NOT JUST REPORTS. CONCRETE SOLUTIONS.
VAPT THAT TESTS YOUR DEFENSES FOR REAL.

Do You Really Know How Secure Your Company Is?

Laws, regulations, certifications, and insurance: do they truly protect your business, or just drain resources with nothing measurable to show?
VAPT (Vulnerability Assessment & Penetration Testing) is the most effective way to find out!

We are trusted ethical hackers, ready to collaborate with top management and decision-makers. We identify security gaps in your IT infrastructure, assess your employees’ awareness, and test your company’s defenses. All in a safe, controlled, and risk-free manner, thanks to our professionalism and proven offensive capabilities, always guided by ethical values and maximum responsibility towards our clients.

Frequently Asked Questions About VAPT

When is the right time for a VAPT?

Annually, to monitor IT security. When implementing major technological changes or infrastructure updates. To comply with regulatory and compliance deadlines, addressing any gaps not covered in previous audits. After a security incident or suspected cyber attack.

Why is our VAPT different?

We don't need any inside information. A signed contract, an NDA, and a defined scope are enough. Then, we act like real attackers, conducting reconnaissance and real attack campaigns to identify vulnerabilities exactly as a malicious actor would.

Why is it essential for national or multinational companies listed on the stock market or supported by investment funds?

Reducing reputational risk and protecting stock value. A cyber attack can directly impact investor confidence, cause stock value drops, and damage corporate reputation. VAPT helps prevent targeted attacks, ensuring operational continuity and brand protection before vulnerabilities are exploited.

Our Expertise

Advanced technical skills in cybersecurity

Trusted by companies operating in:

Industrial Systems, Digital Identity, Cloud Platforms, Enterprise SaaS, Healthcare & Wellness, E-mail Infrastructure, Manufacturing, Multi-tenant Platforms

Methodology

Reconnaissance, Attack Surface Analysis, Vulnerability Assessment, Manual Exploitation, API Security Testing, Multi-tenant Isolation Validation, Red Teaming, Social Engineering, Mail Infrastructure Analysis, Authentication Flow Testing, Remediation Validation

Tested Technologies & Environments

Microsoft 365, Proofpoint, Exchange, Postfix, Keycloak, REST APIs, Multi-tenant Architectures, SPF/DKIM/DMARC, Cloud Infrastructure, DNS & Mail Routing, Identity Systems, Authentication Platforms, SaaS Environments, Web Applications, Mobile & Backend APIs

Remediation Effectiveness

We do not stop at vulnerability identification.

Our assessments include practical remediation guidance, exploit validation, configuration hardening, attack chain analysis and post-remediation verification focused on reducing real-world attack surface and improving operational resilience.

Research & Innovation

DeepSec Vienna 2025

∞ Day at Scale: Hijacking Registrars, Defeating 2FA and Spoofing 17,000+ Domains Even with DMARC
Alessandro Bertoldi (Bertoldi Cybersecurity)
Co-author: Enrico Bertoldi (Bertoldi Cybersecurity)

What happens when a registrar is the weakest link in your security chain? This talk reveals how systemic failures in credential recovery, 2FA bypass, and email spoofing allow persistent exploitation even when domains have SPF, DKIM, and DMARC p=reject properly configured.

Based on real-world research conducted between 2018 and 2025, we present ∞-day (forever-day) vulnerabilities affecting over 17,000 domains, including cross-tenant spoofing in N-Able Mail Assure and flaws in Register.it's identity recovery procedures. We’ll demonstrate full control over customer panels with zero credentials, using only PDF forms and social engineering.

We'll also propose a concrete solution: a Reliability Scoring System for registrars and a “Green Check” trust mark for end users, integrated with RDAP and aligned with the NIS2 directive. This talk challenges assumptions about authentication, identity, and trust in Internet infrastructure, and offers both attack and defense insights.