offensive security · 01

Penetration testing, done by the person who scopes it.

Manual exploitation against the agreed scope across web apps, APIs, mobile, networks, cloud, and IoT. Senior engineers run every engagement end to end. Fixed fee, working PoCs, retest included.

01. pentest types

Six surfaces, one engineer per engagement.

Each surface gets its own deep methodology. Click through for what we test, how we test, and the deliverables per type.

Web application

Single-page apps, server-rendered apps, admin consoles. Authentication, authorization, business logic, file uploads, integrations. OWASP WSTG aligned.

API (REST + GraphQL)

Broken object-level authorization, mass assignment, batched query abuse, schema introspection, rate-limit bypass. OWASP API Top 10 aligned.

Mobile (iOS + Android)

Static analysis, Frida instrumentation, certificate pinning, secrets in storage, IPC abuse, biometric bypass. OWASP MASVS aligned.

Network (external + internal)

External perimeter, internal lateral movement, Active Directory, ADCS, kerberoasting, network segmentation. PTES + OSSTMM.

Cloud (AWS / GCP / Azure)

IAM blast radius, exposed object storage, metadata-service abuse via SSRF, cross-account chains, control-plane logging gaps.

IoT + embedded

Firmware extraction, hardware interfaces (JTAG/UART/SPI), radio protocols (BLE/Zigbee), companion app, cloud backend.

02. how we work

Five steps, one engineer, end to end.

The person scoping is the person testing. The person testing is the person writing the report. No team rotation, no junior pivot.

  1. Scoping call. 30 minutes. We learn the surface, the deadlines, and the question you need answered. Free.
  2. Written SOW + fixed fee. Scope, methodology, timeline, and price in writing before any work starts. No timesheet creep.
  3. Engagement. Manual exploitation against the agreed scope. Daily updates on critical findings; no waiting for the report.
  4. Report + readout. Findings with severity, exploit chain, fix steps, retest checklist. Engineer Q&A call included.
  5. Retest. One round of post-fix retest within 30 days. Each finding marked resolved, partially resolved, or open with notes.

03. deliverables

What you walk away with.

Standard across every pentest type. Markdown source on request.

Findings report

15 to 60 pages depending on scope. Executive summary, methodology, finding catalog with severity (CVSS 4.0), exploit chain, business impact, remediation, retest checklist.

Working PoCs

Reproducible exploit code or step-by-step. Your engineers verify every claim before they triage. No "trust us" findings.

Engineer readout

60 to 90 minute live walkthrough with your engineering team. Walk every finding, agree on remediation order before the call ends.

Retest within 30 days

One round of post-fix retest included. Each finding re-validated, marked resolved, partially resolved, or open with notes.

Attestation letter

Signed by the engineer who ran the test. For SOC 2, ISO 27001, PCI, customer security teams, insurance underwriters. One page.

Markdown source

On request. Drop into Notion, Confluence, Linear, Jira, ServiceNow. One finding per file with stable IDs and frontmatter.

04. when

When teams hire us for a pentest.

Common patterns we see in scoping calls.

Before SOC 2 or ISO 27001

You need findings, evidence, and a remediation track auditors accept. We deliver the format they expect, on the timeline you committed to.

After an incident

Something happened. You need to know what else is exposed, what was missed, and where to invest the next quarter of engineering time.

Before a release or M&A

A major launch or a buyer asking for a third-party security signal. You need a clean report before the deal or the press release.

Annual cadence or insurance

Your broker asks for one, or your enterprise customer contract requires it. We make sure this year's test is not last year's report with the date changed.

05. faq

Questions before the call.

Common questions during scoping calls.

How long does a typical engagement take?

Two to four weeks of testing for most web app and API scopes, plus a week for the report and readout. Network and cloud engagements run two to six weeks. IoT engagements run four to eight weeks because hardware lab work takes longer.

Production or staging?

Production by default for read-only checks; staging for anything that could damage data. We agree the line in writing before testing starts. For data-handling engagements, a production-like staging environment is required.

Black-box, gray-box, or white-box?

Gray-box (some context, some credentials) is the default. Covers more surface than black-box in the same budget. We do black-box for time-to-detection exercises and white-box for design reviews paired with testing.

How is this different from a vulnerability scanner?

A scanner finds known patterns and stops. We chain findings end-to-end and demonstrate impact. The output is exploit code and a fix track, not a CVE list.

Can you sign our MSA / NDA?

Yes. We sign before the scoping call if you want; otherwise after, before any technical detail flows.

compliance pentest

Pentest built for your audit framework.

Compliance auditors expect a named methodology, CVSS severity mapping, retest evidence, and a signed attestation letter. Each page covers what your specific framework requires.

SOC 2 penetration test

TSC CC6.1, CC6.6, CC7.1, CC8.1. Named methodology, CVSS 4.0 severity, retest evidence, attestation letter in the format auditors accept in 2026.

PCI DSS penetration test

Req 11.3.1 (internal) and 11.3.2 (external). CDE scoping, network segmentation validation, QSA-ready deliverables.

HIPAA penetration test

Security Rule §164.308(a)(8). ePHI system scope, BAA execution before testing, findings structured for OCR audit readiness.

ISO 27001 penetration test

Annex A.8.8 and A.8.29. ISMS boundary alignment, 2022 control mapping, certification-body evidence format.

FedRAMP penetration test

CA-8 and NIST SP 800-115. Rules of engagement, 3PAO-compatible deliverables, Moderate and High baseline requirements.

by industry

Pentest scoped to your industry's attack surface.

Each industry has specific regulations, unique attack vectors, and compliance evidence requirements. These pages cover what that means for your pentest.

Penetration testing for SaaS

Tenant isolation, multi-tenant data layer, SSO and OAuth2 flows, API authorization, and SOC 2 / ISO 27001 evidence.

Ready to scope an engagement?

A 30-minute call gets you a fixed-fee proposal in writing. No NDA needed for the first call.