258 days. That's how long it takes on average for companies to realize that they have long since been compromised. We talked about it - on a go-kart track.
Because anyone talking about points of attack, reaction speed and the right timing will find a more appropriate stage on a racetrack than in any conference room.
After the welcome, we started with a round of introductions: name, role, company. What initially seemed like a formality had a concrete purpose. In a room where the discussion is about attack surfaces, digital vulnerabilities and the protection of company data, it is valuable to know who brings which perspective to the table. The atmosphere was open and informal right from the start.
The technical part was compact, but dense in content. The focus was on the question that we ask almost every customer: How realistic is the threat situation for SMEs - and do they even notice when something happens?
The answer is sobering: on average, it takes 258 days for an attack to be detected. Only one in eight is even noticed internally. At the same time, attackers today have access to critical systems after just a few minutes, sometimes with the help of AI tools.
A concrete example illustrated how directly the topic affects the reality of many companies: an IT service provider in Baden-Württemberg was compromised, with direct consequences for several connected hospitals. It was not the hospitals themselves that were the gateway, but the external partner. Supply chain attacks of this kind are no longer an exception.
One participant put it in a nutshell: "I always thought we were too small to be interesting. But I guess that's not true."
With this in mind, we explained how we approach the topic at TestSolutions. Our pentesting approach follows a structured nine-step methodology: from initial coordination and scoping, through active reconnaissance and vulnerability analysis, to final reporting and optional continuous operation.
In the recon step, we rely on a self-developed AI tool that performs fully automated OSINT reconnaissance: digital footprints, exposed access data, publicly visible infrastructure - prepared in a structured manner, without manual effort. For technical vulnerability analysis, we use Tenable One, one of the leading platforms for continuous vulnerability management, which scans daily and brings new CVEs to the screen within hours.
Our aim is not to deliver the most comprehensive report, but to provide the right answers: What is really critical? What needs to be addressed immediately? And what does it cost to keep security at a reliable level in the long term?
We offer three packages specifically designed for SMEs: from solid basic protection with daily scanning and awareness training to an annual penetration test package and a comprehensive red team approach including compliance support for ISO 27001 and GDPR.
What followed the technical part could hardly be described as a classic Q&A. The discussions developed organically: participants described their own experiences, reported on specific incidents from their environment and asked where they themselves needed to take action. It was precisely this open format that had its own value.
The afternoon then belonged to the go-kart track. It started with a safety briefing from the track team - much more entertaining on a kart track than in a seminar room. During the warm-up phase, everyone had the opportunity to get to know the track at their own pace and try out the first cornering lines. What sounds like a leisurely warm-up was actually the first unofficial showdown for some of the participants.
Then it got serious: qualifying was driven in two groups of ten minutes each, and the times were recorded. The best lap times determined the starting grid for the subsequent race, also in two groups, each with twenty minutes on the clock.
On the track, neither job title nor company size counted; what counted was reaction speed, holding the line and the right moment to overtake. The parallels with the afternoon's theme were obvious: if you brake too late, you pay for it immediately. In the field of cyber security, the price of waiting is usually much higher - and much less visible.
After the award ceremony, the afternoon ended with a barbecue buffet. The conversations that ensued had little to do with formal follow-up. It was the natural conclusion to an afternoon that was designed from the outset for genuine exchange.
Cyber security doesn't have to be dry or abstract. An unusual setting can help to ensure that the topic really hits home, and the questions that were asked at the end of the go-kart track were at least as valuable as those asked during the presentation.
Enrico Ausborn sums it up: "The combination of technical safety analysis and the dynamics on the race track made the professional exchange noticeably more direct. The informal format showed how to translate theoretical risks into tangible needs for action."
Do you have any questions about our cyber security services or would you like to attend the next event?
Contact us now.