cyber security services
We are a team of cybersecurity professionals from Ukraine. Our consulting services include the assessment and implementation of information security, as well as training and workshops.
We cover all stages of the system life cycle – from planning and engineering to security management and incident investigations. Our experience includes both security governance and deep technical skills, including software reverse engineering, 0-day vulnerability research, manual security review of source code, Red Team exercises, etc.
The highest qualification, flexibility and reliability are our main distinctions:
- Experience in information security. We work in cyber security since 2001, in different sectors. Late in 2015, we initiated the H-X project.
- International security certifications. We earned and keep up-to-date international security certifications (CISSP, CISA, CEH, OSCP, CLPTP, etc.).
- Absolute legitimacy and confidentiality. The employees of H-X technologies strictly adhere to laws, regulations, corporate Code of Ethics and Penetration Testing Code of Ethics. We are ethical, white-hat hackers. Our specialists sign your commitment forms personally, just like your employees.
- The highest customization and flexibility. Our approach allows the customer to understand more accurately what they pay for. This is our know-how and our main distinction from competitors.
- The highest quality. H-X uses modern comprehensive methodologies and tools. In every project, we develop suggestions for continuous improvement and track changes in the security of our customers over the years.
Focus
Portfolio
IT companies (both product and outsourcing ones), as well as construction, automotive, e-commerce, industrial, medical, pharmaceutical, telecommunication, retail, insurance companies, banks and governmental organizations, etc. Any company that values its information, online services, compliance, privacy and business continuity is our potential client. We negotiate with the company owners, directors, CEO, CIO, CSO, CISO, CTO, CAE, CFO, IT and security specialists, or similar roles.
Security incident response. Forensic investigations
It is always wiser and cheaper to prevent than to ‘cure’ or to ‘make an autopsy’, but if you are under attack now or require a cyber security incident investigation, you can get help here.
Our experts help mitigate and cease cyber attacks and other computer incidents, restore data and normal operations. Specialists of H-X Technologies take into account your business goals to choose the right incident response strategy and give corresponding priorities to your data integrity or confidentiality, your business continuity, identification of the attackers or their prosecution.
We provide detailed forensic examination and analysis of computers, hard drives, mobile devices and digital media. We know how to investigate difficult cases and employ cutting-edge techniques such as analysis of Random-Access Memory (RAM), registry, shadow volumes, timeline analysis and other methods.
Last few years, we have witnessed the increase of computer crimes. Criminals are becoming more aware of digital forensic and investigation capabilities, therefore use more sophisticated methods to commit their crimes without leaving usual evidences. To identify, respond, examine, analyze and report on the computer security incidents, computer forensics and digital investigation methods are constantly evolving.
Our skills include but not limited to:
- Acquiring Data and Evidence
- Live Incident Response and Volatile Evidence Collection
- Advanced Forensic Evidence Acquisition and Imaging
- File System Timeline Analysis
- Advanced File & Registry Analysis including Unallocated Metadata and File Content Types
- Discovering Malware on a Host
- Recovering Files
- Application Footprinting and Software Forensics
- Data Preservation
- System Media and Artifact Analysis
- Database Forensic
- Mobile Forensic
Managed Security and Compliance: ISO 27001, etc.
The international standard ISO/IEC 27001:2013 “Information technology – Security techniques – Information security management systems – Requirements” is the most recognized worldwide framework for building modern Information Security Management Systems (ISMS) and their official certification.
Our certifications (CISSP, ISO 27001 Lead Auditor, CISA, OSCP, CEH, etc.) allow us to cover both formal and practical aspects of security compliance and security management.
