FAQ

No — and anyone who claims they do isn’t being honest. Even the most thorough assessment can’t guarantee to find 100% of vulnerabilities.

Our job is to uncover as many real, exploitable weaknesses as possible — and we’re very good at that. But in security, proving something isn’t there is almost impossible. What we can do is give you deep insights, reduce your risk, and strengthen your defenses, step by step.

These terms simply describe how much information we get from you before we start testing.

Black box: We start with zero knowledge — just like a real attacker would.

White box: We get full access and documentation — so we can dig deep and fast.

Grey box: A mix of both. You share just enough to make the test efficient, realistic, and focused.

We’ll help you choose the most efficient approach based on your goals — whether it’s simulating an external threat or getting the most in-depth code review possible.

The process can vary a lot depending on the type of assessment.

You’ll find the full breakdown on the individual service pages. Or, for a quick overview of how we work in general, just scroll down. We’ve laid out the key steps so you know exactly what to expect.

It depends — every system is different, and so is the effort required to properly test it.

A simple static website takes far less time than a complex e-commerce platform with tons of functionality. That’s why we don’t do one-size-fits-all pricing.

The best next step? Reach out to us for a free initial consultation. We’ll talk about your needs, define the scope together and send you a tailored non-binding offer — no strings attached. We’re just an email away: hello@lutrasecurity.com.

Ideally, we perform assessments in a dedicated test environment. This avoids any impact on your live data or system availability and lets us work without extra restrictions.

That being said, the test environment should closely match your production setup: no debug modes or shortcuts. This makes sure the results are realistic and reliable.

If a test environment isn’t available, we can carefully test on production after a thorough risk assessment to keep things safe. In those cases, we recommend having backups or snapshots in place so everything can be quickly restored if needed.

After our assessment, your security journey can begin! We give you clear, actionable insights so you know exactly where to focus. No guesswork, no fluff. You’ll know what matters, why it matters, and how to fix it.

And since attackers prefer vulnerabilities that they can easily find and exploit, they will likely move on to an easier target.

With us, you don’t just get a report — you get the momentum to secure your app in the moment and get in the mindset to stay ahead of threats.

Lutra lutra is the scientific name of the Eurasian otter.

This clever, agile animal inspires us in two ways: As a near-threatened species, it reflects our commitment to sustainability in our philosophy. And as a skilled hunter and swimmer, it represents our work as penetration testers and mirrors how we hunt down vulnerabilities — precise, persistent, and adaptable.

Process

What does a typical service at Lutra Security look like?

  • Initial Consultation

    During an initial consultation, your specific or less specific problem will be discussed. We first clarify how we can help you and whether you need us at all.

  • Effort Estimation

    After the initial meeting, you will present the system in a scoping meeting. The underlying technology and the technical basis are explained in order to enable a well-founded effort estimation.

    Following this, you will receive a quote from us with our estimate of the effort required.

  • Kickoff

    In the kickoff, the tester’s final questions about the system are cleared up. In addition, we will discuss what the tester needs to be able to perform the assessment as efficiently as possible. In the case of a web application assessment, for example, this could be different user accounts as well as whitelisting us in the firewall.

  • Assessment

    You usually do not need to contribute during the actual assessment. However, a contact person should be made available for specific questions from the tester.

  • Reporting

    Each of our services includes a comprehensive report detailing the weaknesses and misconfigurations found and providing specific recommendations for action.

  • Debriefing & Remediation

    Of course, we don’t leave you on your own after our service is complete. We always offer a free debriefing session to discuss the results and clarify any questions.

    And naturally, we’re still there for you afterwards and are happy to answer your questions.

Get in touch

Curious? Any more questions? Call us, write a mail or book an initial meeting with one of our consultants right away! Free of charge, no strings attached!
