Penetration testing at application level with (grey-box) or without user accounts (black-box) included but not limited to:

• Web applications and APIs
• Mobile applications
• Binary applications
• SAP 

On top of the typical application security problems, these tests also cover the business logic and vertical/horizontal authorization issues to provide deep understanding of the cyber security status of the given application.

Infrastructure level testing of external perimeters, entire internal networks, including wireless systems.This also includes testing of various cloud-based setups, cloud-only or hybrid solutions.These tests can also focus on specific infrastructure elements, like remote access solutions (e.g., breakout tests in VDI environments), ATMs or HMIs in highly sensitive environments.

We assess the security configuration of an SAP deployment, including cryptographic practices and authorization structures. We also identify remote connections and interfaces, evaluating their security. Additionally, we conduct automated and semi-automated tests on custom ABAP code to detect vulnerabilities. The results from these steps will be used to create attack scenarios, which will be discussed and approved by the client before execution. The outcome will provide a comprehensive insight into the overall security posture of the SAP system

Threat-driven simulation of real-world cyber attack. The scenarios may include, but are not limited to, simulations of external or internal attackers, with or without access, targeting various system components (such as internal/external infrastructure and applications) or individuals through social engineering tactics (like spear phishing or physical intrusion) to achieve a predetermined goal.Our team is experienced in conducting Thread-Led Penetration Testing for TIBER EU or DORA TLPT based tests.

Testing and evaluation of self-developed or off-the-shelf electronics, IoT, automotive or healthcare devices. Typical projects include:

• Circuit level testing (hardware hacking)
• Firmware level assessment
• Bus and interface testing, including internal and external communication channels
• Application and backend testing
  

Specialized services focusing on the automotive industry's cyber security needs. Security testing on complete cars as well as individual ECUs. Testing activities address investigation on electronics and firmware level, in-vehicle automotive buses like CAN, Automotive Ethernet or FlexRay and the connected vehicle ecosystem. Supporting OEMs and TierNs regarding regulatory requirements of UN ECE R155 (WP29) with Cyber Security Management Services (in accordance with standard ISO/SAE 21434).

Todays connected automotive ecosystems require well designed multilayer cyber security protection, from the security of ECU to ECU communication in the vehicle through backend communication and to the various connected features. A typical automobile today contains a large number of computational systems running up to 100 million lines of programming code. As vehicles continue to expand in complexity, the attack surface of an automobile also expands. A single vulnerable device can leave an entire automotive ecosystem open to attack and the potential exposure ranges from inconvenience to massive safety breakdowns.This makes the connected automotive ecosystem a valuable target for attackers and consequently it is important to be aware of potential cybersecurity risks and vulnerabilities.Deloitte has developed its unique training and demonstration environments which are ideal for practicing automotive security testing tools and techniques.

Learn more about Automotive Cyber Security Training

We cover the security needs of complex industrial environments, from the shop floor to the product and its backend environment as well. The range of tests includes, but is not limited to:

• Penetration testing on application and network-level
• Shop floor infrastructure security assessment
• Network segmentation and configuration review
• Hardware-level security testing of Industrial IoT (IIoT) devices
• Simulation of ransomware and APT attacks