When building an ISMS or security controls, we rely not only on ISO 27001/27002 or PCI DSS, but also actively use other standards and frameworks, when this is appropriate or explicitly required by our customers or their partners. For example, ISF SoGP (Information Security Forum Standard of Good Practice for Information Security), COBIT (Control Objectives for Information & Associated Technologies), VDA ISA (Verband der Automobilindustrie - Association of the Automotive Industry - Information Security Assessment), TISAX (Trusted Information Security Assessment Exchange), ISO/TS 16949, ASPICE (Automotive Software Performance Improvement and Capability dEtermination), HIPAA (Health Insurance Portability and Accountability Act), GDPR (General Data Privacy Regulation), and so on.
Our approach to implementation begins with simple steps in order to give you the first value for free, to introduce you to the process and to allow you to understand clearly the essence of the implementation works and your role in them.
Audit of Smart Contracts
We review and verify project specifications and the source code of smart contracts to assess their overall security, with a focus on weaknesses and potential vulnerabilities. We complement our findings with solutions that mitigate the risk of future attacks or loopholes.
PROBLEMS OF SMART CONTRACTS
- Inconsistency between specification and implementation
- Flawed design, logic, or access control
- Arithmetic overflow operations (integer overflow and underflow)
- Reentrancy attacks, code injection attacks, and Denial of Service attacks
- Exceeded limits on bytecode and gas usage
- Miner attacks on timestamp and ordering, transaction-ordering dependence (TOD)
- Race conditions, other known attacks and access control violations
METHODS AND TOOLS
Our audits of smart contracts comply with the following requirements:
- The goal of the smart-contract audit is a meticulous code analysis to find security flaws and vulnerabilities.
- The security audit is performed using a combination of manual and automated tools and techniques to identify vulnerabilities within the target environment and to model their exploitation.
- The smart contract audit includes the following stages:
- The tests are conducted by a team of specialists with more than 17 years experience in different IT security domains; CISSP, OSCP, CISA and CEH certification holders.
- In general, the code review follows the best practices: Solidity Style Guide and Ethereum Smart Contract Security Best Practices.
The tools we use: Slither, securify, Mythril, Sūrya, Solgraph, Truffle, Geth, Ganache, Mist, Metamask, solhint, mythx, etc.
VDA ISA and TISAX implementation
International information security standard VDA ISA was developed by the German Association of the Automotive Industry VDA (Verband der Automobilindustrie) based on ISO/IEC 27001 and 27002 standards.
Our certifications (CISSP, ISO 27001 Lead Auditor, CISA, OSCP, CEH, etc.) allow us to cover both formal and practical aspects of security compliance and security management.
The standard VDA ISA (Information Security Assessment) contains strictly structured information security assessment criteria, KPIs and additional optional modules:
- Connection to 3rd parties
- Data protection
- Prototype protection
TISAX (Trusted Information Security Assessment Exchange) is a framework for VDA ISA which allows independent vendors to share their certification and assessment results with their customers (usually from the automotive industry).
When building an Information Security Management System (ISMS) and security controls, we rely not only on ISO 27001/27002, VDA ISA and TISAX requirements, but also actively use other standards and frameworks, when this is appropriate or explicitly required by our customers or their partners. For example, ISO/TS 16949, ASPICE (Automotive Software Performance Improvement and Capability dEtermination), GDPR (General Data Privacy Regulation), and so on.
Our approach to implementation begins with simple steps so that you receive the first results for free. That would also introduce you to the process and help you understand how the implementation works and your role in it.
Security audit and Penetration testing
Penetration testing (pentest, pen-test) — is a security assessment of IT systems, personnel or the whole organization, using ethical hacking methods ("white hat"). Security experts simulate the behavior of computer criminals to assess whether unauthorized access, leakage of confidential information, interruption of service, physical intrusion, or other security incidents are possible. Pentest is not only an automated vulnerability scan, but mostly manual work. Depending on your preferences, the pentest may include interaction with your staff (social engineering).
We have a wide, deep and unique experience and competence in IT and corporate security. Both in GRC (Governance, Risk management and Compliance), and in technical security. Both in Defensive Security and Offensive Security.
