Testing is a way to identify **actual** areas for improvements, by identifying factual issues, whose
will help organisations to increase their competence in cybersecurity.
The objective of C3 is to cover for market's gaps and bootstrap an activity where it's currently
One of the key issues is that testing is perceived as non easily affordable by a significant number of
The purpose of testing is therefore to allow organisations to easily access a set of basic tools that will
them to become aware of their true areas of possible improvement in cybersecurity, based on facts.
It's aimed as much at systems as at users.
C3 intends to make it evolve through time and offer more tests to broaden the coverage of the platform and
C3's Testing Platform
The testing site is a gateway to the tools and services that will help organisations, and
specifically small ones, to perform tests on their email and web-exposed infrastructure. The core tool is
the Testing Platform, and more tools will be added through time to increase the coverage of available
How does this work?
A set of tools and standardized procedures, some of them automated, some not, is available to help
identify common weaknesses of their systems.
There are three domains at present :
Monitoring of the most common and exposed systems:
The first focus is on websites and email systems, as they are among the most used and targeted infrastructure. They
are very often instrumental in incidents, either by enabling an attacker to gain a bridgehead in a system, or by
being cause of unavailability of a service once they break.
C3 Testing Platform offers several tools to initiate a more active monitoring of such services (cf. description on
the platform itself). It's available to organisations based in Luxembourg, with a more specific focus on SMB's and
Some services are free. Somme are pay as you go, and others will require subscribing to a monthly fee.
Tests of specialised products or services
Some specific categories of IT devices are more and more widespread. But being heavily automated by design, and
having an intended usage that requires a minimal interaction with their users, if any, they tend to be
when systems are being secured, and certainly not managed as information systems.
The most prevalent category is commonly known as "IoT's" (Internet of Things).
These are devices such as temperature sensors, webcams, smartlocks, printers, or even fridges. They are most of
time embedding some aspect of Internet technology, often for maintenance and configuration purposes.
In order to enable organisations to be aware of what type of vulnerability or exposure they are adding to their
systems when deploying such devices, it is possible through the Testing Platform to test the firmware of the
common IoT's. A first partnership was established with one of the leading European companies for IoT assessments
Organisations from Luxembourg can register for a test of a given IoT firmware through the Testing Platform and
comprehensive report from our partner.
One of the key use cases of such testing is to strengthen the procurement process of IT devices and systems by
able to independently assess a so-called "smart device" prior to its acquisition and deployment.
C3 Testing Protocols
The last dimension of testing operations at C3 is more experimental. Its goal is to bridge the gap between
full-fledged PenTests and the present usage with amounts often to nothing. A significant number of SMB's are
concerned with the cost of a comprehensive Pen-Test. If the financial cost is obvious to understand, there is
the cost in attention time required from key employees. These resources would have to be involved in negotiating
the scope and conditions of a PenTest, and then monitoring its implementation, before having to deal with the
analysis of the results and the subsequent remediation.
C3 worked with some local Pen-Testing companies in the Country, in order to develop a set of standardized
tests that would have a preset price and duration. The aim is to have a price cap under 1000 € and a duration of
roughly one to two days. These tests would not qualify as full-fledged Penetration Tests, but would allow
organizations to initiate a first set of tests, without immobilizing excessive resources.
The second purpose is to permit local security providers to enter this market, and broaden the available offer
Luxembourg, making the ecosystem more mature and sustainable.