
Why Does TSE Certification Matter in Penetration Testing?

Penetration testing (pentest) is a technical security discipline that evaluates an organization's digital assets through real-world attack scenarios. However, not all penetration tests are equivalent in terms of legal and corporate validity. The Turkish Standards Institution (TSE) approves cybersecurity firms that meet specific methodology and quality criteria through its accreditation programme. A test report obtained from a TSE-certified firm carries the status of an official standards document, beyond being merely a technical output.

This distinction becomes decisive in situations requiring documented evidence — such as public procurement processes, banking regulatory audits, critical infrastructure projects, and insurance contracts. Auditors and procurement authorities frequently accept only reports obtained from firms holding TSE or equivalent national standard accreditation.

Important Information

TSE accreditation requires independent auditing of the test methodology, scope documentation, personnel qualifications, and reporting format. The completion of this process provides the client with an additional layer of quality assurance.

Test Scope and Methodology

TUGAY's TSE-certified penetration tests are conducted within a methodology that blends international standards — PTES (Penetration Testing Execution Standard) and the OWASP Testing Guide — with TSE accreditation requirements. Although the test scope is customized to the client's infrastructure and application architecture, it covers the following components:

  • External network infrastructure and attack surface analysis
  • Web application security tests (OWASP Top 10, API security)
  • Internal network segmentation and privilege escalation scenarios
  • Authentication and session management vulnerabilities
  • Social engineering and phishing resistance measurement
  • Access control and data exfiltration scenarios

Testing Process

The test process begins with scope and confidentiality agreements signed with the client. Each phase is documented in accordance with TSE accreditation requirements.

  1. Scope Definition: IP ranges, applications, test type (black/grey/white box), and authorization boundaries are established in writing.
  2. Reconnaissance and OSINT: Open-source intelligence is gathered about the target systems; open ports, services, and potential vulnerabilities are mapped.
  3. Active Scanning and Vulnerability Detection: System vulnerabilities are identified using automated tools and manual techniques.
  4. Exploitation Attempts: Discovered vulnerabilities are exploited in a controlled manner to verify real threat potential.
  5. Post-Exploitation Analysis: Lateral movement and privilege escalation scenarios are tested on compromised systems.
  6. Reporting: A TSE-formatted report with technical findings and an executive summary is prepared; findings are classified by criticality level.

Report Deliverables and Documentation

At the conclusion of the TSE-certified test process, two core deliverables are provided: an Executive Summary and a Technical Report. The executive summary is prepared for decision-makers who need to assess risk, while the technical report contains step-by-step remediation guidance for the team.

  • Criticality-classified vulnerability list (CVSS scoring)
  • Reproduction steps and technical evidence for each finding
  • Remediation recommendations and prioritization matrix
  • TSE-approved signed test certificate
  • Retest service option

The TUGAY Difference

TUGAY specialists are senior test engineers holding active TSE accreditation; every test is managed through a quality assurance process accountable to the accreditation authority.

Startup Program

Secure your product before it hits the market.

Security isn't just for large enterprises. Every startup needs a solid foundation from day one. Let us find the vulnerabilities before attackers do. For free.

Application is free. No commitment required.

Assessment scope

  • Initial security assessment by an expert
  • Critical vulnerability and weakness identification
  • Prioritized findings summary report
  • GDPR preliminary compliance assessment
  • Expert feedback within 48 hours

Completely free & non-binding