Pentests that go beyond the scanner.
A compliance checkbox pentest finds what it is designed to find. A real penetration test simulates how a determined adversary operates against your specific environment — chaining vulnerabilities, abusing business logic, pivoting across trust boundaries, and demonstrating concrete impact before an attacker does.
We build custom attack chains informed by current threat intelligence, map every finding to MITRE ATT&CK, and deliver outputs that satisfy PCI DSS 4.0, SOC 2, ISO 27001, and HIPAA requirements while giving your engineers the reproduction evidence to fix what is actually broken.
Coverage across your full attack surface.
Web Applications & APIs
- Authentication & authorisation — IDOR, broken access control, privilege escalation, JWT and OAuth 2.0 flow attacks
- Injection & server-side flaws — SQL, NoSQL, LDAP, OS command, SSTI, XXE, SSRF, and prototype pollution
- Business logic — race conditions, payment and quota bypasses, workflow manipulation, and chained multi-step abuse
- REST, GraphQL, and gRPC interfaces including introspection abuse and batch attacks
- SPA and SSR attack surfaces: CORS misconfigurations, CSP bypass, and missing subresource integrity
Network & Infrastructure
- Active Directory — Kerberoasting, AS-REP roasting, ACL abuse, DCSync, and domain compromise paths
- Cloud — IAM privilege escalation, storage exposure, control plane misconfiguration, and cross-account trust
- Perimeter — firewall rule analysis, VPN configuration, network segmentation validation, and DMZ penetration
- Containers & Kubernetes — escape paths, RBAC misconfigurations, admission control bypass, and secret extraction
- Wireless: 802.11 security, rogue AP detection, and credential capture scenarios
Mobile & Embedded
- iOS & Android — source and binary analysis, certificate pinning bypass, local data storage, and IPC attack surfaces
- Mobile backend APIs tested in conjunction with app-layer review
- Embedded & IoT — firmware extraction and analysis, UART/JTAG/SPI interface testing, bootloader bypass, and secure update verification
- Desktop & drivers — Windows/macOS/Linux applications, DLL hijacking, privilege escalation via misconfigured services, and kernel module review
Evidence-driven. Repeatable. Auditable.
Every engagement follows a process aligned to NIST SP 800-115. Attack chains map to MITRE ATT&CK. No finding is reported without reproduction evidence.
Scoping & Intelligence
- Asset inventory and scope boundary definition
- Threat actor profiling: adversaries most relevant to your industry and asset profile
- Rules of engagement: test windows, off-limits systems, escalation contacts
- OSINT baseline: external attack surface, credential exposure, supply chain footprint
Reconnaissance
- Subdomain and service enumeration; passive and active fingerprinting
- Trust relationship mapping: third-party integrations and supply chain entry points
- Credential and secret exposure: paste sites, public repositories, breach data
- Attack surface prioritisation by exposure and business impact
Exploitation & Chain Development
- Initial access through identified weaknesses
- Chaining lower-severity findings into high-impact attack paths
- Lateral movement and privilege escalation toward engagement objectives
- Business impact validation: data access, persistence, and operational disruption scenarios
Reporting & Retest
- CVSSv4-scored findings with MITRE ATT&CK mapping and reproduction steps
- Executive readout: risk narrative, business impact, and prioritised remediation
- Remediation guidance with code examples and configuration changes
- Retest of fixed findings; updated report and compliance validation letter
A finding looks like this.
Reproducible, scored, mapped. The sample below shows the format and depth your engineering team will see in every report — drawn from our independent exploit analysis of CopyFail (CVE-2026-31431).
The AF_ALG / algif_aead crypto interface performs an in-place AEAD transform that reuses the source buffer as its destination — an optimisation added upstream in 2017. Driven through splice() from an unprivileged pipe, a low-privileged local user gains a controlled 4-byte write into the page cache of any file they can read, then patches a root-owned binary in memory to reach root code execution.
- Root code execution from a low-privileged interactive session.
- Read of /etc/shadow, the SSSD credential cache (/var/lib/sss/db/cache_*.ldb), and on-disk Kerberos keytabs (/etc/krb5.keytab) — extracted in lab validation.
- Persistent root systemd unit installed via an /etc/systemd/system override; survives reboot. Out-of-the-box Linux installs (no audit framework configured) do not detect writes to this path from non-root UIDs.
- Deterministic primitive — no race to win; the public ~732-byte proof-of-concept escalates to root reliably on any affected kernel that exposes AF_ALG to unprivileged users.
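The remediation for this finding is to make socket(AF_ALG) unreachable from services that do not need the kernel crypto user-API. The seccomp-bpf filter below is an added example written for this page, not code from the report, the vendor or the public proof-of-concept; it assumes a Linux x86_64 or aarch64 host and a service that can call prctl(2) before entering its main loop, and the names deny_af_alg_sockets and probe_socket are the example's own.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#endif /* other architectures: add their AUDIT_ARCH_* value here (assumption: x86_64/aarch64 host) */

/* Install a seccomp-bpf filter so socket(AF_ALG, ...) fails with EAFNOSUPPORT; every other syscall and
 * socket family is untouched. Returns 0 on success, -1 (errno set) if the kernel refused the filter. */
int deny_af_alg_sockets(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),   /* foreign ABI (e.g. x32)?   */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),       /*   -> kill rather than guess */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),    /* not socket(2)? -> allow   */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_ALG, 0, 1),         /* domain != AF_ALG? -> allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EAFNOSUPPORT & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = (unsigned short)(sizeof filter / sizeof filter[0]), .filter = filter };
    /* NO_NEW_PRIVS lets an unprivileged process load the filter; children inherit it and it cannot be removed. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Create a socket and return 0 on success, or the errno the kernel reported. */
int probe_socket(int domain, int type)
{
    int fd = socket(domain, type, 0);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Stand-alone check: exit 0 only if the filter loaded and AF_ALG is now refused. */
int main(void)
{
    if (deny_af_alg_sockets() != 0) return 1;
    return probe_socket(AF_ALG, SOCK_SEQPACKET) == EAFNOSUPPORT ? 0 : 1;
}
```

For a systemd-managed service the equivalent unit-level setting is RestrictAddressFamilies=~AF_ALG, which applies the same restriction without changing the binary.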
Fix: kernel commit a664bf3d603d, backported to maintained stable/LTS and distro kernels. Reboot required.
Mitigation: block socket(AF_ALG) with a seccomp-bpf filter or systemd RestrictAddressFamilies on exposed services, or unload / blacklist the af_alg module where the kernel crypto user-API isn't needed. Unlike a race condition this is a deterministic in-kernel write, so file-permission hardening and audit watches don't prevent it — only cutting off AF_ALG reachability does.
What ships at the end of every engagement.
Technical Report
- CVSSv4-scored findings with environmental adjustments
- Step-by-step reproduction with screenshots and tool output
- MITRE ATT&CK technique and sub-technique mapping for each finding
- Attack chain narrative: how findings combine into high-impact paths
- Prioritised remediation with owner-ready tasks, code examples, and control references
Compliance Artifacts
- PCI DSS 4.0 Req 11.x alignment: methodology, scope, and evidence documentation
- Compliance mapping to SOC 2, ISO 27001, HIPAA, and NIST CSF
- Segmentation testing evidence for CDE boundary validation
- Retest validation letter for auditor and assessor submission
Engagement Support
- Executive summary: risk narrative and business impact for leadership and board
- Interim findings during extended engagements for early remediation starts
- Technical readout session with your engineering and security teams
- Post-remediation retest with updated report on request
How we hold your data while we test it.
- ISO/IEC 27001:2022-conformant information security programme
- Signed rules of engagement and mutual NDA before engagement commencement
- Encrypted evidence storage in transit and at rest; access limited to the assigned team
- Time-bound data retention with certified secure disposal on completion
- Change window coordination; no production-impacting action without prior approval
- Kill-switch procedure: named contact with authority to suspend testing immediately
