Penetration Testing Services in India — คู่มือบริการทดสอบเจาะระบบ 2026
Penetration Testing (Pentest) คือการทดสอบความปลอดภัยของระบบ IT โดยจำลองการโจมตีจริง เพื่อค้นหา vulnerabilities ก่อนที่ hacker จะใช้ประโยชน์ได้ อินเดียเป็นตลาด cybersecurity ที่เติบโตเร็วที่สุดในเอเชีย มีบริษัท pentest มากมายที่ให้บริการทั้งในประเทศและ international clients ด้วยต้นทุนที่แข่งขันได้ บทความนี้รวบรวมข้อมูลเกี่ยวกับ penetration testing services ในอินเดีย ประเภทของ pentest frameworks ที่ใช้ และ Python tools สำหรับ automated testing
ประเภทของ Penetration Testing
# pentest_types.py — Types of penetration testing
import json
class PentestTypes:
TYPES = {
"network": {
"name": "Network Penetration Testing",
"description": "ทดสอบ network infrastructure — routers, switches, firewalls, servers",
"targets": "IP ranges, open ports, network services, VPN, Wi-Fi",
"tools": "Nmap, Metasploit, Wireshark, Responder",
},
"web_app": {
"name": "Web Application Penetration Testing",
"description": "ทดสอบ web applications — OWASP Top 10 vulnerabilities",
"targets": "Web apps, APIs, authentication, session management",
"tools": "Burp Suite, OWASP ZAP, SQLMap, Nikto",
},
"mobile": {
"name": "Mobile Application Penetration Testing",
"description": "ทดสอบ Android/iOS apps — reverse engineering, API security",
"targets": "Mobile apps, local storage, API endpoints, certificates",
"tools": "Frida, MobSF, Objection, APKTool",
},
"cloud": {
"name": "Cloud Penetration Testing",
"description": "ทดสอบ cloud infrastructure — AWS, Azure, GCP misconfigurations",
"targets": "IAM policies, S3 buckets, VPCs, serverless functions",
"tools": "ScoutSuite, Prowler, CloudSploit, Pacu",
},
"social": {
"name": "Social Engineering Testing",
"description": "ทดสอบ human factor — phishing, vishing, physical access",
"targets": "Employees, email security, physical security",
"tools": "Gophish, SET (Social Engineering Toolkit), King Phisher",
},
"red_team": {
"name": "Red Team Assessment",
"description": "จำลองการโจมตีแบบเต็มรูปแบบ — ใช้เทคนิคหลากหลาย ไม่จำกัด scope",
"targets": "ทั้งองค์กร — network, apps, people, physical",
"tools": "Cobalt Strike, C2 frameworks, custom tools",
},
}
APPROACHES = {
"black_box": "ไม่มีข้อมูลเกี่ยวกับ target — เหมือน hacker จริง",
"white_box": "มีข้อมูลทั้งหมด (source code, architecture, credentials) — ทดสอบลึกที่สุด",
"gray_box": "มีข้อมูลบางส่วน (user credentials, partial documentation) — สมดุล",
}
def show_types(self):
print("=== Pentest Types ===\n")
for key, pt in self.TYPES.items():
print(f"[{pt['name']}]")
print(f" {pt['description']}")
print(f" Tools: {pt['tools']}")
print()
def show_approaches(self):
print("=== Testing Approaches ===")
for approach, desc in self.APPROACHES.items():
print(f" [{approach}] {desc}")
types = PentestTypes()
types.show_types()
types.show_approaches()Pentest Frameworks & Standards
# frameworks.py — Penetration testing frameworks
import json
class PentestFrameworks:
FRAMEWORKS = {
"owasp": {
"name": "OWASP Testing Guide (OTG)",
"description": "มาตรฐานสำหรับ web application testing — OWASP Top 10",
"phases": "Information Gathering → Configuration Testing → Authentication → Authorization → Session → Input Validation → Error Handling → Cryptography → Business Logic",
},
"ptes": {
"name": "PTES (Penetration Testing Execution Standard)",
"description": "Framework ครบสำหรับ pentest ทุกประเภท",
"phases": "Pre-engagement → Intelligence Gathering → Threat Modeling → Vulnerability Analysis → Exploitation → Post-Exploitation → Reporting",
