Author: Patrick Sauer

The binsec GmbH relies on PTDoc® for its penetration tests – a specialized tool for structured penetration testing and professional report generation. PTDoc was developed by binsec systems GmbH.

The idea for PTDoc emerged during the growth of the binsec team: How can quality remain consistently high when individual penetration testers have different personal focus areas? And how can we ensure that the outcome of a test is always identical – regardless of which senior penetration tester carries it out?

Before PTDoc, binsec faced the typical challenge: Should reports be written in Word or created with LaTeX? Initially, the decision was made for LaTeX, which produced technically clean but rather “typical” LaTeX documents in terms of design. With PTDoc, this changed fundamentally – today, it delivers professionally designed reports that are still powered by extensive LaTeX code in the background but managed through a user-friendly interface.

The core idea of the tool is to provide a uniform and standardized methodology for different targets – such as Active Directory, mobile applications (e.g., Android apps), or networks. The binsec team continuously maintains and extends this methodology, integrating well-established standards such as the OWASP Testing Guide, MASVS, and OSSTMM. This ensures consistently high quality and the exact repeatability of penetration tests.

In recent years, it has become clear that this structured approach regularly reveals vulnerabilities that were missed in previous tests. One client even stated that they no longer consider earlier assessments from other providers to have been “real” penetration tests.

PTDoc covers all three phases of pentest documentation:

• Execution of the test – systematically working through the defined methodology.
• Creation of findings – including management-level descriptions, detailed technical analysis, risk ratings (qualitatively via traffic-light system or quantitatively via CVSS), and management of screenshots and evidence.
• Report generation – automated creation of a consistent, audit-proof report.

Retesting is also integrated: Once a tester verifies that a client has fixed a vulnerability, they simply document the proof of fix in the finding. When rebuilding the report, the issue is automatically marked as remediated, and the management summary is updated accordingly.

In addition, PTDoc supports the creation of both German and English reports, making it easy to provide clients with deliverables in either language – or even in both.

Conclusion: With PTDoc, penetration testers can fully focus on their actual work – conducting the test. At the same time, report creation becomes quick and efficient, ensuring that clients receive their results shortly after the test is completed.

On 11th of February 2025 binsec GmbH received an “Invitation to Tender With Emirates Group” from vendor.registration@theemirategroup.com:

Dear Valued Vendor,
Greetings from Emirates Group,
We invite you to register as a vendor with Emirates Group. A leading aviation company in UAE. Our goal is to build a diverse and qualified vendor base to support our business needs. This will open up opportunities to provide goods and services to our projects and developments.
Our projects are open for all companies. And this is a special consideration towards your participation for the ongoing registration
To register, Kindly confirm your interest by requesting for Vendor Questionnaire and EOI.
We look forward to potentially working with you!
Best Regards
Mr. Sameh Bakier
Vendor Coordinator Group Procurement & Contract
Shared Services Center of The Emirates Group

After answering to that e-mail, claiming to be interested, one receive an e-mail with three pdf documents including the Emirates Vendor Assessment Policy for example. Truth told, that documents look good and authentic. The mail also includes a “Vendor Regisgtration Acceptance Form”:

So they request a payment of AED 57.850 (equivalent to 15.000€) to start the vendor process. The domain sending the e-mails is theemirategroup.com, the original domain of The Emirates Group is theemiratesgroup.com. Take a look at the missing “s” in the domain…

WebCompScan from binsec.tools enables you to identify the technologies used on websites and check whether they are outdated or vulnerable.

The technologies that the WebCompScan tool can detect include CMS systems, web servers, programming languages, JavaScript libraries, and also payment methods offered.

To detect the technologies, it uses open source databases with regex patterns. The website to be checked is automatically opend up in a browser and the patterns are used to check whether the various components of the website contain indications of known technologies. In addition to HTTP headers and the HTML source code of the website, the Document Object Model (DOM) and the JavaScript variables are also analyzed.

In some cases, version information on the software components used can also be obtained in this way. In the next step, these are checked against an open source database for known vulnerabilities. It is also checked whether the software components are still supported by the manufacturer or are already end of life.

In principle, all of this information is public, but binsec.tools combines it into one free pentest tool.

The binsec group launches binsec.tools:

https//binsec.tools | Online Tools for Penetration Testing

• SSLCheck: The SSLCheck module will show the available SSL/TLS protocols, ciphers and additional certificate information. The scan will run multiple SSL/TLS connections to the target domain.
• WebCompScan: WebCompScan will browse to the given URL and will try to find used technologies by different methods on the available information like DOM, headers and many more. This scan is not invasive as it will only browse the website once like any other browser. 
• DNSCheck: The DNSCheck will perform security and validation checks on the given DNS domain. This check is not invasive and will perform standard DNS lookups.