General Data Protection Regulation

GDPR Overview

The European Union (EU) General Data Protection Regulation (GDPR) impacts businesses across a multitude of industries such as finance, retail, healthcare, pharmaceutical, communications, and others consisting of organizations that collect, handle, process and store personal data of EU citizens. All organizations arround the world that host or possess the personal consumer data of EU citizens must comply with this regulation, irrespective of where the equipment or services are hosted, even if a non EU-based business has no employees or offices within the boundaries of the EU, the GDPR may still apply.

GDPR protects any information that can be linked to an identifiable individual such as name, ID number, location data, online identifier or other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. This even includes IP addresses, cookie strings, social media posts, online contacts and mobile device IDs. The information can be in any format (structured or unstructured) and can be transferred in any medium including online, offline, or backup storage.

GDPR demands organizations to maintain a plan to detect a data breach, regularly evaluate the effectiveness of security practices, and document evidence of compliance. Instead of specific technical direction, the regulation puts the onus on organizations to maintain best practices for data security.

Data breaches must be disclosed 72 hours after the company becomes aware.
Breach penalties include fines of up to 4% of the company’s annual revenue or 20 million euros depending on which of the two is greater!

What the regulation says

Article 5

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’

Article 32

The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.’ ‘A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of data processing.’

Article 33

Robust procedures in place to detect and investigate personal data breaches as well as report them within 72 hours to a relevant authority.

Article 35

A Data Processing Impact Assessment (DPIA) of processing operations on the protection of personal data.


Penetration testing is a valuable first step in identifying current vulnerabilities, while demonstrating how attackers can significantly impact the client’s business.
Our penetration testing services mimic an attacker’s intent on initiating unauthorized business transactions, accessing critical corporate client information, financial records and other sensitive information. By simulating technical and logical attacks to systems, networks and applications our experts provide an in-depth understanding of the security threats and methods of compromise.
The result is a detailed roadmap that helps our clients prioritize areas of weakness in their network perimeter or web applications.

Internal Penetration Test

Executed in the premises for the client with either physical or virtual presence, any attack scenario may be covered. An exhaustive set of attacks is performed, depending on the amount of knowledge and authorization. Extreme care is taken in order to respect the availability of productive IT environments, but without compromising results and risk impact. Extra focus is given on bruteforce attacks of all kinds as well as man-in-the-middle attacks, with extreme care too, due to the increasing effectiveness of the aforementioned attacks nowadays.

External BlackBox Penetration Test

Executed remotely on internet facing systems from within our premises, various BlackBox scenarios are covered including systems, applications, Firewall, WAF and/or IPS evasion techniques. Advanced reconnaissance techniques are used as well as an exhaustive set of attacks against the systems and/or applications (including web services) in scope. Bruteforce attacks of all kinds (authentication, web files/directory discovery, virtual host etc) are also honored during External BlackBox Penetration Tests due to their increasing effectiveness nowadays.

Web Application (and Services) Penetration Test

We understands that web applications and services are amongst the most common attack surfaces used by attackers in order to compromise an IT environment and thus one of the most needed of Penetration Testing services. In this regard, all kinds of web application and services Penetration Tests are performed, following our proprietary methodology, and include mainly manual, but automated tests too. Injection attacks, including but not limited to SQL, OS commands, LDAP and XML are honored here, along with attacks on Authentication and Session mechanisms due to their impact and effectiveness.

Mobile Application Penetration Test

There is no doubt that Mobile application development is one of the most rapidly growing fields of IT nowadays. This has caused great increase in Mobile Application Penetration Test demand during the last 5 years. We understand that fact and we have also gained solid experience and excellence on Mobile Application Penetration Testing during these years. Tests are performed on both Mobile OS level tests and of course on the application itself both including client and server side application tests. Emphasis is given on credentials exposure on the device itself and also on the server-side of the application, which is treated as a separate Web Service Penetration Test.

Wireless Penetration Test

Wireless networks are widely used nowadays in order to accommodate needs of corporate devices, BYOD and “guest” devices. The aforementioned and the fact that wireless networks by design allow remote access, which may exceed the limits of the owner’s premises make this kind of networks a very likely attack surface. We perform Penetration Tests on wireless networks following a holistic approach and different attack scenarios tailored to the needs of our clients. Emphasis is given on encryption mechanisms key attacks (including bruteforce) and man-in-the-middle attacks.


Regarding GDPR we offer a special service.

Instead of paying for a penetration testing and receive an overpriced PDF reports, with our SPECIAL GDPR AUDITING SERVICE you don't pay forward for the service, you only pay if we find security flaws that allow us to retrieve PII (Personally Identifiable Information), SPI (Sensitive Personal Information) or FPI (Financial Personal Information).

If we don't find any PII, SPI or FPI, you don't have to pay us anything!

And after reporting a vulnerability that we successfully exploit, we will re-test it FOR FREE, to make sure that the vulnerability has been fixed!

  • Personally Identifiable Information
  • 500
    per vulnerability breach
  • Examples are Full Name, Home Address, Email Address, Date of birth, Telephone number and Login name.
  • Sensitive Personal Information
  • 1250
    per vulnerability breach
  • Examples are Users Passwords, National identification number, Social Security number, Passport number, Vehicle registration plate number, Driver's license number, Racial or Ethnic origin, Political Party preference, Religious or Philosophical beliefs, Genetic data, Biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
  • Financial Personal Information
  • 2500
    per vulnerability breach
  • Credit card numbers, orders history or other relevant payments details

Prices are valid for vulnerabilities that allow us to retrieve information of massive individuals without the use of brute force!

We Keep Your Business In Business

The GDPR imposes significant fines for companies that fail to comply. Penalties and fines, calculated based on the company’s global annual turnover of preceding financial year, can reach up to 4% or €20 million (whichever is greater) for non-compliance with the GDPR, and 2% or €10 million (whichever is greater) for less important infringements. So, for example, if a company fails to report a breach to a data regulator within 72 hours, as required under Article 33 of the GDPR, it could pay a fine of the greater of 2% of its global revenue or €10 million.