Penetration testing

elfGROUP Cyber Security Services focuses on improving corporate cyber security and on protecting sensitive digital assets. Our penetration testing and CyberSafe certification services support securing digital businesses and information assets, thereby strengthening the brand of your company or product and promoting trustworthiness in your customer relationships.

Assessment, testing and certification

Our penetration testing service, elfATTACK, is an ethical hacking service for assessing and testing the current level of security of either information systems or IT infrastructures.

Security testing engagements are usually combined with an overall architecture walkthrough, a security architecture review and, if necessary, a hosting platform (on-premise or cloud) configuration review from security hardening and software assurance point-of-views.

Application security testing

elfATTACK Application is a software security assessment and penetration testing service. Typical assessment targets include software centric systems such as:

  • web applications and web sites
  • intranet and extranet sites and other sites with login and access controls
  • online stores, subscription based services or other professional services, often with payment integrations
  • backend systems serving e.g. IoT devices or mobile applications
  • API endpoints and such programming and integration interfaces
  • distributed systems, often characterized by a decentralized deployment model, replicated data storages, clustered access points and strict system availability and data integrity and consistency requirements)

Our elfATTACK approach and deliverables support both development teams and organizations acquiring external development services.

IT infrastructure security testing

elfATTACK Infrastructure is an IT infrastructure security assessment and penetration testing service. Along the lines of a red team hacker penetration engagement, we work together with the customer's technical team to walkthrough the target IT infrastructure and it's current technical security controls to understand and document the starting point, defining the scope and agreeing on the allowed measures of penetration attempted.

The IT infrastructure penetration testing is suitable for verifying the security of and identifying security vulnerabilities of e.g. an on-premise or cloud hosted IT environments, WiFi networks, server environments, remote working or teleworking setups.

Infrastructure penetration testing can be combined with server configuration reviews (security hardening, reliability, auditability).

CyberSafe certification

elfGROUP CyberSafe is a hands-on cyber security certification for businesses, organizations and individual information systems. It is based on well-known and standardized reference frameworks and criteria such as ISO 27001, NIST, KATAKRI, VAHTI guidelines, OWASP and numerous other best practices. We wanted to bring an alternative to companies of all sizes who may not want, need or be able to get formal heavy duty certifications.

CyberSafe covers the most important areas of administrative and technical information security with an emphasis on practical cyber security, often eliminating unnecessary bureaucracy for SMEs and reducing the requirements for documentation and management models. still not forgetting the importance of administrative security policies and proper information security governance.

CyberSafe certification logos

CyberSafe certification is granted to elfATTACK Application and elfATTACK Infrastructure assessment targets that have no non-mitigated and exploitable critical or high vulnerabilities.


The primary goal of a security assessment is to verify whether the deployed (or planned, if security is considered before implementation, like it should be) security mechanisms provide adequate measures to guarantee cyber resilience and uninterrupted operations towards accidental and intentional disturbance.

The target system must support the required information security objectives and prevent any significant misconduct of its authorized and unauthorized users and clients, i.e. attempts towards data theft or corruption, bringing the system down or breaching backend corporate systems and networks.

Besides internal business interests of securing systems, customers and other third parties may present requirements for independent security audit or security assessment to be conducted against a software product, online service or, for example, to evaluate an organization's cyber security capabilities as part of a due diligence process.