},
"osstmm": {
"name": "OSSTMM (Open Source Security Testing Methodology Manual)",
"description": "Methodology สำหรับ security testing ครอบคลุม — network, physical, human",
"focus": "Quantitative security metrics — วัดผลเป็นตัวเลข",
},
"nist": {
"name": "NIST SP 800-115",
"description": "Technical Guide to Information Security Testing — US government standard",
"focus": "Planning, execution, reporting — compliance-focused",
},
}
COMPLIANCE = {
"pci_dss": "PCI DSS — บังคับ pentest ทุกปี + หลังทุก significant change สำหรับ payment processing",
"iso_27001": "ISO 27001 — แนะนำ regular penetration testing เป็นส่วนของ ISMS",
"hipaa": "HIPAA — ต้อง security assessment (pentest recommended) สำหรับ healthcare data",
"rbi": "RBI Guidelines (India) — ธนาคารในอินเดียต้อง pentest ทุก 6 เดือน",
"cert_in": "CERT-In (India) — รายงาน security incidents ภายใน 6 ชั่วโมง",
}
def show_frameworks(self):
print("=== Pentest Frameworks ===\n")
for key, fw in self.FRAMEWORKS.items():
print(f"[{fw['name']}]")
print(f" {fw['description']}")
print()
def show_compliance(self):
print("=== Compliance Requirements ===")
for std, desc in self.COMPLIANCE.items():
print(f" [{std}] {desc}")
fw = PentestFrameworks()
fw.show_frameworks()
fw.show_compliance()Python Automated Testing
# automation.py — Python penetration testing automation
import json
class PentestAutomation:
CODE = """
# pentest_scanner.py — Automated penetration testing tools
import subprocess
import json
import socket
import ssl
import requests
from datetime import datetime
from urllib.parse import urlparse
class WebAppScanner:
def __init__(self, target_url):
self.target = target_url
self.findings = []
def check_headers(self):
'''Check security headers'''
try:
resp = requests.get(self.target, timeout=10, verify=False)
headers = resp.headers
security_headers = {
'Strict-Transport-Security': headers.get('Strict-Transport-Security'),
'X-Content-Type-Options': headers.get('X-Content-Type-Options'),
'X-Frame-Options': headers.get('X-Frame-Options'),
'Content-Security-Policy': headers.get('Content-Security-Policy'),
'X-XSS-Protection': headers.get('X-XSS-Protection'),
'Referrer-Policy': headers.get('Referrer-Policy'),
'Permissions-Policy': headers.get('Permissions-Policy'),
}
missing = [h for h, v in security_headers.items() if v is None]
if missing:
self.findings.append({
'type': 'missing_headers',
'severity': 'medium',
'details': f"Missing security headers: {', '.join(missing)}",
})
# Check server info leakage
server = headers.get('Server', '')
x_powered = headers.get('X-Powered-By', '')
if server or x_powered:
self.findings.append({
'type': 'info_disclosure',
'severity': 'low',
'details': f"Server: {server}, X-Powered-By: {x_powered}",
})
return security_headers
except Exception as e:
return {'error': str(e)}
def check_ssl(self):
'''Check SSL/TLS configuration'''
parsed = urlparse(self.target)
hostname = parsed.hostname
port = parsed.port or 443
try:
ctx = ssl.create_default_context()
with ctx.wrap_socket(socket.socket(), server_hostname=hostname) as s:
s.connect((hostname, port))
cert = s.getpeercert()
protocol = s.version()
cipher = s.cipher()
# Check certificate expiry
not_after = datetime.strptime(cert['notAfter'], '%b %d %H:%M:%S %Y %Z')
days_left = (not_after - datetime.utcnow()).days
if days_left < 30:
self.findings.append({
'type': 'ssl_expiring',
'severity': 'high',
'details': f"SSL certificate expires in {days_left} days",
