The following list gives a brief overview of our core competences.

Application Pentesting

Pentests of web and mobile applications as well as the backend aim to identify existing vulnerabilities and their targeted mitigation. This is done either as classic white-box test with code audits or as black-box test (zero-knowledge).

Cloud Pentesting

Complex cloud infrastructures in Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP) are often accompanied by new and sometimes still unknown security challenges. We identify issues that lead to significant security implications, by analyzing not only specific subcomponents, but also how services and applications interact within the entire architecture.

This is accomplished through various approaches. For example, by examining the configuration of Identity and Access Management (IAM), revealing privilege and/or authorization misconfigurations within or across multiple tenants. Issues in external public facing web and network services are identified, which may unintentionally expose sensitive information or vulnerable applications. Additionally, internal network threats are assessed that would allow an attacker to advance and escalate privileges.

Red Teaming

Red team assessments (or: adversarial attack simulations, red teaming or red team exercises) simulate real-world cyber attacks (e.g., ransomware) and give you the chance to evaluate your defensive and monitoring capabilities. Once the assessment is concluded, conceptual and systematic weaknesses as well as suitably recommended countermeasures are laid out in our detailed report to help you to understand and address them and to improve the system’s resiliance.

Contrary to vulnerability assessments or typical pentests, red teaming does not focus on finding as many vulnerabilities and misconfigurations as possible. It rather focuses on gaining the highest level of access within an organization in a given time or achieving specific flags or targets. Understanding the attack path chosen by our security analysts in the attack is the critical learning element for an organizations’ security team and allows them to gain a better understanding of their security posture.

The red team assessment starts with an attack surface analysis that is followed by external and internal network penetration testing. Once access to the network is gained, different techniques are used for lateral movement within the network to reach the critical assets of an organization. During this process, the red team tries to bypass existing firewall and AV / EDR solutions and persist their access within the network. In addition to classical attacks via the network, red team assessments can in consultation with the client also include physical attacks on an organization. Interesting targets are hereby e.g., the wireless networks of an organization or their physical door security system. It is also possible to limit the scope of a red team exercise to a specific subcomponent of the system that should be tested.

Hardware Review

Due to the increasing level of interconnectedness through the Internet of Things (IoT), formerly isolated systems have become more vulnerable to cyber threats. In order to ensure the security and safety of consumers, businesses and industrial plants, it is important that hardware systems are checked for potential attack surfaces and weaknesses in an early stage.

We examine your own and third-party developed products for typical security issues between hardware and software. For example by assessing the resilience against hardware-specific attacks using side-channel and fault-injection techniques, as well as the integrity of communication protocols, data protection and boot processes. We support customers from various industries, such as consumer electronics, medical technology and mechanical engineering.

Software Review

Regular code reviews, integrated into the development proccess, are an important measure to guarantee a high quality and security level in your software systems. We examine your products with an experienced external eye to both uncover issues that could lead to security issues and recommend appropriate remediations. A code review might also be effective and desirable, if you plan to integrate third-party or open source products into your systems. In case the source code is not available, we use reverse engineering techniques to analyze the binary data.

Design & Concept Advisory

Security advice focuses on an analysis of existing designs, concepts and structures and can help to identify potential vulnerabilities and develop solutions at an early stage – before a pentest even takes place. Our threat modeling gives an overview of potential threats which then can be taken into account accordingly in the development process. On top of this we develop efficient, specific and appropriate countermeasures and support you with the evaluation and design of protection mechanisms.

We can also develop methods or tools to prove i.e. demonstrate particularly new forms of vulnerabilities, if a better understanding is required. Such “Proof of Concept” tools can be software-only solutions; however, the development of dedicated hardware tools is also possible.

Other Expertise

Even if the expertise you’re looking for is not mentioned as our core competence, modzero can refer to other expert partners due to its decade long standing in the industry. We are also able to adapt and learn or give advice on highly complex or tailored solutions that you have developed.


All news →