Our methodology
A structured, repeatable process based on PTES, OSSTMM and NIST SP 800-115: scoping, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation and reporting.
What we test
Web and API applications, mobile apps, internal and external infrastructure, cloud and crypto systems, wireless networks, and AI/LLM systems — individually or as a combined engagement.
Scoping & rules of engagement
We agree a precise scope, safe testing windows and clear rules of engagement up front, avoid destructive tests and coordinate any sensitive actions with your team.
Reporting & retest
You receive a prioritized technical report and an executive summary, plus a free remediation retest once findings are fixed.
Frameworks & standards
What you get
- Technical report with reproducible, CVSS-rated findings
- Executive summary for management and auditors
- Prioritized remediation roadmap
- Free remediation retest
FAQ
How long does a pentest take?
Typically 1–3 weeks depending on scope and complexity; we confirm a timeline after scoping.
How often should we test?
At least annually, and after any major change — DORA and NIS 2 expect regular testing of critical systems.
Which standard do you follow?
We blend PTES, OSSTMM and NIST SP 800-115, and map findings to MITRE ATT&CK and OWASP where relevant.