FAQ - Forus-P Cyber Security

Thuiswinkel Scans

Will the website remain operational during the scan?

Yes it can. The scanner will cause higher traffic than normal, but this is only noticeable if you are using a low capacity (shared) server.

Will the scanner place orders?

The scanner could place orders, but not if we need to pay for them directly. Afterpay orders can be placed automatically for example, but orders that need to be paid for outside the domain or need manual actions (such as Ideal or Paypal) will not be completed. You can recognise the scanner’s orders (usually large and strange orders) by the account veiligheidsscan using the email address “veiligheidsscan@forus-p.nl”.

Will the scanner collect, store or ask for personal details?

No it does not but further information can be found on our privacy policy.

Why is my website shown as unsafe with Magento V1?

Magento 1 has reached end-of-life and is no longer officially supported. Because of this, security scanners automatically identify Magento 1 websites as a high-risk finding based on the platform version itself.

This also applies to websites running OpenMage or Mage-One. Although these solutions provide ongoing support and security updates, they are still based on the Magento 1 platform and will therefore be flagged by automated scans.

For Thuiswinkel certification, Magento 1, OpenMage and Mage-One websites require an alternative assessment instead of the standard automated scan. Please contact Thuiswinkel directly for the specific requirements and conditions that apply to your website.

Why do I have to whitelist you? My site is safe because my protection measures blocked you!

To perform a comprehensive security assessment, we ask that you whitelist our scanner. Security tools such as firewalls, bot protection, and web application firewalls (WAFs) often identify vulnerability scanners as automated traffic and may block or restrict our requests.

A blocked scan does not necessarily mean your website is secure. It only indicates that automated scanning activity has been prevented. In many cases, vulnerabilities can still be discovered and exploited by an attacker using manual techniques, even when protective measures such as firewalls are in place.

While security controls are an important layer of defence, they should not be relied upon as the sole protection for your website. It is essential that the application itself is secure and free from exploitable vulnerabilities. Our scanner is designed to assess the security of the application and identify weaknesses that could potentially be abused by an attacker.

Our scanner needs to be able to log in automatically. This will allow us to scan everything behind the login. It is important, especially since this is usually where personal data is stored. Any Captchas on forms can remain in place, just not the Captcha used for the login. You can either disable this specific reCaptcha for the duration of the scan (max. 25 hours) or you can whitelist the IP addresses of our scanner for that specific Captcha (144.24.249.196 and 132.226.222.205 and 154.16.73.227).

Why did I receive so many emails (or orders) and what can I do to prevent this?

During the scan our scanner will try to fill out all forms (including order forms). This test can cause an extreme amount of email traffic. This means your website allows this without limitation. And if we can cause this much traffic, so can someone else!

To prevent these so called “mail bombs” you can take the following precautions before the scan takes place:

Any emails/orders from the email address “veiligheidsscan@forus-p.nl” can be deleted or blocked on your mail server, for instance by blacklisting this email address.
We recommend placing additional security on all available forms. Google reCaptcha is the most commonly used solution for this.

Why are vulnerabilities found in this scan and not in the previous one?

If the previous scan was a while ago, it could happen that a new scan reports new issues. This may be because changes have been made in the meantime, for example by updating a plugin. Hackers are also continuously developing new ways to attack websites. These new vulnerabilities are regularly added to our scanner.

Which user-agents does the scanner use?

Our user agent can be recognised by the word “ForusP”.

Which IP-addresses does the scanner use?

The scanner uses one of the following IP addresses:

144.24.249.196

132.226.222.205

154.16.73.227

What is the estimated Peak Traffic value (in RPS) during the scan?

Our scanner sends a maximum of 4 requests at a time with 400 milliseconds artificial sleep time before issuing the next request. If you are using a low capacity shared server we can decrease the scan intensity.

My report is unsafe, what do I have to solve?

