Engineer typing at a keyboard in a dark workspace

Home / IT Security / Penetration Testing

Find out what an attacker would find. Before one does.

Authorized, scoped, human-driven testing of your applications, networks and cloud — with a report you can act on and a retest included.

What this is

And, just as important, what it is not.

A vulnerability scan tells you what is open. A penetration test tells you what is reachable from it — and what it costs you.

Scanners enumerate known weaknesses. A tester chains them: the low-severity information leak that reveals the admin panel, the reused password that opens it, the misconfigured service account behind it. Chains are what real attackers use, and no scanner reports them.

Every test runs under a written scope and authorization, signed before the first packet. Testing without that document is not a service anyone should sell you — it is a crime with an invoice.


What we test

Scoped individually or combined. Methodologies named per target type.

Web applications
Authentication, authorization, session handling, injection, business-logic abuse — tested against the OWASP Web Security Testing Guide, reported against ASVS.
APIs
REST and GraphQL: broken object-level authorization, mass assignment, rate limiting, token handling — the OWASP API Top 10, tested with the documentation you give us and the traffic you didn't.
External network
Your internet-facing footprint: exposed services, VPN endpoints, mail, forgotten hosts. What opportunistic attackers try first, run to NIST SP 800-115 discipline.
Internal network
Assumed breach: one foothold, then lateral movement, privilege escalation, and the path to your most critical data. Answers the only question that matters — how far does one compromise go?
Cloud & Microsoft 365
AWS, Azure, GCP and M365 tenants: IAM misconfigurations, public storage, conditional-access gaps, consent abuse — checked against CIS Benchmarks and provider security guidance.
Wi-Fi
Wireless authentication, segmentation from the corporate network, rogue access point exposure — on site.
Phishing (measured)
Credential-capture campaigns against agreed groups, run as measurement with your knowledge and written approval — results feed training, never discipline.
How an engagement runs

Four stages, all in writing.

01 — RULES

Scope & authorization

Targets, exclusions, testing windows, data-handling rules, emergency stop contact. Signed by someone entitled to sign it.

02 — TEST

Execution

Manual testing supported by tools — not the other way round. Critical findings are reported the day we confirm them, not held for the report.

03 — REPORT

Findings that read

Reproduction steps, evidence, realistic impact, and fixes your team can execute. One page of it written for management.

04 — RETEST

Verification

After you remediate, we re-verify every finding rated medium or higher and issue the updated report. Included, not upsold.


The report

The deliverable you are actually buying. Ours contains:

  • Executive summary in business language, one to two pages
  • Attack narrative: the chains, not just the links
  • Each finding: evidence, affected assets, CVSS score plus our honest severity
  • Reproduction steps a competent engineer can follow
  • Concrete remediation per finding, with effort noted
  • What we tried that did not work — absence of findings is a finding
  • Scope, methodology and limitations, stated plainly
  • Retest annex: what was fixed, what remains

Raw tool output available as an appendix on request. We deliver reports encrypted, and we delete client data on the schedule written into the engagement — see our privacy policy.

Method

Named standards, so you can compare us honestly.

OWASP WSTGOWASP ASVSOWASP API Top 10NIST SP 800-115PTESCVSS v4.0MITRE ATT&CKCIS Benchmarks

Common questions

Asked by almost everyone. Fair enough.

Is the retest included?

Yes. After you remediate, we re-verify every finding rated medium or higher and update the report. A finding is closed when the fix is confirmed, not when a ticket says so.

Will testing take our systems down?

The rules of engagement define what is in scope, what is excluded, testing windows, and an emergency stop contact. Denial-of-service testing is excluded unless you explicitly request it in writing.

Do we get raw scanner output?

You get it as an appendix if you want it, but the report itself is written by the person who did the testing: verified findings, realistic impact, and reproduction steps — not paste from a tool.

What would you least like us to reach?

That is usually the right first target. Tell us what you run and what worries you; we will propose a scope and a fixed price.

Contact us
Response
Within one business day
Includes
Written authorization, report, retest