No, even our assessments do not find all vulnerabilities. Finding every vulnerability is a false promise that we cannot make to our customers.

In principle, only the existence of weak points can be proven; the opposite is not possible in most cases.

This can vary greatly from service to service. On the respective service page, the procedure is explained in detail.

For a general overview of our process, you can simply scroll down.

Ideally, the assessment takes place on a suitable test environment. This avoids data loss and availability impact on the production environment and allows the test to be performed without special precautions. However, the test environment should be as close as possible to the production environment. Specifically, this means that debug settings, for example, should be turned off, just as they are in production.

If this is not possible, testing can also be performed on a production environment after a risk assessment.

Lutra lutra is the scientific name of the Eurasian otter.

As a near-threatened species, the otter represents our sustainability philosophy; as an agile hunter and swimmer, it represents our work as penetration testers.

These terms describe how much information is available to the tester at the beginning of the assessment. If we do not receive any information, this is referred to as a black-box assessment. The counterpart to this is the white-box assessment, in which the tester receives all available information.

The grey-box assessment represents a hybrid approach. Here, the information needed to make the test as efficient as possible is discussed with the tester before the assessment.

Since we work on an effort basis, it is difficult to give a general answer. For example, a vulnerability assessment of a complex shop system is much more time-consuming than testing a static web application.

Therefore, please feel free to contact us for an initial meeting where we can define a possible scope together: [email protected]

An assessment is not a guarantee for a secure application. Rather, it should be seen as a tool to help understand existing risks and continuously increase the level of security.

Additionally, attackers prefer vulnerabilities that they can easily find and exploit. With a high level of security, you thus reduce the risk of a successful attack.

What does a typical service at Lutra Security look like?

  • Initial meeting

    During an initial consultation, your problem, whether already clearly defined or not, will be discussed. We first clarify how we can help you and whether you need us at all.

  • Effort estimate

    After the initial meeting, you will present the system in a scoping meeting. The underlying technology and the technical basis are explained in order to enable a well-founded effort estimation.

    Following this, you will receive a quote from us with our estimate of the effort required.

  • Kickoff

    In the kickoff, the tester’s final questions about the system are cleared up. In addition, we will discuss what the tester needs to be able to perform the assessment as efficiently as possible. In the case of a web application assessment, for example, this could be different user accounts as well as whitelisting us in the firewall.

  • Assessment

    You usually do not need to contribute during the actual assessment. However, a contact person should be made available for specific questions from the tester.

  • Reporting

    Each of our services includes a comprehensive report detailing the weaknesses and misconfigurations found and providing specific recommendations for action.