})
# Check protocol version
if protocol in ['TLSv1', 'TLSv1.1']:
self.findings.append({
'type': 'weak_ssl',
'severity': 'high',
'details': f"Weak TLS version: {protocol}",
})
return {
'protocol': protocol,
'cipher': cipher,
'cert_days_left': days_left,
'issuer': dict(x[0] for x in cert.get('issuer', [])),
}
except Exception as e:
return {'error': str(e)}
def check_sqli(self):
'''Basic SQL injection check'''
payloads = ["'", "1' OR '1'='1", "1; DROP TABLE users--", "' UNION SELECT NULL--"]
for payload in payloads:
try:
resp = requests.get(
self.target, params={'id': payload},
timeout=10, verify=False,
)
error_indicators = ['sql', 'mysql', 'syntax', 'oracle', 'postgresql']
body_lower = resp.text.lower()
for indicator in error_indicators:
if indicator in body_lower:
self.findings.append({
'type': 'potential_sqli',
'severity': 'critical',
'details': f"SQL error indicator '{indicator}' found with payload: {payload}",
})
break
except:
pass
def generate_report(self):
'''Generate pentest report'''
critical = [f for f in self.findings if f['severity'] == 'critical']
high = [f for f in self.findings if f['severity'] == 'high']
medium = [f for f in self.findings if f['severity'] == 'medium']
low = [f for f in self.findings if f['severity'] == 'low']
return {
'target': self.target,
'scan_date': datetime.utcnow().isoformat(),
'summary': {
'critical': len(critical),
'high': len(high),
'medium': len(medium),
'low': len(low),
'total': len(self.findings),
},
'findings': self.findings,
}
# scanner = WebAppScanner("https://example.com")
# scanner.check_headers()
# scanner.check_ssl()
# scanner.check_sqli()
# report = scanner.generate_report()
"""
def show_code(self):
print("=== Web App Scanner ===")
print(self.CODE[:600])
auto = PentestAutomation()
auto.show_code()India Market Overview
# market.py — India penetration testing market
import json
class IndiaMarket:
MARKET = {
"size": "India cybersecurity market: $5+ billion USD (2026), growing 15-20%/year",
"demand": "ธนาคาร, fintech, IT services, healthcare, e-commerce — ต้อง pentest ตาม compliance",
"talent": "India มี cybersecurity professionals มากที่สุดในเอเชีย — CEH, OSCP, CREST certified",
"cost_advantage": "ราคาถูกกว่า US/EU 50-70% — $5,000-25,000 per engagement vs $15,000-100,000+",
}
PRICING = {
"web_app_basic": "$2,000-5,000 (5-10 pages, basic OWASP testing)",
"web_app_comprehensive": "$5,000-15,000 (full OWASP, API testing, business logic)",
"network_small": "$3,000-8,000 (< 50 IPs, internal + external)",
"network_large": "$10,000-30,000 (50-500 IPs, comprehensive)",
"mobile_app": "$3,000-10,000 (Android/iOS, API backend)",
"cloud_assessment": "$5,000-20,000 (AWS/Azure/GCP, IAM, config review)",
"red_team": "$15,000-50,000+ (full scope, 2-4 weeks)",
}
CERTIFICATIONS = {
"CEH": "Certified Ethical Hacker — entry-level, widely recognized in India",
"OSCP": "Offensive Security Certified Professional — hands-on, highly respected",
"CREST": "CREST Certified — UK standard, accepted globally",
"CISSP": "Certified Information Systems Security Professional — management-level",
"CPSA": "CREST Practitioner Security Analyst — foundational pentest cert",
}
def show_market(self):
print("=== India Pentest Market ===\n")
for key, val in self.MARKET.items():
print(f" [{key}] {val}")
def show_pricing(self):
print(f"\n=== Typical Pricing (India) ===")
for service, price in self.PRICING.items():
print(f" [{service}] {price}")
def show_certs(self):
