Pentests that go beyond the scanner.

A compliance checkbox pentest finds what it is designed to find. A real penetration test simulates how a determined adversary operates against your specific environment — chaining vulnerabilities, abusing business logic, pivoting across trust boundaries, and demonstrating concrete impact before an attacker does.

OWASP WSTG · NIST SP 800-115 · MITRE ATT&CK · CVSSv4 · PCI DSS 4.0 Req 11.x · SOC 2 · ISO 27001 · HIPAA

We build custom attack chains informed by current threat intelligence, map every finding to MITRE ATT&CK, and deliver outputs that satisfy PCI DSS 4.0, SOC 2, ISO 27001, and HIPAA requirements while giving your engineers the reproduction evidence to fix what is actually broken.

WHAT WE TEST

Coverage across your full attack surface.

Web Applications & APIs

OWASP WSTG · NIST SP 800-115
  • Authentication & authorisation — IDOR, broken access control, privilege escalation, JWT and OAuth 2.0 flow attacks
  • Injection & server-side flaws — SQL, NoSQL, LDAP, OS command, SSTI, XXE, SSRF, and prototype pollution
  • Business logic — race conditions, payment and quota bypasses, workflow manipulation, and chained multi-step abuse
  • REST, GraphQL, and gRPC interfaces including introspection abuse and batch attacks
  • SPA and SSR attack surfaces: CORS misconfigurations, CSP bypass, and missing subresource integrity

Network & Infrastructure

NIST SP 800-115
  • Active Directory — Kerberoasting, AS-REP roasting, ACL abuse, DCSync, and domain compromise paths
  • Cloud — IAM privilege escalation, storage exposure, control plane misconfiguration, and cross-account trust
  • Perimeter — firewall rule analysis, VPN configuration, network segmentation validation, and DMZ penetration
  • Containers & Kubernetes — escape paths, RBAC misconfigurations, admission control bypass, and secret extraction
  • Wireless — 802.11 security, rogue AP detection, and credential capture scenarios

Mobile & Embedded

OWASP MASTG
  • iOS & Android — source and binary analysis, certificate pinning bypass, local data storage, and IPC attack surfaces
  • Mobile backend APIs tested in conjunction with app-layer review
  • Embedded & IoT — firmware extraction and analysis, UART/JTAG/SPI interface testing, bootloader bypass, and secure update verification
  • Desktop & drivers — Windows/macOS/Linux applications, DLL hijacking, privilege escalation via misconfigured services, and kernel module review

METHODOLOGY

Evidence-driven. Repeatable. Auditable.

Every engagement follows a process aligned to NIST SP 800-115. Attack chains map to MITRE ATT&CK. No finding is reported without reproduction evidence.

01

Scoping & Intelligence

  • Asset inventory and scope boundary definition
  • Threat actor profiling: adversaries most relevant to your industry and asset profile
  • Rules of engagement: test windows, off-limits systems, escalation contacts
  • OSINT baseline: external attack surface, credential exposure, supply chain footprint

02

Reconnaissance

  • Subdomain and service enumeration; passive and active fingerprinting
  • Trust relationship mapping: third-party integrations and supply chain entry points
  • Credential and secret exposure: paste sites, public repositories, breach data
  • Attack surface prioritisation by exposure and business impact

03

Exploitation & Chain Development

  • Initial access through identified weaknesses
  • Chaining lower-severity findings into high-impact attack paths
  • Lateral movement and privilege escalation toward engagement objectives
  • Business impact validation: data access, persistence, and operational disruption scenarios

04

Reporting & Retest

  • CVSSv4-scored findings with MITRE ATT&CK mapping and reproduction steps
  • Executive readout: risk narrative, business impact, and prioritised remediation
  • Remediation guidance with code examples and configuration changes
  • Retest of fixed findings; updated report and compliance validation letter

WHAT YOU GET

A finding looks like this.

Reproducible, scored, mapped. The sample below shows the format and depth your engineering team will see in every report; it is drawn from our independent exploit analysis of CopyFail (CVE-2026-31431).

research/GRS-2026-031 · copyfail-afalg-lpe.md · CVE analysis
HIGH · CVSS 4.0 base score 8.5
GRS-2026-031 · Local privilege escalation via in-place buffer reuse in the kernel AF_ALG crypto path (CopyFail)
CVE-2026-31431 · CWE-669 (Incorrect Resource Transfer Between Spheres) · ATT&CK T1078.003 → T1068 → T1003.008 → T1543.002
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Local attack vector · Low complexity · No attack requirements · Low privileges required · No user interaction · High confidentiality, integrity and availability impact on the vulnerable system · No subsequent-system impact (the effect is contained to the vulnerable system itself).
SUMMARY
The kernel AF_ALG / algif_aead crypto interface performs an in-place AEAD transform that reuses the source buffer as its destination, an optimisation added upstream in 2017. Driven through splice() from an unprivileged pipe, a low-privileged local user gains a controlled 4-byte write into the page cache of any file they can read, then patches a root-owned setuid binary in memory to reach root code execution.
AFFECTED
asset · any Linux host exposing AF_ALG to unprivileged users
component · Linux kernel AF_ALG (algif_aead) crypto path
kernel · every release carrying the in-place AEAD optimisation introduced upstream in 2017, up to the fixing commit
fixed in · mainline commit a664bf3d603d; backported to maintained stable/LTS and distro kernels
arch · x86_64, aarch64 (lab-validated)
auth · low-privileged local user
ui · none required
REPRODUCTION
# Public proof-of-concept (~732-byte Python); steps abbreviated, exploit code not reproduced here.
# 1. Open an AF_ALG socket; bind an in-place AEAD transform
# 2. splice() a crafted pipe into the AEAD operation
# 3. Controlled 4-byte write lands in the page cache of a readable root-owned file
# 4. setuid binary patched in cache; root payload executed
[+] page-cache write landed at target offset
[+] /usr/bin/[redacted] (setuid root) patched in cache
[+] reverse shell as uid=0(root) established
VALIDATED IMPACT
  • Root code execution from a low-privileged interactive session.
  • Read of /etc/shadow, SSSD credential cache (/var/lib/sss/db/cache_*.ldb), and on-disk Kerberos keytabs (/etc/krb5.keytab) — extracted in lab validation.
  • Persistent root systemd unit installed via an /etc/systemd/system override; survives reboot. Out-of-the-box Linux installs with no audit framework configured record nothing for this write, which originates from a non-root UID.
  • Deterministic primitive — no race to win; the public ~732-byte proof-of-concept escalates to root reliably on any affected kernel that exposes AF_ALG to unprivileged users.
FIX
Upgrade to a patched kernel. The upstream fix reverts the in-place AEAD optimisation so the crypto path no longer reuses the source buffer as its destination (mainline commit a664bf3d603d, backported to maintained stable/LTS and distro kernels). Reboot required.
MITIGATE (if patch deployment is blocked)
If a kernel update is blocked, remove the attack surface by denying unprivileged access to AF_ALG: block socket(AF_ALG) with a seccomp-bpf filter or systemd RestrictAddressFamilies on exposed services, or unload and blacklist the af_alg module where the kernel crypto user-API is not needed. Two caveats: blacklisting only works where af_alg is built as a module rather than compiled into the kernel, and a per-service filter protects only the processes it wraps, so an interactive low-privileged user's shell stays exposed unless the filter is applied to the login session as well. Unlike a race condition this is a deterministic in-kernel write, so file-permission hardening and audit watches do not prevent it; only cutting off AF_ALG reachability does.
EPSS · 0.30 · public exploit available · CWE · 669 (Incorrect Resource Transfer Between Spheres) · PCI 4.0 · 6.3.3 · SOC 2 · CC7.1 · SLA · fix < 7 days
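The mitigation above names a seccomp-bpf filter on socket(AF_ALG) as the stop-gap. The following is an added example of that filter, written for this page and not code from the report or from any vendor tooling: it builds the classic-BPF program, includes a small userspace evaluator for the three instruction forms it uses so the verdicts can be checked before installation, and then installs it on the calling process. Assumptions: x86_64 Linux (AUDIT_ARCH_X86_64 is hard-coded; aarch64 would use AUDIT_ARCH_AARCH64), a little-endian layout so the low 32 bits of args[0] sit at offsetof(args), and AF_ALG taken from the system headers.

```c
// Added example: seccomp-bpf filter denying socket(AF_ALG, ...) with EPERM.
// Not from the report or the page's tooling. Assumes x86_64 Linux, little-endian.
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_ACTION_FULL
#define SECCOMP_RET_ACTION_FULL 0xffff0000U
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#define ARCH_NR AUDIT_ARCH_X86_64   /* assumption: x86_64 host */

/* struct seccomp_data layout: u32 nr; u32 arch; u64 instruction_pointer; u64 args[6]. */
static struct sock_filter af_alg_filter[] = {
    /* 0: refuse syscalls made under a foreign ABI, where nr would mean something else */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)),
    /* 3: anything other than socket(2) is allowed */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),
    /* 5: socket(2) with domain == AF_ALG gets EPERM; every other domain is allowed */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_ALG, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    /* 8: allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof af_alg_filter / sizeof af_alg_filter[0])

/* Evaluate the three cBPF instruction forms used above against a seccomp_data.
 * Anything the evaluator does not model fails closed. */
static uint32_t eval_filter(const struct sock_filter *prog, size_t len,
                            const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + sizeof acc > sizeof *sd)
                return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const uint8_t *)sd + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Verdict for syscall nr with first argument arg0 under ABI arch:
 * 0 if allowed, the errno the kernel would return for SECCOMP_RET_ERRNO, -1 otherwise. */
int verdict(uint32_t arch, uint32_t nr, uint64_t arg0)
{
    struct seccomp_data sd;
    memset(&sd, 0, sizeof sd);
    sd.arch = arch;
    sd.nr = nr;
    sd.args[0] = arg0;
    uint32_t ret = eval_filter(af_alg_filter, FILTER_LEN, &sd);
    if ((ret & SECCOMP_RET_ACTION_FULL) == SECCOMP_RET_ALLOW)
        return 0;
    if ((ret & SECCOMP_RET_ACTION_FULL) == SECCOMP_RET_ERRNO)
        return (int)(ret & SECCOMP_RET_DATA);
    return -1;
}

/* Install the filter on the calling thread; it is inherited by children and across execve. */
int install_af_alg_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN, .filter = af_alg_filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    if (install_af_alg_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    int alg = socket(AF_ALG, SOCK_SEQPACKET, 0);
    printf("socket(AF_ALG): %s\n", alg < 0 ? strerror(errno) : "allowed (filter not effective)");
    int un = socket(AF_UNIX, SOCK_STREAM, 0);
    printf("socket(AF_UNIX): %s\n", un < 0 ? strerror(errno) : "allowed");
    return 0;
}
```

Run as an unprivileged user: socket(AF_ALG) should report "Operation not permitted" while AF_UNIX still succeeds. For a daemon, the declarative equivalent is a RestrictAddressFamilies= line in its systemd unit that lists only the families it needs (for most services AF_UNIX AF_INET AF_INET6); systemd then installs a comparable filter for you. Neither form covers an interactive user's shell, which is why the report treats these as stop-gaps until the kernel is patched.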

DELIVERABLES

What ships at the end of every engagement.

Technical Report

  • CVSSv4-scored findings with environmental adjustments
  • Step-by-step reproduction with screenshots and tool output
  • MITRE ATT&CK technique and sub-technique mapping for each finding
  • Attack chain narrative: how findings combine into high-impact paths
  • Prioritised remediation with owner-ready tasks, code examples, and control references

Compliance Artifacts

  • PCI DSS 4.0 Req 11.x alignment: methodology, scope, and evidence documentation
  • Compliance mapping to SOC 2, ISO 27001, HIPAA, and NIST CSF
  • Segmentation testing evidence for CDE boundary validation
  • Retest validation letter for auditor and assessor submission

Engagement Support

  • Executive summary: risk narrative and business impact for leadership and board
  • Interim findings during extended engagements for early remediation starts
  • Technical readout session with your engineering and security teams
  • Post-remediation retest with updated report on request

ENGAGEMENT MODELS

Pick the depth of insider knowledge.

Black-box
No prior knowledge; simulates an external attacker with no insider information.
Grey-box
Authenticated credentials or partial documentation; most efficient coverage of application logic and privilege boundaries.
White-box
Full source code, architecture documentation, and credentials; maximum coverage and highest finding density.
Expedited
Accelerated scheduling and parallel workstreams for audit deadlines; premium applies (subject to scope and analyst availability).
Team size and engagement duration scaled to scope and coverage objectives.

ASSURANCE & DATA HANDLING

How we hold your data while we test it.

  • ISO/IEC 27001:2022-conformant information security programme
  • Signed rules of engagement and mutual NDA before engagement commencement
  • Encrypted evidence storage in transit and at rest; access limited to assigned team
  • Time-bound data retention with certified secure disposal on completion
  • Change window coordination; no production-impacting action without prior approval
  • Kill-switch procedure: named contact with authority to suspend testing immediately

ACTIVE INCIDENT?