Skip Ribbon Commands
Skip to main content
Home > Services > Profiling > PCI External A&P


PCI External Attack & Penetration


A PCI Attack and Penetration Assessment attempts to breach the PCI network segment by using the vulnerabilities identified during the client’s ASV vulnerability scanning process. Vulnerability scan results are provided to SecureState from the client in advance of the testing. Once vulnerabilities have been identified, our staff will use Penetration Testing techniques to exploit these vulnerabilities in an attempt to gain privileged access to PCI network segment systems.

  • Smaller scope penetration test focused on the PCI network
  • SecureState attempts to gain access to PCI customer and card holder information from the internet
PCI Attack and Penetration Process


Providing SecureState with recent ASV vulnerability scan results removes the Discovery (Footprint) and Service Identification Phases of a typical Penetration Test; and allows the Profiling Team to immediately begin the Exploitation Phase of a Penetration Test. This process results in a more focused attack and a quicker turnaround of results. SecureState has developed an approach that is extremely effective in testing the security of PCI network segment systems. This program includes controlled tests in which SecureState will attempt to gain access to your PCI related resources and ultimately to PCI customer and card holder information by exploiting vulnerabilities and using other information gathered from the vulnerability analysis phase.


Over the years, SecureState has developed custom toolsets available that aid in Penetration Testing. Additionally, SecureState has published to the security community a wide variety of tools to help penetration testers in identifying potential exposures within their networks. Many of these tools have been integrated into popular attack frameworks such as Metasploit. During the Penetration Test, SecureState will demonstrate some of the proprietary tools used and how they work.

Did You Know?

  • PCI-DSS 11.3 requires Penetration Testing to be performed
  • Penetration Tests are not Vulnerability Assessments
  • Penetration Tests should be performed at least once a year and after any significant application has been modified or received a network upgrade
  • Penetration Tests should follow industry standard testing methodologies
  • Penetration Tests are an important part of any security program

Our Approach and Methodology

The SecureState Profiling Team is well known and highly regarded as experts in Penetration Testing. Our approach follows industry accepted testing methodologies such as PTES, NIST 800-115 and OSSTMM. By following these methodologies, our clients can accurately replicate the testing SecureState has performed in their own environment to accurately mitigate identified vulnerabilities. The  Profiling Team also helps identify strategic “root cause” issues through our Penetration Tests. Our Risk Management Team is uniquely positioned to work closely with the Profiling Team in order to assist clients with mitigating these strategic “root cause” issues.

Phase I – Pre-engagement Interactions:

In this phase, SecureState works with the client to establish the rules of engagement as well as the scope and exchange contact information for both parties. SecureState provides a detailed Project Charter which contains information on scope and everything that will be required to conduct the testing. The Project Charter is discussed during the kickoff call prior to the beginning of the engagement.

Phase II – Vulnerability Analysis:

SecureState will use the external ASV vulnerability scan results provided by the client to conduct this Vulnerability Analysis.

The ASV vulnerability scan results provide SecureState with not only vulnerability information, but also the exposed ports and services. SecureState will assess open ports and services from the scans to look for potential targets, such as accessible HTTP, Telnet, RDP, and other ports that allow remote access or web server functionality.

Vulnerability scanners are notorious for outputting numerous false positives that are not applicable to a given environment. Consultants manually review scanner outputs to ensure verified vulnerabilities are applicable to only your PCI environment.

Phase III – Web Application Black Box Testing:

During PCI Attack and Penetration Testing, the Profiling Team uses a limited Black Box level approach to test web applications that have been encountered. A Black-Box test design treats the system as a “black-box,” so it does not explicitly use knowledge of the internal structure. Black Box test design is usually described as focusing on testing functional requirements. Black Box testing will also help to identify many of the OWASP Top Ten vulnerabilities that are common to web applications. All tests will be made against the identified web applications. This phase meets the PCI-DSS requirement for application layer testing.

Phase IV – Exploitation:

First, SecureState will manually validate the results from the scan. Next, all identified vulnerabilities will be assessed as to the likelihood of exploitation. Communication will be made with the client’s Project Lead prior to any type of intrusive activity that could potentially impact network performance or system stability. Any high or critical risk exploit will also be communicated to the client upon discovery in order to initiate corrective actions.

Phase V – Locate Card Holder Data:

Once vulnerabilities have been exploited, SecureState will use any access obtained to locate card holder data. During this phase, we will also utilize multiple vulnerabilities and attack vectors to achieve a greater attack. This is called the SecureState Vulnerability Linkage Theory (VLT) and is provided to clients through visual representation in our report. Communication will be made with the client’s Project Lead once the card holder data is accessed so that corrective action may be implemented.

Phase VI – Post Exploitation:

The Post Exploitation Phase includes pillaging, penetrating further into the network, documenting and erasing any footsteps we may have left behind.

Phase VII – Reporting:

As part of the deliverable, SecureState provides a report which contains a short, graphical summary aimed at senior management; a narrative body which details major findings, and a detailed findings section aimed at the technical staff. SecureState also provides a closing call and high-level executive presentation to summarize the penetration test as well as provide an opportunity to ask questions about the engagement.


What Makes Us Different


  • Uses a team based approach for all Penetration Tests
  • Utilizes proprietary VLT to achieve a greater attack
  • Demonstrates proprietary tools to clients during Penetration Testing
  • Publishes our own Exploits, Zero Days and Tools to the Information Security Community
  • Profiling Team members are known as experts in Penetration Testing worldwide
  • Profiling Team members are frequent speakers at National and worldwide security and hacking conferences, such as DEFCON, Black Hat, OWASP AppSec, SANS, ShmooCon, THOTCON, DerbyCon, ToorCon and more
  • Conducts all external Penetration Tests from our state-of-the-art hacking facility in SecureState’s world headquarters; a DOD cleared facility
  • Has the capability to perform secure remote Internal Penetration Tests using the latest Penetration Testing technology
  • Provides a secure two-factor authentication web portal for access to Penetration Test results
  • Follows industry standard testing methodologies, vulnerability rating systems and uses real attack data collected by SecureState through years of assessments to compare your company to your industry peers from a security perspective