Skip to main content
Operator-led validation

Penetration Testing

Replace assumptions with evidence. Prove whether attackers can get in, move laterally, and reach what matters.

What you get

  • External, Internal, Web App, and AD-focused scopes
  • Real exploitation chains - not automated scans repackaged
  • Evidence package: attack paths, screenshots, IoCs, retest plan

Available standalone or paired with a Security Reality Check.

Typical range: $8,000–$30,000 · Timeline: 2–4 weeks.

Pen Test vs. Security Reality Check

Both are valuable and both are available as standalone engagements. They answer different questions - many clients choose to pair them for full coverage.

Security Reality Check

Question answered: "What weaknesses exist, and what should we fix first?"

  • Coverage-oriented
  • Validated findings + prioritized roadmap
  • ~2 weeks
  • Lower cost, higher first-engagement value
See Reality Check →

Penetration Testing

Question answered: "Could an attacker actually get in and reach our crown jewels?"

  • Adversarial validation
  • Real exploit chains, not theoretical findings
  • 2–4 weeks
  • Best after Critical/High items have been remediated

Scope Options

Pick one. Combine. Or run a full-spectrum engagement.

External

Internet-facing services, web apps, edge devices, OSINT and credential leak validation.

Internal

Assumed-breach simulation: lateral movement, AD attacks, privilege escalation, data access.

Web App / API

OWASP-aligned manual testing: authn/authz, business logic, IDOR, injection, session, API abuse.

Identity / M365

Entra ID, conditional access, OAuth abuse, token theft, hybrid AD trust paths.

What You Get

  • Engagement Report

    Executive summary, full technical narrative, attack-path diagrams, MITRE ATT&CK mapping.

  • Evidence Pack

    Annotated screenshots, command logs, IoCs, and chain-of-custody for every finding.

  • Ranked Remediation Plan

    Each finding ranked by exploitability + business impact, with explicit remediation steps.

  • Live Debrief

    CEO-led working session - your team can ask the operator anything.

  • Retest

    We re-validate every Critical/High finding within the agreed remediation window.

Sample Findings Section

FINDING PT-2024-007 Severity: Critical Title: Domain Admin via PtH from stale account ATT&CK: T1078.002, T1550.002 Reproduction 1. Authenticate as low-priv user (assumed breach) 2. Enumerate AD via SharpHound 3. Identify dormant DA: svc_legacyadmin 4. Coerce auth via PetitPotam → DC02 5. Pass-the-Hash with cached NTLM 6. Result: Domain Admin Business impact Full domain compromise; access to all PHI shares; ability to disable AV, deploy ransomware, or exfil. Remediation - Disable svc_legacyadmin (validate use first) - Enable AD tiering + protected-users group - Block NTLM relay on DC SMB - Enforce LDAPS + SMB signing

Engagement Flow

Week 0

Scoping & Authorization

Rules of engagement, written authorization, contacts, escalation paths.

Week 1–3

Active Testing

Recon, foothold, lateral movement, privilege escalation, controlled impact.

Week 3–4

Reporting & Debrief

Full report, evidence pack, CEO-led live debrief.

+30–60 days

Retest

Critical/High validation. Optional purple-team session.

Ready for Real Validation?

Know what an attacker can actually do. We scope it, test it, prove it, and hand you the evidence and the fix list.