Only issues marked as high-risk (in red) need to be fixed for the certification. We advise fixing medium and low risk issues as well, but it is not necesary for the certification.

Is a rescan necessary after solving vulnerabilities or can we check it ourselves?

Yes the website must be scanned again. New vulnerabilities may have emerged in the meantime. If we do not run the scan again, we will never be able to give a safe result.

I received a blacklisting mail, what do i do?

If we sent you a blacklisting mail, it means you are somehow blocking the scan. Ask your developer to check for any security software in the application itself and check with the hosting company if they have fully whitelisted us. Usually, it’s enough to forward our email.

How long will the scan take?

The scan can run up to 25 hours, depending on the size and complexity of your website.

How do I prepare for a scan?

To make sure the scan will run without issues, the following needs to have been arranged:

To prevent our scanner from getting blocked during the scan, our IP-addresses need to be whitelisted: 144.24.249.196 and 132.226.222.205 and 154.16.73.227. Additionally, our user agent can be recognised by the word “ForusP” if you want to whitelist for this combination only.
If you have pages behind a login that is protected by a Captcha, you will need to disable this Captcha during the scan (max. 25 hours) or you can whitelist the IP-addresses for our scanner. Any other Captchas do not need to be disabled. It is extremely important for us to be able to scan behind the login, especially when personal data is stored.
Lots of emails and/or orders from our email account veiligheidsscan@forus-p.nl means your website will allow this without restriction. And if we can cause this, anyone else can as well! A Captcha on all forms and/or a redirect/blacklisting on your mail server can help prevent this.

We will perform the security scan on the entire website. The login is important as vulnerabilities are often found behind the login and can be abused by hackers. It is mandatory to scan for the Thuiswinkel Certification.

Can you exclude a subdomain?

We will perform the security scan on the entire website. It is important to include subdomains, especially if there is a direct link from the main website. Vulnerabilities can be found just as easily on subdomains. Customers visiting your website expect the whole site to be safe and cannot distinguish between different platforms within the same domain.

Can the scan only run at night or between specific hours?

The short answer is: no

The scan needs up to 25 hours to complete. We will not stop the scan before it is done, so the scan can run the full 25 hours. Sometimes an additional scan is even needed to complete the results. Some scans complete a lot quicker; we have no control over the amount of needed to scan your website.

Can the scan be performed on a test environment?

For Thuiswinkel members we will only scan live environments. If this is not possible, please contact Thuiswinkel.

Can I use the Forus-P Secure Badge on my website?

Websites we only scan for the Thuiswinkel certification are not eligible for our Secure Badge. Our secure logo can inspire more trust among your (potential) customers and achieve a higher conversion rate. We feel 1 basic scan per year is not enough to be secure. Feel free to contact us for more extensive and more frequents scan.

Detailed information can be found on here.

Web Application Scans

Will the scanner collect, store or ask for personal details?

No it does not but further information can be found on our privacy policy.

Will a web application scan affect my website?

Web application scans are generally safe and non-intrusive. However, in some cases they may generate high traffic or interact with vulnerable functionality, which is why we carefully control scan settings.

Which tools do you use for web application scans?

We use industry-standard tools such as Qualys and Burp Suite to perform detailed security scans of web applications and APIs.

Which IP-addresses does the scanner use?

The scanner uses one of the following IP addresses:

144.24.249.196

132.226.222.205

154.16.73.227

What is a web application scan?

A web application scan is an automated security assessment that checks your website or application for known vulnerabilities, misconfigurations, and security weaknesses using tools such as Qualys or Burp Suite.

How is a web application scan different from a penetration test?

A web application scan is mainly automated, altough we prepare the scan manually and check to make sure the results are complete after finishing. It focuses on identifying known issues. A penetration test includes manual testing, validation, and deeper analysis of how vulnerabilities can be exploited in real-world scenarios.

Developer Scans

Why should developers use security scanning in their workflow?