We are highly qualified, flexible and reliable:
- Experience in information security
- International security certificates
- Absolute legitimacy and confidentiality
- Highest customization and flexibility
- Highest quality
Our pentests are at the highest level: reverse engineering, 0-day vulnerability research, Red Team, etc.
- We participate in and win CTF and bug bounty.
- We effectively do security analysis of source code and find vulnerabilities and problems that even commercial static security scanners cannot find.
- We have rare competencies, such as the auditing of smart contracts.
- We teach software architects, developers and testers how to program securely.
- We have decades of experience in large international corporations.
Security of industrial information technology (IT) and operational technology (OT)
Security of industrial information technology (IT) and operational technology (OT): Industrial Control System (ICS) and Supervisory Control And Data Acquisition (SCADA)
We provide Industrial IT/OT Security audit, implementation and training services together with our partners AT Engineering (ATE). This is a team of software, electrical and industrial process engineers who specialize in the field of industrial automation. The experience in industrial automation and software of ATE's staff begins in 1995, and they have completed more than 120 projects. Since 2005, they have completed more than 80 projects with an average capacity of 500 man-hours each.
Our international certifications in industrial IT/OT security are ISA CFS and CRS. Our international certifications in general information security are ISC2 CISSP and SSCP, ISACA CISA, Offensive Security OSCP, EC-Council CEH, ISO 27001 Audit/Implementation and others.
To show the level of our competence and erudition, the methods and tools that we use in everyday work are listed below.
For audits, consultations and implementations in the field of security of technological processes, operations, equipment and software of industrial IT/OT, we use the following standards, frameworks and methodologies:
- ISO/IEC 27001, VDA/TISAX
- ISA99, ISA/IEC 62443
- North American Electric Reliability Corporation (NERC) Reliability and Security Guidelines
- NIST SP 800-82 Guide to Industrial Control Systems (ICS) Security, NIST Framework for Improving Critical Infrastructure Cybersecurity
- DHS guidelines for critical infrastructure protection and the Critical Infrastructure Protection framework
In the field of assessment and implementation of OT security, we work at the level of specific vendors. For example, we work with Siemens PLCs using Step7 and TIA Portal, with Schneider Electric equipment using Concept, UnityPro and SoMachine, with Mitsubishi using GX Works, with Omron using CXOne, with Carel using 1tool and with Wago using CoDeSys.
In urgent cases, when it comes to preventing great material damage from a security incident, we are able to reverse engineer not only industrial software code, but also proprietary industrial protocols.
We assess the security of SCADA computers and switches using common automatic and semi-automatic tools (vulnerability databases and scanners, exploits, IDS, IPS, EDR, SIEM, SOAR, etc.) with special configurations, and we also do manual analysis of SCADA scripts and other source code in white box mode.
Security analysis of source code
Get an outstanding level of security with our automated and manual analysis of source code of your applications, smart contracts, services and software components!
You never get such level of assurance with penetration testing, solely automated code review or any other security activities. This service can be delivered as a separate project, in combination with white-box penetration testing or as a part of Application Security or Security Assessment services.
Check out our business cases of security analysis of source code.
The objective of this analysis is security assessment of the source code of your systems or applications: checking integrity and consistency of your code, secure coding principles, finding unsafe or deprecated functions, hidden logical bombs and traps, backdoors, undocumented features, non-optimal coding practices and OWASP top 10 vulnerabilities.
We support the following languages:
- .Net/ASP.Net
- Java EE (JBoss, Tomcat, etc.)
- Java Android
- Objective-C/Swift iOS/MacOS
- PHP
- Javascript
- Python
- C/C++/Assembler
- Solidity
- Golang
- Lua
- your language or platform.
To achieve the objectives, the auditors use two methods:
- SAST (Static Application Security Testing), which allows analyzing source code for known vulnerabilities using automated tools.
- Manual source code review and analysis, in order to reveal unsafe and non-optimal coding practices, hidden logical bombs and traps, backdoors and undocumented features.
