Capability.01

Testing & Assessment

Find the paths in before attackers do. Every finding is reproduced by hand, prioritized by real business impact, and written so both your board and your engineers can act on it.

01 What's included

Offensive engagements, engineered for real outcomes.

We scope every engagement to your environment. No cookie-cutter packages. Below are the individual services we pull from.

01

External Penetration Testing

We model a realistic external attacker targeting your internet-exposed systems. DNS, mail, web apps, remote access, and anything else advertised publicly.

  • OSINT & external reconnaissance
  • Service enumeration & fingerprinting
  • Authenticated & unauthenticated vulnerability validation
  • Credential attacks (password spraying, leaked creds)
  • Post-exploitation within scope
Typical duration: 2–3 weeks
Deliverables: Exec summary + technical report + retest
02

Internal Penetration Testing

We simulate an attacker who's already through the front door to map lateral movement and privilege escalation paths.

  • Active Directory enumeration & abuse
  • Kerberos-based attacks (Kerberoasting, AS-REP roasting)
  • Network protocol poisoning (LLMNR, NBT-NS)
  • Lateral movement & domain dominance paths
  • Data exfiltration simulation
Typical duration: 2–4 weeks
Deliverables: Attack path narrative + remediation priorities
03

Web Application Testing

OWASP-aligned testing of your web apps and APIs. We go beyond the scanner. Authentication logic, authorization boundaries, business logic flaws, and chained exploits are where the real risk lives.

  • OWASP Top 10 & ASVS-aligned coverage
  • Authentication & session management
  • Authorization & access control (IDOR, privilege escalation)
  • Business logic testing
  • REST/GraphQL API assessment
Typical duration: 1–3 weeks
Deliverables: Per-finding reproduction steps + remediation guidance
04

PCI DSS Scanning & Pen Testing

Scoped specifically for PCI DSS v4.0 requirements 11.3 and 11.4, both the quarterly external vulnerability scans and the annual internal and external penetration tests of your CDE.

  • Internal & external PCI penetration testing
  • Segmentation controls testing
  • Quarterly internal vulnerability scans
  • Evidence packaging for your QSA
  • Retest after remediation (included)
Typical duration: 2–3 weeks
Deliverables: QSA-ready report + attestation narrative
05

Cloud Security Review

Configuration review of your AWS, Azure, or GCP environment against CIS benchmarks and provider best practices.

  • IAM & identity posture (over-permissioned roles, stale keys)
  • Network & storage exposure review
  • Logging, monitoring, & detection gaps
  • Secrets management review
  • Attack-path chaining across findings
Typical duration: 1–2 weeks
Deliverables: Prioritized remediation roadmap
06

Vulnerability Assessments

Broader-scope, lower-cost alternative to penetration testing when you need a baseline across many systems. Every finding is still manually validated. No raw scanner output in your inbox.

  • Authenticated & unauthenticated scanning
  • Manual validation of critical and high findings
  • False-positive removal
  • Risk-based prioritization
  • Trending across quarterly engagements
Typical duration: 1 week
Deliverables: Validated findings report
02 Our methodology

Frameworks aligned. Engagements tailored.

We borrow the structure from industry frameworks and the judgment from 20+ years of combined field experience.

OWASP: Top 10, ASVS, WSTG for every web app test.
NIST SP 800-115: Our technical testing backbone.
PTES: Pre-engagement through reporting.
MITRE ATT&CK: Findings mapped to adversary tactics.
CIS Benchmarks: Cloud & system hardening review.
PCI DSS v4.0: Scoped testing for CDE compliance.
03 Frequently asked

Questions we get before every engagement.

How is a penetration test different from a vulnerability scan?

A vulnerability scan runs automated tools against your systems and produces a list of potential issues, many of which are false positives or low-impact. A penetration test uses those scans as a starting point, then a human practitioner manually exploits findings, chains them together, and demonstrates real business impact. We offer both, and we're clear about which one you actually need.

Will testing disrupt our production environment?

Our default posture is non-disruptive. We agree on rules of engagement before kickoff — including testing windows, emergency contacts, and any systems that are off-limits for active exploitation. Critical findings are reported in real time so your team can act immediately; destructive testing only happens with explicit written approval.

How long does a typical engagement take?

External pen tests typically run 2–3 weeks from kickoff to final report. Internal tests run 2–4 weeks. Web app tests depend on complexity — a single app with a few dozen endpoints is usually 1–2 weeks. We'll give you a firm timeline during scoping, and we hit it.

Do you retest findings after we remediate?

Yes, and it's included in the original engagement price. We give you 30–90 days (depending on scope) to remediate, then we retest the specific findings and update the report. No surprise invoices.

Can you help us prepare for a SOC 2 or PCI DSS audit?

Yes. Our reports are written to be audit-ready: executive summaries, methodology attestations, finding narratives, and evidence that an assessor can drop directly into their workpapers. For PCI DSS specifically, we scope testing against v4.0 requirements and can package evidence for your QSA.

Ready to see your environment the way an attacker would?

Tell us about your scope and we'll reply within one business day with next steps.
