Pentest & offensive audit
We think like attackers. So you don't face one.
Pentest on web, mobile, API, cloud and infrastructure. OWASP & PTES methodology, exploit-proven findings, CVSS-scored report, prioritised remediation plan. Retest after fixing included.
- OWASP Top 10 & ASVS Level 2/3
- PTES & OSSTMM
- Proof of exploit included
- Free retest after remediation
Scope
What we actually test.
No automated scanner rebadged as an audit. Each engagement combines industry-grade tooling with manual expertise focused on the critical areas.
Web application pentest
Complete OWASP Top 10, broken auth, IDOR, SSRF, stored XSS, deserialisation. Black-box, grey-box or white-box on demand.
Mobile pentest (iOS & Android)
Reverse engineering, jailbreak detection bypass, certificate pinning, local storage, API communications. OWASP MASVS reference.
API & micro-services pentest
REST, GraphQL, gRPC. Auth, rate-limiting, BOLA/BFLA, mass assignment. OWASP API Security Top 10.
Infrastructure & cloud pentest
AWS, GCP, Azure: IAM, CIS configurations, network segmentation, exposed secrets. Internal & external audit.
Red Team & social engineering
Targeted phishing campaigns, OSINT, simulated physical intrusion. For mature companies wanting to test detection.
IoT & embedded pentest
Firmware analysis, hardware reverse engineering, proprietary protocols, BLE, MQTT. For connected devices and industrial equipment.
Methodology
Five phases, traceable.
Every engagement follows PTES (Penetration Testing Execution Standard). You know where we are at any time, and you receive critical findings in real time.
Pre-engagement
Scope definition, rules of engagement, test windows, emergency contacts. NDA signed before any access.
Reconnaissance & mapping
OSINT, enumeration, fingerprinting. Complete mapping of the attack surface before any exploitation attempt.
Exploitation
Manual attempts + tooling (Burp Suite Pro, Metasploit, custom scripts). Every vulnerability is proven by a reproducible exploit.
Reporting
Executive summary (1 page) for leadership + detailed technical report. Each finding with proof, CVSS 3.1, business impact, costed remediation.
Retest after remediation
Within 30 days, we re-verify that critical and high vulnerabilities are effectively closed. Included in all packages.
Deliverables
What you receive.
Executive summary (1 page)
Non-technical synthesis for leadership, board or cyber insurance. Major risks, global score, top recommendations.
Detailed technical report
20 to 80 pages depending on engagement. Each finding: description, proof, CVSS 3.1, impact, remediation, CWE/CVE references.
Oral debrief
A 1- to 2-hour session over video or on-site with your tech team. We answer questions and prioritise together.
Costed remediation plan
Each vulnerability with estimated effort (man-days), impact × probability, priority order. Directly actionable roadmap.
Pentest attestation
Signed document for your customers, partners, ISO/SOC certifications, cyber insurance. Without disclosing technical details.
Free retest (30 days)
We re-verify within 30 days that critical findings are effectively fixed. No additional billing for the retest.
Pricing
Every project is unique. So is the quote.
Instead of abstract packages, we scope to your context: scope, complexity, deadlines, constraints. Write us 3 sentences about what you want to do — we come back with a firm quote within 48 business hours.