Reviews
the project
ISO Certification Consulting for Collaboration App
"They’re efficient and show a sense of urgency."
the reviewer
the review
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
Introduce your business and what you do there.
I’m the operations director at a software company. Our main product is a project planning and collaboration application.
What challenges were you trying to address with H-X Technologies?
We wanted to become ISO certified.
What was the scope of their involvement?
Initially, they provided application testing and network testing services. They’re currently acting as a consultant by helping us plan and implement the requirements for being ISO certified.
What is the team composition?
I work with two people, including the CEO.
How did you come to work with H-X Technologies?
I researched a lot of different companies and scheduled some interviews. We also reached out to our network to see if we knew anyone that had worked with the companies we were considering. H-X Technologies came highly recommended.
How much have you invested in them?
We spent about €6,000–€8,00 (approximately $7,222–$9,630 USD).
What is the status of this engagement?
We started working together in August 2020. The initial testing project was done by the end of September 2020. However, we currently have them on retainer.
What evidence can you share that demonstrates the impact of the engagement?
We’re happy with the work that they’ve provided. We turned over H-X Technologies’ reports to some of our customers, and they were impressed. Feedback has been positive. Our customers feel confident that our product is secure.
How did H-X Technologies perform from a project management standpoint?
They do very well. They move quickly and deliver on time. We also have them work within our project management platform to keep things streamlined and organized.
What did you find most impressive about them?
They’re efficient and show a sense of urgency. Even under tight deadlines, they don’t compromise the quality of their work.
Are there any areas they could improve?
They could set up electronic signature capabilities for important documents.
Do you have any advice for potential customers?
Have phone calls or Zoom calls with them. It’s better than email.
the project
White & Grey Box Penetration Testing for IT Services Firm
"H-X stood out in terms of price relative to the impressive work they delivered."
the reviewer
the review
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
Introduce your business and what you do there.
I’m the CTO of astarios. We’re specialized in nearshore IT services and originally worked in the area of software development. We expanded to cybersecurity as of 12–18 months ago. I'm responsible for the technical aspects of customer projects.
What challenge were you trying to address with H-X Technologies?
We had a customer in the med-tech field who’d created a couple of online contact services for the first time. The main focus of the project was doing a penetration test on those new services.
What was the scope of their involvement?
We had two scopes of work: a white-box penetration test on the client’s new case registration form, and a gray-box text on their 3CX VoIP system. This is what H-X Technologies did for us on this project.
What is the team composition?
I worked directly with their CEO and the white-hat penetration tester in charge of the team.
How did you come to work with H-X Technologies?
I’d known their CEO for a couple of years, but this was the first project we did together. I picked H-X because I’d monitored their work and liked the results. They also had a good price point. I didn’t really bother comparing them to competitors.
How much have you invested with them?
The cost of their work was around €6,000 ($7,000 USD).
What is the status of this engagement?
The project ran between August–October 2020. We’re building on this initial success, and we plan to continue the collaboration with H-X.
What evidence can you share that demonstrates the impact of the engagement?
We originally planned one penetration test, but the customer was so happy with the results that they initiated the second one. H-X Tech’s timing and quality of deliverables were excellent. They delivered a huge report, which was impressive to our client.
How did H-X Technologies perform from a project management standpoint?
We communicated using Telegram, and they were very responsive. Any questions we had were answered within 15–30 minutes. We had a lot of questions and overall communication, and I can’t say anything bad on this front. The statement of work was 1–2 pages, and it was quite clear on what should be delivered so we didn’t need any project management tools. A penetration test takes 5–7 days, so it was a pretty short project. It wasn’t something that needed heavy management.
What did you find most impressive about them?
I come from Switzerland, which is a very expensive country. H-X stood out in terms of price relative to the impressive work they delivered. There is nothing negative to be said.
Are there any areas they could improve?
In the context of this engagement, I really have no advice for them.
Do you have any advice for future clients of theirs?