print(f"\n=== Key Certifications ===")
for cert, desc in self.CERTIFICATIONS.items():
print(f" [{cert}] {desc}")
market = IndiaMarket()
market.show_market()
market.show_pricing()Choosing a Pentest Provider
# choosing.py — How to choose a pentest provider
import json
class ChoosingProvider:
CRITERIA = {
"certifications": {
"name": "Certifications",
"description": "ดู certifications ของ team: OSCP, CREST, CEH, GPEN",
"importance": "High — certifications ยืนยันความสามารถ",
},
"methodology": {
"name": "Testing Methodology",
"description": "ใช้ framework ไหน: OWASP, PTES, OSSTMM",
"importance": "High — ต้องมี systematic approach ไม่ใช่แค่ run tools",
},
"reporting": {
"name": "Report Quality",
"description": "รายงานต้องมี: executive summary, technical details, remediation, risk rating",
"importance": "High — ค่าจ้าง pentest = ค่าของ report",
},
"experience": {
"name": "Industry Experience",
"description": "เคยทำ pentest ในอุตสาหกรรมเดียวกันไหม (banking, healthcare, e-commerce)",
"importance": "Medium — domain knowledge ช่วยหา business logic flaws",
},
"communication": {
"name": "Communication & Support",
"description": "Communication ระหว่าง engagement, retest support, Q&A",
"importance": "Medium — ต้องสื่อสารได้ดี โดยเฉพาะ findings ที่ critical",
},
}
RED_FLAGS = [
"ใช้แค่ automated tools (Nessus, Acunetix) โดยไม่มี manual testing",
"ไม่มี certifications (OSCP, CREST) ในทีม",
"ราคาถูกผิดปกติ (< $1,000 สำหรับ web app pentest)",
"ไม่มี sample report ให้ดูก่อน",
"ไม่เสนอ retest หลัง remediation",
]
def show_criteria(self):
print("=== Selection Criteria ===\n")
for key, c in self.CRITERIA.items():
print(f"[{c['name']}] ({c['importance']})")
print(f" {c['description']}")
print()
def show_red_flags(self):
print("=== Red Flags ===")
for flag in self.RED_FLAGS:
print(f" ⚠️ {flag}")
choosing = ChoosingProvider()
choosing.show_criteria()
choosing.show_red_flags()FAQ - คำถามที่พบบ่อย
Q: Pentest กับ Vulnerability Assessment ต่างกันอย่างไร?
A: Vulnerability Assessment (VA): scan หา vulnerabilities ด้วย automated tools — รายงานรายการ vulnerabilities Penetration Testing: ทดสอบ exploit vulnerabilities จริง — พิสูจน์ว่า attack ได้จริง VA: breadth (ครอบคลุมกว้าง, automated), Pentest: depth (เจาะลึก, manual + automated) ทั้งสองสำคัญ: VA ทำบ่อย (monthly), Pentest ทำทุกปีหรือหลัง major changes
Q: Pentest ต้องทำบ่อยแค่ไหน?
A: PCI DSS: ทุกปี + หลังทุก significant change RBI (India banking): ทุก 6 เดือน Best practice: ทุกปี (annual pentest) + หลัง major release + หลัง infrastructure change Continuous: bug bounty program ทำงานตลอด — เสริม annual pentest สำหรับ high-risk systems: ทุก 6 เดือน หรือ quarterly
Q: ทำไมเลือก India-based pentest provider?
A: ราคา: ถูกกว่า US/EU 50-70% — คุณภาพเทียบเท่า Talent pool: India มี cybersecurity talent pool ใหญ่ — OSCP, CREST certified Timezone: เหมาะกับ APAC clients, overlap กับ EU morning Experience: บริษัท IT ชั้นนำของ India มี global clients หลายร้อยราย ข้อควรระวัง: ตรวจสอบ certifications, ดู sample reports, เลือกบริษัทที่มี track record
Q: ต้องเตรียมอะไรก่อน pentest?
A: Scope: กำหนดชัดเจนว่าจะ test อะไร (IP ranges, web apps, APIs) Authorization: ได้ written permission จาก management + cloud provider (ถ้าใช้ cloud) Credentials: เตรียม test accounts (ถ้า gray/white box) Communication: กำหนด contact persons, escalation procedures, emergency contacts Timeline: กำหนด testing window + blackout periods (ช่วงห้าม test) Backup: backup systems ก่อน test — เผื่อมีปัญหา
