

DWA Services
Vulnerability Assessing and Penetration Testing (VA-PT)
Standalone or Complementary-Supplementary Engagements Available

DWA’s Vulnerability Assessing and Penetration Testing Engagement (VA-PT) is designed to help high-trust organizations understand how attackers could realistically compromise systems and data, and what to fix first. The engagement aligns with the expectation that effective security comes from layers of controls, monitoring, and independent testing, and that testing should be planned, risk-based, and followed by prompt corrective action.
This service uses vulnerability assessing to find and prioritize weaknesses, and penetration testing to validate exploitability where it is appropriate and feasible - so leadership receives evidence-based results, not guesses.

How DWA approaches testing
Vulnerability Assessing and Penetration Testing activities can use similar tools, but they are not the same thing:

- Vulnerability Assessing identifies security vulnerabilities and corrective actions, typically with tester access to systems being assessed.
- Penetration Testing performs real-world attack techniques to determine how far a system can be compromised before detection and how effective the response mechanisms are.

Because penetration testing is not usually comprehensive by itself, it should be combined with other control and monitoring methods - which is exactly how we position it within the broader risk and control environment.

What we cover
A standard VAE PTE engagement may include:

- External website and internet presence vulnerability assessments (public facing sites, discoverability, and exposure points).
- External network vulnerability assessments (public IP ranges and externally reachable services).
- Internal network vulnerability assessments (internal subnets, systems, and configurations).
- Targeted penetration tests that attempt exploitation of discovered vulnerabilities, as approved and as feasible at time of discovery.

Testing methods combine automated and manual techniques and may include widely used security testing utilities for web applications and network vulnerability discovery.

What you receive

The VA-PT Report is the written deliverable that documents:

- what was assessed and tested;
- what vulnerabilities were identified;
- which issues were confirmed as exploitable (when testing is performed);
- and what actions will reduce risk the fastest.

It is structured to support both technical remediation and management decision making, with clear prioritization and practical recommendations.

It includes:

- A clear Engagement Description explaining what was assessed, where testing occurred, and the overall approach.
- A Findings Summary that prioritizes issues using a Criticality / Exploitability Matrix by category (for example: external websites, external network, internal network).
- Detailed Findings, Interpretations, and Recommendations, organized by area (websites/internet presence, external network, internal network) so your team can remediate efficiently.
- Appendices for traceability and transparency, including:
  - Evidence document listings (typically supported by accompanying evidence files);
  - Reference resources (regulatory and standards references commonly used in financial services security oversight);
  - Acronym definitions for readability.
- We also conduct an exit meeting to walk through results, answer questions, and ensure findings and next steps are understood before you move into remediation planning.

The outcome: prioritized fixes, validated risk

The point of this engagement isn’t to generate a long list of issues - it’s to help you quickly answer:

- What matters most?
- What is actually exploitable?
- What should we remediate first to reduce risk fast?

Contact us to discuss your needs, pricing, timelines, and the best approach for your organization.