Thinking of the work I did with H-X, there’s really nothing to watch out for. It was all pretty straightforward and detailed, and we got reports at the end of the day. It exceeded my expectations.
the project
Gray Box Testing for Cybersecurity Assessment Software Firm
"They step into negotiations easily and are confident with their knowledge."
the reviewer
the review
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
Introduce your business and what you do there.
I’m a core product owner at a cybersecurity assessment software firm. We’ve been in the market for about 18 years. I’m responsible for all the analytics, networking, architectural solutions, and product security.
What challenge were you trying to address with H-X Technologies?
We had an internal and external obligation to perform the security assessment on our software and publish the public available report to outside. The vendor we used to work with for penetration testing didn’t match our criteria and we weren’t too happy with the results. I started to look for a replacement.
What was the scope of their involvement?
We outlined the scope quite sharply. I gave them the exact amount of applications and the web pages they needed to test. We gave them all the required users with the privileges that they asked for. It was gray box testing. They knew partial information about our system and tested three web applications, the platforms, some internal components, and the REST API.
We are giving them some time for the security assessment. Then we’ll take the report and findings and fix everything. We have outlined timeframes to do this. Then we will install the environment for them to retest. After the retest, our partnership may be considered closed. Then we will start another one.
In our particular case, we weren’t purchasing a single service. We were purchasing a cyclic relationship to use twice a year. They started with the security assessment. They fixed everything and retested it. Everything goes in a time frame of half a year. Immediately, they start an additional cycle. In our case, we needed someone who knew the job.
What is the team composition?
I have direct contact with their CEO. He was and always is available for me. The day we started the assessments, the project manager stepped into the picture.
How did you come to work with H-X Technologies?
I did a Google search and picked out four different candidates, engaging in negotiations with each of them one-by-one. They did demos and sessions and we chose H-X Technologies. They matched our criteria for the clarity of the report, their availability, and the structure of their project management. I did some research and asked for some recommendation context from them. They gave me two information security managers from the other companies they performed similar services for. I talked to each one and it was okay. I gave them my requirements to be fulfilled and they agreed on it.
How much have you invested with them?
They are much cheaper than their competitors.
What is the status of this engagement?
We started working together in August 2019 and the work is ongoing.
What evidence can you share that demonstrates the impact of the engagement?
The impact on our organization is huge. I’ve chosen them because I found them to be a perfect combination of their professionalism, price, and simple negotiations.
How did H-X Technologies perform from a project management standpoint?
The project manager was supposed to put all the things together and connect between us, the customer, and their professional team. Everything is clear. They don’t miss any details. The project manager asked what platform was most preferable for me and I chose WhatsApp. She created a group and put all the testers, security guys, and the CEO in it. All the communication was through this channel. I didn’t ever need to ask for anything. Everything was smooth and transparent. She sent me the intermediate reports week by week. Every week, she sends me a draft so we could prepare for our part of the job from our end. We also use Zoom and email.
What did you find most impressive about them?
All of their professionals have a high degree from university. They’re not just taking three-month courses. All of them have huge experience in this industry. They step into negotiations easily and are confident with their knowledge. All these small things are actually bringing in customers.
Are there any areas they could improve?
I can’t think of anything. I feel comfortable with everything I got from them.
Do you have any advice for potential customers?
They’re extremely professional. The potential customer must outline exactly what their expectations and needs are.
the project
Information Security Testing for Stock Exchange Company
“Their skills were very good, and they also have integrity.”
the reviewer
the review
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
Introduce your business and what you do there.
I’m an information security officer at a stock exchange company.
What challenge were you trying to address with H-X Technologies?
In our company, we follow strict policies. Before going live, we needed help doing security assessments, which included penetration testing as well as other information security tests.
What was the scope of their involvement?
They did the security assessment testing. In short, they did gray box testing, which means they performed static analysis, dynamic testing, and static testing. That includes fuzzing testing and penetration tests. They also performed a partial code review as well.
