerabilities A and B we are able to find a new vulnerability C of greater impact, which may compromise more records.
  Others: Only detects vulnerabilities A and B but is not able to correlate them.

Infection
  Fluid Attacks: In our One-shot Hacking service we infect workstations and critical servers using our custom cyberweapon Commands [22].
  Others: Don’t infect and have no custom cyberweapons at their disposal.

Compromised Records
  Fluid Attacks: After discovering a vulnerability and exploiting it, we extract the critical business information that indicates a high impact level. This allows us to show the severity of any individual vulnerability on:
    • Users.
    • Passwords.
    • Wages.
    • Personal IDs.
    • Credit card numbers.
    • Files on hard disk.
    • Central repositories without password.
  Others: No record extraction.

Cycles
  Fluid Attacks: Multiple cycles in our Continuous Hacking service [23].
  Others: Only 1.

  Fluid Attacks: 0% on the agreed scope.
  Others: ~65% on the agreed scope.

Remediation
  Fluid Attacks:
    • During the project you can request clarifications directly from our hackers via Integrates (example).
    • You can use our detailed remediation guides via Defends [24][25].
  Others: No support during the remediation phase.

Deliverables
  Fluid Attacks: Real-time documentation web system Integrates, which allows our customers to automatically generate reports and supervise every system from day 1 of the project [26][27]:
    • Executive report in PDF (example).
    • Technical report in XLS.
    • Technical report in PDF (example).
    • Graphics on the security of the system (example).
    • Metrics on the security of the system (example).
  Others: Available only at the end of the project because it is manually generated:
    • Word document.
    • Tool reports without discarding false positives.

End
  Fluid Attacks: Our service ends when the agreed-upon scope is completed, without any increase in cost to you [28][29].
  Others: The service ends when a previously agreed-upon time limit for the project runs out. Therefore, the scope and coverage were not defined and are unknown.

Pricing
  Fluid Attacks: Fixed, according to the previously agreed-upon scope.
  Others: Variable, depending on time and materials.