Integrating security scanning into development helps detect issues early, reduces risk before deployment, and increases client trust by showing that security is an active part of the development process.

What are Developer Scans?

Developer Scans are structured web application security scans designed for development teams and agencies to integrate security into their workflow. They help identify vulnerabilities early and demonstrate that security is part of the development process.

How do Developer Scan bundles work?

We offer scan bundles that can be used across multiple projects, including packages of 10, 30, 60, or 90 scans, as well as unlimited options. These can be used flexibly depending on your development and release cycle. All bundles expire after 1 year.

Do Developer Scans run on live or test environments?

Developer Scans are executed on staging or test environments only when you purchase a bundle. Live scanning is possible for a license to scan all (or certain) clients, depending on the setup and requirements of the project.

Can you scan all client websites for a development agency?

Yes. We can set up recurring scans for all client websites of a development agency, one or multiple times per year, depending on your needs.

Penetration testing

Will a penetration test disrupt my website or application?

Penetration testing is designed to be carefully controlled, but it can potentially cause disruption if serious security issues exist within the application. In some cases, vulnerable functionality or unstable systems may behave unexpectedly when tested.

For this reason, we prefer to carry out testing in a staging or pre-production environment wherever possible. This allows vulnerabilities to be safely identified and validated without impacting live users or production systems. If testing must be performed on a live environment, it is carefully scoped and conducted in a controlled manner to minimise risk.

What will I receive after the test?

You will receive a detailed report outlining identified vulnerabilities, their severity, technical details, evidence, potential impact, and practical remediation recommendations.

What types of pentesting can you offer?

We can perform a Vulnerability Pentest (according to PTES), Infrastructure Pentest (internal and external), WIFI and LAN access test, API test, App endpoint test, Phishing test, and Code review/App analysis. Together we determine your goals up front to maximise the information you gain from our tests.

We can perform a vulnerability pentest as a greybox (most common), blackbox or whitebox test.

For more information and pricing click here.

What is The Penetration Testing Execution Standard (PTES)?

The Penetration Testing Execution Standard (PTES) is a comprehensive framework of guidelines, procedures and techniques for conducting and managing penetration testing activities. This standard methodology was created to address the need for a consistent and structured approach to penetration testing, with the goal of producing consistent and reliable results.

The PTES standard consists of seven phases, including planning and scoping, information gathering, threat modelling, vulnerability identification, exploitation, post-exploitation, and reporting, all explained below.

Planning – The preparation phase for the pentest.
Information gathering – In this phase information about the target system is gathered.
Threat modelling – This is a procedure for optimising application, system or business process security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent or mitigate the effects of threats to the system.
Vulnerability analysis – This phase discovers and validates vulnerabilities.
Exploitation – In this phase they try to exploit the previously identified and validated vulnerabilities.
Post-exploitation – This phase maintains control over the target system and collects data.
Reporting – A detailed analysis of an organisation’s technical security risks that covers many facets of an organisation’s security posture, such as vulnerabilities, high-low priority concerns, and suggested remediations.

What is a penetration test?

For our penetration test (also called a pentest) we perform advanced automated Web Application and Network scans, as well as thorough manual checks. It simulates a cyber-attack to prove where a hacker might be able to exploit systems. Our ethical hackers use advanced automated and thorough manual tests as malicious hackers do to find dangerous vulnerabilities in web applications.

How is a penetration test different from a vulnerability scan?

A vulnerability scan is largely automated and identifies potential security issues. A penetration test goes further and includes manual verification, validation of findings, controlled exploitation where appropriate, and assessment of the actual risk to your organisation.

These tests are performed by an ethical hacker, who uses the same techniques as a malicious attacker but in a safe and controlled manner to identify weaknesses before they can be exploited in the real world. Unlike automated tools, an ethical hacker applies human logic, context, and experience to understand how vulnerabilities can be combined or abused in realistic attack scenarios.

Security Review

Why do I need a Security Review?