What is the team composition?
There are people responsible for different tasks on the team. We had a project manager and we had other people who had different roles.
How did you come to work with H-X Technologies?
We conducted a procurement process, and H-X Technologies was the winner of the bid. Before distributing an RFP, we did a market analysis. We of course looked at the skills the company has. Security assessment is very highly dependent on skills, and we invited several companies. We chose H-X because we had a good reference from other companies and their team’s skills were among the best. Their price was reasonable, and their approach to security testing met our requirements.
How much have you invested in them?
We spent between $5,000–$10,000.
What is the status of this engagement?
We began working with them in January 2020, and it is ongoing as we haven’t finished yet.
What evidence can you share that demonstrates the impact of the engagement?
Since I am an information security officer, I understand the work they are doing. They would provide us with reports, and I checked the progress.
How did H-X Technologies perform from a project management standpoint?
They’re good. We had weekly calls, and everything was on time. We were behind by a week, but that was because we hadn’t prepared the environment on time, and wasn't from their side.
If I had any concerns or we needed to make any changes in their methodology I would let them know. We didn’t have much to change, and they were very good and very quick to respond. They also provided us with recommendations as well which helped us save time.
What did you find most impressive about them?
Their skills are impressive and they have a very good team. For example, when comparing them to a local company here which only has one team member with a certain certification, on their team, each person has this certification. Their skills were very good, and they also have integrity.
Are there any areas they could improve?
They are located in a different country so we do have a time difference between us. If they had an office in our city, it would be excellent. There were times when we didn’t get a quick response but that was because they were sleeping when we were working.
Do you have any advice for potential customers?
If you have a clear statement of work, everything will go smoothly.
the project
Cybersecurity for Cloud IT Solutions Company
"They know what they're doing."
the reviewer
the review
The client submitted this review online.
Please describe your company and your position there.
I’m managing director of Germany IT / product company AMERIA AG in Ukraine.
For what projects/services did your company hire H-X Technologies?
We develop a product Connected Experience and we had to get to another level of security and get automotive related ISO certificate called TISAX. Then we also orders back and grey box Pentest and still working on monthly fee to have permanent security officer from UA side.
What were your goals for this project?
We had to get a new level of official automotive certification TISAX
How did you select this vendor?
The company did security training for us in the past. We decided to go with them. But we made analysis of couple of other companies also from Germany.
Describe the project in detail.
We’ve got a full time person for TISAX preparation and constant consulting from the company. We planned many activities by flying to Germany to HQ many times and got on to the level to make an exam.
What was the team composition?
We had one full time employee from the company, me - accountable and then doing the exam, German security officer and couple of background people helped from both sides.
Can you share any outcomes from the project that demonstrate progress or success?
We are TISAX certified, also made pentests, improved security of our software
How effective was the workflow between your team and theirs?
All was fine, liked response time and permanent cooperation
What did you find most impressive about this company?
They know what they're doing; they are great consultants.
Are there any areas for improvement?
Can’t say so at the moment
the project
Audit & Penetration Testing for Construction Company
"We are completely satisfied with the work of H-X Technologies. Their colleagues fulfilled all our expectations."
the reviewer
the review
The client submitted this review online.
Please describe your company and your position there.
Our company is one of the biggest build company in Kazakhstan.
For what projects/services did your company hire H-X Technologies?
Information security was introduced not so long ago In our company, so it became necessary to conduct an external audit for vulnerabilities and weaknesses
What were your goals for this project?
We wanted to see our weaknesses in business processes, infrastructure and web applications being developed
How did you select this vendor?
We were looking for a company that would suit us according to the principle: price-quality. Compared the methods and tools of the audit, requested samples of reports at the exit. As a result, two companies remained and the choice was made by H-X Technologies.
Describe the project in detail.
A project plan was developed, and online meetings were organized every week throughout the project. To conduct an audit of ISO27001, auditors came to our office for 2 days, other work was done remotely
What was the team composition?
