
Home / IT Security / Penetration Testing
Find out what an attacker would find. Before one does.
Authorized, scoped, human-driven testing of your applications, networks and cloud — with a report you can act on and a retest included.
And, just as important, what it is not.
A vulnerability scan tells you what is open. A penetration test tells you what is reachable from it — and what it costs you.
Scanners enumerate known weaknesses. A tester chains them: the low-severity information leak that reveals the admin panel, the reused password that opens it, the misconfigured service account behind it. Chains are what real attackers use, and no scanner reports them.
Every test runs under a written scope and authorization, signed before the first packet. Testing without that document is not a service anyone should sell you — it is a crime with an invoice.
Scoped individually or combined. Methodologies named per target type.
- Web applications
- Authentication, authorization, session handling, injection, business-logic abuse — tested against the OWASP Web Security Testing Guide, reported against ASVS.
- APIs
- REST and GraphQL: broken object-level authorization, mass assignment, rate limiting, token handling — the OWASP API Top 10, tested with the documentation you give us and the traffic you didn't.
- External network
- Your internet-facing footprint: exposed services, VPN endpoints, mail, forgotten hosts. What opportunistic attackers try first, run to NIST SP 800-115 discipline.
- Internal network
- Assumed breach: one foothold, then lateral movement, privilege escalation, and the path to your most critical data. Answers the only question that matters — how far does one compromise go?
- Cloud & Microsoft 365
- AWS, Azure, GCP and M365 tenants: IAM misconfigurations, public storage, conditional-access gaps, consent abuse — checked against CIS Benchmarks and provider security guidance.
- Wi-Fi
- Wireless authentication, segmentation from the corporate network, rogue access point exposure — on site.
- Phishing (measured)
- Credential-capture campaigns against agreed groups, run as measurement with your knowledge and written approval — results feed training, never discipline.
Four stages, all in writing.
Scope & authorization
Targets, exclusions, testing windows, data-handling rules, emergency stop contact. Signed by someone entitled to sign it.
Execution
Manual testing supported by tools — not the other way round. Critical findings are reported the day we confirm them, not held for the report.
Findings that read
Reproduction steps, evidence, realistic impact, and fixes your team can execute. One page of it written for management.
Verification
After you remediate, we re-verify every finding rated medium or higher and issue the updated report. Included, not upsold.
The deliverable you are actually buying. Ours contains:
- Executive summary in business language, one to two pages
- Attack narrative: the chains, not just the links
- Each finding: evidence, affected assets, CVSS score plus our honest severity
- Reproduction steps a competent engineer can follow
- Concrete remediation per finding, with effort noted
- What we tried that did not work — absence of findings is a finding
- Scope, methodology and limitations, stated plainly
- Retest annex: what was fixed, what remains
Raw tool output available as an appendix on request. We deliver reports encrypted, and we delete client data on the schedule written into the engagement — see our privacy policy.
Named standards, so you can compare us honestly.
Asked by almost everyone. Fair enough.
Is the retest included?
Yes. After you remediate, we re-verify every finding rated medium or higher and update the report. A finding is closed when the fix is confirmed, not when a ticket says so.
Will testing take our systems down?
The rules of engagement define what is in scope, what is excluded, testing windows, and an emergency stop contact. Denial-of-service testing is excluded unless you explicitly request it in writing.
Do we get raw scanner output?
You get it as an appendix if you want it, but the report itself is written by the person who did the testing: verified findings, realistic impact, and reproduction steps — not paste from a tool.
What would you least like us to reach?
That is usually the right first target. Tell us what you run and what worries you; we will propose a scope and a fixed price.
Contact us- info@bstedge.com
- Response
- Within one business day
- Includes
- Written authorization, report, retest