Many security issues are not caused by software vulnerabilities alone, but by gaps in processes, configuration, lack of staff awareness, or maintenance. A Security Review helps identify these weaknesses and provides a clear overview of what is working well and what needs improvement.

Who performs the Security Review?

The review is conducted by a cybersecurity expert who assesses your organisation’s security posture from both a technical and operational perspective. The focus is on identifying gaps, inconsistencies, and areas for improvement in your current security setup and processes.

What will I receive after a Security Review?

You will receive a clear report outlining strengths in your current setup, identified gaps or risks, and practical recommendations to improve your overall security posture. The goal is to give you actionable insights rather than technical exploit details.

What is a Security Review?

A Security Review is a structured assessment of your organisation’s security practices, processes, and technical controls. It focuses on how security is managed in practice, including procedures, system setup, update management, and how risks are monitored and addressed.

What does a Security Review include?

A Security Review evaluates how your organisation handles security in day-to-day operations. This includes system and hardware setup, patch and update management, policies, access control procedures, backup processes, monitoring, and whether regular security testing such as penetration tests or vulnerability scans are being performed.

Does a Security Review involve attacking my systems?

No. A Security Review does not involve exploitation or attack techniques. It is a non-intrusive assessment focused on understanding your security posture, processes, and controls rather than testing for exploitable vulnerabilities.

Am I eligible for a funded Security Review?

Eligible Irish companies that are Enterprise Ireland clients may qualify for the Enterprise Ireland Cyber Security Review, delivered in collaboration with the National Cyber Security Centre. This programme provides a co-funded security review to help companies assess and improve their cybersecurity posture.

Full eligibility criteria and application details are available here: https://www.enterprise-ireland.com/cybersecurityreview

Awareness Training

Why is Security Awareness Training important?

Most security incidents involve human error, such as clicking phishing links or using weak passwords. Training helps employees recognise threats and make safer decisions in daily work.

Who should follow Security Awareness Training?

Security Awareness Training is recommended for all employees, regardless of technical knowledge. Everyone who uses email, systems, or company data plays a role in cybersecurity.

What is Security Awareness Training?

Security Awareness Training helps employees recognise and respond to cybersecurity threats such as phishing, social engineering, and unsafe behaviour. The goal is to reduce human risk, which is one of the most common causes of security incidents.

Do you offer online awareness training?

Yes. In addition to on-site training, we also offer an online platform that allows employees to complete security awareness training at their own pace.

Do you offer on-site training?

Yes. We provide on-site security awareness training sessions tailored to your organisation. These sessions are interactive and focused on real-world examples relevant to your team.

I've been hacked

I think I’ve been hacked. What should I do first?

If you suspect a security incident, the first step is to stabilise your environment. This typically includes securing access credentials, checking for unauthorised changes, and ensuring critical systems are not actively being compromised. We can then help assess the situation and determine the next steps.

Do you recover lost data or remove malware?

We do not provide data recovery or malware removal services. Our focus is on security assessment, identifying vulnerabilities, and guiding you on how to secure the system properly moving forward.

Can you investigate exactly what happened?

Investigating what caused a hack is a specialised branch in cybersecurity. We highly recommend contacting a cyber forensics company if you want to investigate.
We can help you find how a hacker got in by doing a penetration test. If you want to know who attacked you, exactly when and so on, that’s forensics.

Can you fix everything after a hack?

Unfortunately, we cannot help you fix damage caused by a hack with the exception of WordPress websites.

However, we can help assess the current security state, and verify whether vulnerabilities are still present. We can help make sure you’ve checked everything and test if everything is safe after you’ve fixed the issue that caused the hack. Full remediation may also require changes within your application, hosting environment, or third-party systems.

Can you check if my website or application is safe now?

Yes. We can perform a targeted security assessment to determine whether known vulnerabilities or attack vectors are still present. This helps confirm whether the system is in a stable and secure state after an incident.