Roles and responsibilities in each area were identified. I contacted a senior auditor who came to our office in person. The project leader was contacted only via Skype
Can you share any outcomes from the project that demonstrate progress or success?
As a result, we received detailed reports in two areas of the project. Vulnerability report, process maturity assessment, general assessment of the information security status of our company. Recommendations for improving processes and enhancing protection against potential threats
How effective was the workflow between your team and theirs?
From the very beginning, the stages of the project were determined, all the work was done on time. Throughout the joint work, no conflicts arose.
What did you find most impressive about this company?
Colleagues showed a good and confident level of professionalism. All work was carried out clearly: from the start of negotiations to the presentation of the final report
Are there any areas for improvement?
We are completely satisfied with the work of H-X Technologies. Their colleagues fulfilled all our expectations.
the project
Cybersecurity Services for Migration Software Company
"H-X Technologies has proper security practices."
the reviewer
the review
A Clutch analyst personally interviewed this client over the phone. Below is an edited transcript.
Introduce your business and what you do there.
I’m an IT project manager for FluentPro. Our main office is located in Redmond, Washington, but we have a customer care team in Ukraine as well as a development team and other resources.
What challenge were you trying to address with H-X Technologies?
We have cloud-based applications and provide cloud services for project and portfolio management to customers working with Microsoft Project. One of our goals was to find a third-party enterprise that could do a penetration testing audit for us. Our cloud service provider is G Suite, and we identified H-X Technologies as an external provider for a security audit and penetration test for our service.
What was the scope of their involvement?
H-X Technologies conducted a security audit of our cloud infrastructure. This included an analysis of the kinds of security gaps we had on our cloud service and an external penetration testing of our application. Specifically, it was gray-box penetration testing. We provided them access to our cloud platform but without any login credentials or other details. We wanted to see how hackers from the outside world could enter our system.
I believe they tested the application for one month and provided us with a penetration test report with recommendations on what we should improve in our company and solutions. After some research and after following their recommendations, we mitigated the high-risk exposures and relaunched the website. They performed another brute-force and penetration test after we took those mitigation measures, and worked according to OWASP 10.
How did you come to work with H-X Technologies?
I assessed different providers in Ukraine and H-X Technologies had very good reviews from other companies. They also had a great price and quality according to those reviews. We had a call with them, and they satisfied our requirements for the basic security tests we needed.
How much have you invested with them?
We invested $4,000 on this project.
What is the status of this engagement?
The collaboration lasted for three months and ended six months ago, around April 2019. There was a pre-security assessment, the testing itself, and a retesting after following their recommendations.
What evidence can you share that demonstrates the impact of the engagement?
H-X Technologies was contracted for three months to look for various kinds of vulnerabilities, according to OWASP 10. In terms of success, they found vulnerabilities that were critical for our project. Every security company has its own approach for security testing, and we couldn’t know what kind of vulnerabilities H-X Technologies would find, so we didn’t track exact metrics.
How did H-X Technologies perform from a project management standpoint?
Project management was handled well. They sent us project status reports once a week and we always got effective communication from their side. They also sent us two kinds of reports that were agreed upon in the contract.
What did you find most impressive about them?
H-X Technologies has proper security practices. We checked a lot of things following the security assessment on our side as well and found the same vulnerabilities. Overall, H-X Technologies did an extensive assessment. They also provided an internal report for our company, along with a report we could show customers without confidential information around our vulnerabilities.
Are there any areas they could improve?
I haven’t dealt with other security companies, so I don’t have a something to H-X Technologies with. We had a really good experience.
Do you have any advice for future clients of theirs?
I’d definitely recommend them to others, and we plan to use some of their services in the future for an ISO 27001 certification and other security audits.
Both internal and external stakeholders are impressed with H-X Technologies’ work. They work quickly to meet deadlines, but they never compromise the quality of their work.