Penetration Testing &
Vulnerability Assessments
Don’t pay an IT company to do what ComplyAuto already does for you.
Included with our Privacy platform, we offer the ONLY dealer compliance platform to perform a true integrated penetration test.
Compliance is Complicated.
We Make It Easy.
The average cost for full internal penetration testing is upwards of $20K in value.
Let us do the hard work for you. By leveraging a true penetration test, you can stay compliant and gain peace of mind.
FTC Safeguards & GLBA Compliant
Maintain compliance with the revised FTC Safeguards Rule (and GLBA).
Automate Processes
Reduce manual tasks and the risk of error with effective automation.
A True Penetration Test
The only penetration test that uses the MITRE ATT&CK framework to protect your data.
On-Demand Penetration Testing
Traditional pentesting methods only give you a snapshot of your security at one point in time, and that’s not enough to keep up with a constantly changing threat landscape and your own digital footprint.

Device Attack Capabilities
A true penetration test uses the MITRE ATT&CK framework to protect your business.
ComplyAuto delivers the only penetration test on the market that exceeds every expectation.
Read the descriptions below of our attack phases to understand how they protect your data.
Scanning
Probing a given network to identify active IP addresses, ports and topology details, and discovering all related hosts, servers and devices
Enumeration
Extracting machine data, user data, hostnames, network resources/shares, file system and other services by creating an active connection to a given system
Vulnerability Assessment
Scanning the active hosts for known vulnerabilities
Sniffing Credentials
Intercepting network traffic and host-related data to extract user credentials with a focus on privileged users, including AD domain accounts and local accounts
Password Cracking
Using multiple measures to recover cleartext passwords of users, hosts and servers by cracking password hashes from data stored in – or transported from – a system using a combination of brute-force and dictionary techniques
Relay
Intercepting communications between two parties and relaying the data to another (third-party) device, including network-based MITM techniques
Remote Code Execution (RCE) and Defense Evasion
Utilizing multiple methods for remote code execution on a given system by using defense evasion capabilities to bypass AV/EDR detection mechanisms and open a Command and Control (C&C) channel to control the attack on the targeted device
Data Gathering
Gathering additional data from the endpoint, including security products, network access details, domain/local credentials, browser credentials/history, the Security Account Manager (SAM) file, and access to cloud/on-premise critical services and apps
Lateral Movement
Managing a dedicated extraction procedure of authentication material to be able to pivot laterally to new endpoints across the network
Privilege Escalation
Using remote and local techniques to escalate permissions from a non-privileged user to being able to execute code with high permissions
Data Exfiltration & C&C
Transferring data from a targeted endpoint triggered by takeover of a device
Impact
Disrupting availability or compromising integrity by manipulating business and operational processes. ComplyAuto emulates adversary impact techniques while ensuring 100% safety of operation
Web Application Assessment
Running comprehensive assessments on web applications to detect vulnerabilities with a focus on exploitable vulnerabilities, mapped to the OWASP Top 10 list
Cleanup
Removing residues and forensic artifacts created by ComplyAuto’s ethical attacks
ComplyAuto Penetration Testing Capabilities Mapped to the MITRE ATT&CK Matrix
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command & Control | Exfiltration |
|---|---|---|---|---|---|---|---|---|---|---|
| Exploit Public-Facing Application | Command and Scripting Interpreter | Create Account | Abuse Elevation Control Mechanism | Access Token Manipulation | Brute Force | Account Discovery | Exploitation of Remote Services | Automated Collection | Application Layer Protocol | Automated Exfiltration |
| Trusted Relationship | Exploitation for Client Execution | Scheduled Task/Job | Access Token Manipulation | BITS Jobs | Credentials from Password Stores | Cloud Infrastructure Discovery | Lateral Tool Transfer | Clipboard Data | Data Encoding | Exfiltration Over C2 Channel |
| Valid Accounts | Inter-Process Communication | BITS Jobs | Exploitation for Privilege Escalation | Deobfuscate/Decode Files or Information | Exploitation for Credential Access | Cloud Service Discovery | Remote Services | Data from Information Repositories | Data Obfuscation | Exfiltration Over Alternative Protocol |
| | Native API | Valid Accounts | Group Policy Modification | Direct Volume Access | Forced Authentication | Domain Trust Discovery | Software Deployment Tools | Data from Local System | Dynamic Resolution | |
| | Scheduled Task/Job | Create or Modify System Process | Process Injection | Exploitation for Defense Evasion | Man-in-the-Middle | File and Directory Discovery | Taint Shared Content | Data from Network Shared Drive | Encrypted Channel | |
| | Software Deployment Tools | Hijack Execution Flow | Scheduled Task/Job | Group Policy Modification | Modify Authentication Process | Network Service Scanning | Use Alternate Authentication Material | Data from Removable Media | Fallback Channels | |
| | System Services | | Valid Accounts | Hide Artifacts | Network Sniffing | Network Share Discovery | Internal Spear Phishing | Man-in-the-Middle | Ingress Tool Transfer | |
| | Windows Management Instrumentation | | | Indicator Removal on Host | OS Credential Dumping | Network Sniffing | | Screen Capture | Multi-Stage Channels | |
| | | | | Indirect Command Execution | Unsecured Credentials | Password Policy Discovery | | Email Collection | Non-Application Layer Protocol | |
| | | | | Masquerading | Input Capture | Permission Groups Discovery | | Data Staged | Non-Standard Port | |
| | | | | Modify Authentication Process | | Process Discovery | | | Protocol Tunneling | |
| | | | | Modify Registry | | Query Registry | | | Proxy | |
| | | | | Network Boundary Bridging | | Remote System Discovery | | | | |
| | | | | Obfuscated Files or Information | | Software Discovery | | | | |
| | | | | Process Injection | | System Information Discovery | | | | |
| | | | | Rogue Domain Controller | | System Network Configuration Discovery | | | | |
| | | | | Signed Binary Proxy Execution | | System Network Connections Discovery | | | | |
| | | | | Trusted Developer Utilities Proxy Execution | | System Owner/User Discovery | | | | |
| | | | | Use Alternate Authentication Material | | System Service Discovery | | | | |
| | | | | Valid Accounts | | | | | | |
| | | | | XSL Script Processing | | | | | | |

Vulnerability Scanning
Regularly challenge your network and identify exploitable vulnerabilities on your internal network, web-facing assets, and cloud environment.
Reduce Cyber Risk Exposure
Surgically identify and eliminate critical gaps with algorithm-based automated security validation.
Cut Third-Party Testing Costs
Test your security posture on-demand without relying on manual audits and outsourced services.
Increase Team Productivity
Provide your team with a clear roadmap to remediation, prioritized based on business impact.

Privacy & Penetration Testing Overview
Learn how ComplyAuto can provide the #1 most widely used software for dealership consumer privacy and data security compliance.
Ready to get started?
Don’t wait any longer. Take action today and request a free demo to speak with an expert about our latest innovations.
Company Footprint
#1
Recommended Compliance Solution
10,000+
Active Dealers Nationwide
43/50
State Dealer Association Endorsements
200+
Years of Combined Automotive and Legal Experience
