“As a SaaS solution for risk management, you need to set a good example”
- Case Study

Perium is a leading online platform for information security and privacy risk management. It’s a company that knows very well that confidential information must remain well protected. The solution that Perium offers to customers is so versatile that, in addition to information security and privacy, it can also be applied to strategic and operational risk management. As a SaaS product, Perium can greatly reduce costs for the end user (such as consultancy hours).
Perium target customers are companies that are intrinsically exposed to risks surrounding privacy and information security. To ensure the security of their own platform, Perium enlisted the services of Hacksclusive.
Strong need for framed pentests
Perium approached Hacksclusive with a view to targeted and limited pentests. The basis of the platform already existed, and during development several questions arose about the security of a number of elements. "Because my partner, and co-founder of Perium, Jasper de Vries already has the necessary experience with pentesting, we were able to indicate where our needs lay. Hacksclusive was therefore able to test very purposefully," says Arjan.
It's easy to imagine that pentests are urgently needed in an organization that identifies security risks. Especially when it comes to a product in a cloud environment. Qualitative pentests in which thorough testing is carried out and findings are quickly translated into solutions is therefore very important.
Perium eventually came to Hacksclusive as a pentest partner. Arjan and Jasper had two reasons for this:
-
Hacksclusive has a good track record. Martijn Baalman is an internationally renowned pentester with a strong reputation.
-
Communication for Perium was particularly important. It was possible for Hacksclusive to communicate instantly with Perium and their soft devs. No fluffy reports - just straight to the point with interim findings.

Online environment instead of fuzzy PDFs
What particularly appeals to Perium about Hacksclusive's approach is the use of an online environment. The dashboard explains precisely what has been tested and what the findings are. A chat function enables immediate communication between the client and the ethical hacker who performs the pentests. This contrasts with many companies where you only receive a full report after a number of weeks have already passed.
The added value of Hacksclusive for Perium was primarily a result of the speed of the process. "I don't want to wait two weeks for a report if a critical error has been found - I want to know immediately, so that we can act on it quickly."
“The biggest compliment I can give to Hacksclusive is that I can't think of anything they could do better'.
Arjan Kremer, Founder Perium
.png?width=300&height=300&name=Ontwerp%20zonder%20titel%20(12).png)
No red flags
“There were certainly some surprising results from the pentests, otherwise we would have been able to find and fix it ourselves in advance,” says Arjan. “It is especially important that at the start of the pentest process we discussed what requirements our platform must meet, a list of security specifications based on the OAS (openAPI Specification) and OWASP (Open Web Application Security Project). If a finding is non-critical, then it is not an immediate priority. Fortunately, there were few red flags from the test, a nice confirmation that we are on the right track.”
"Pentesting has yielded many benefits for Perium. We can now present ourselves as being even more secure. We have a platform that makes the world a bit safer, so you must set a good example yourself. We do that with our ISO27001 certification and now also with pentesting".
Not 'done' after first results
Arjan is aware that pentesting is an ongoing process. "You're not done after you've received the results. We act on any findings that have been found and these must be retested by Hacksclusive. In addition, we must continue to test and validate, and continue doing this with every software update". If it's up to Arjan, there will be a role for Hacksclusive in this ongoing pentest proces.
Related stories
-
blog posts
Understanding the nuances: comparing vulnerability scanning and pentesting
When talking with our customers, we often notice that some terms are used interchangeably. Often borrowed from English or used incorrectly over time, the distinction between a vulnerability scan and a pentest becomes blurry. In this article, we aim to provide clarity on these two important aspects of improving cyber security. Because there is a significant difference between the two. And not knowing the difference could have an impact on your cybersecurity policy.Read more -
blog posts
Comply or explain: European and Dutch regulations regarding information security
In the last couple of years, the importance of information security is recognized by businesses worldwide. Both the European Union and the Dutch state have introduced strict regulations to ensure the protection of personal data and sensitive, business critical, information. These measures can also mitigate the risk of cyber threats to your organization.
In this article, we discuss the importance of information security, basic measures you have to implement and the most important European and Dutch security laws and regulations, such as NIS2, Wbp, Wbni, NEN7510 and BIO. Moreover, we discuss how you can effectively comply with them -
blog posts
How pentesting in the cloud brings you closer to a 100% safe cyber security cloud environment
You might be familiar with this situation: you have a tip for your colleagues, but you struggle to explain it clearly. So, you quickly record a video to illustrate your point, right? At Dichterbij, they also value learning from each other, but these videos were usually shared via WhatsApp. Not entirely privacy-friendly and highly susceptible to data breaches. While WhatsApp provides end-to-end encryption, organizations have limited control over what happens to the information on their employees' mobile devices. Fortunately, Dichterbij found a solution in the form of an external tool that shares videos in a centralized cloud. However, CISO of Dichterbij, Patrick Thijssen, saw a risk in this approach: "By centralizing your information in a cloud, you become a 'honeypot' for cybercriminals." Hacksclusive was tasked to test any vulnerabilities in the system.