OPERATIONAL
[ SERVICES ] // CATALOG

Engagements,
scoped to fit.

Each engagement is scoped to your specific environment. Below are typical packages. All include scoping call, execution, written report, and remediation walkthrough. Pricing on request after NDA.

01 / 06

Web Application Pentest

Duration 5–7 days
Format Remote
Request Scope →

Manual penetration testing of web applications and APIs. Goes far beyond automated scanners — authentication bypass, business logic flaws, race conditions, IDOR/BOLA, server-side template injection, and chained exploitation.

Coverage
  • · OWASP Top 10 + ASVS
  • · REST/GraphQL/WebSocket APIs
  • · Authentication & session flows
  • · Business logic attacks
  • · Authorization (IDOR/BOLA)
  • · Server-side injection chains
Deliverables
  • · Executive summary report
  • · Technical findings (CVSS scored)
  • · Reproduction steps + evidence
  • · Remediation recommendations
  • · Free retest within 30 days
  • · Optional dev team walkthrough
OWASP PortSwigger BSCP-grade Burp Suite Pro Custom Tooling
02 / 06

Active Directory Assessment

Duration 7–10 days
Format Remote / On-site
Request Scope →

Full Active Directory attack chain assessment. Internal pentest assuming initial foothold, with the goal of identifying paths to Domain Admin and Tier-0 assets. Maps real attacker behavior, not theoretical vulnerabilities.

Coverage
  • · Kerberos attacks (AS-REP, S4U2)
  • · Kerberoasting & ASREPRoasting
  • · ACL/ACE abuse chains
  • · GPO weaknesses
  • · LSA secrets / NTDS extraction
  • · Lateral movement & privesc
  • · LDAP signing & relay attacks
Deliverables
  • · Attack path documentation
  • · BloodHound graph artifacts
  • · CVSS-scored findings
  • · Prioritized remediation roadmap
  • · Detection engineering hints
  • · Free retest within 30 days
BloodHound Impacket Rubeus CRTP-grade
03 / 06

External Network Pentest

Duration 5–7 days
Format Remote
Request Scope →

Internet-facing infrastructure assessment from an external attacker's perspective. OSINT-driven recon, active enumeration, exploit validation, and post-exploitation chains.

Coverage
  • · OSINT & passive recon
  • · Subdomain enumeration
  • · Service fingerprinting
  • · CVE validation & exploitation
  • · Cloud asset discovery
  • · Email/credential exposure
Deliverables
  • · Attack surface inventory
  • · Verified vulnerability findings
  • · Exposed credentials report
  • · Hardening recommendations
  • · Free retest within 30 days
OSINT Nuclei Custom Recon CVE Validation
04 / 06

Red Team Operations

Duration 2–4 weeks
Format Remote / On-site
Request Scope →

Full-spectrum adversary simulation against agreed objectives. Initial access via phishing or external exploitation, EDR evasion with custom tooling, lateral movement, and objective-driven exfiltration. Tests both prevention and detection.

Coverage
  • · Phishing campaigns (mature)
  • · EDR evasion (Sophos/CrowdStrike/SentinelOne)
  • · Custom C2 infrastructure
  • · Custom shellcode loaders
  • · Lateral movement & persistence
  • · Objective exfiltration
  • · Blue team detection mapping
Deliverables
  • · Full operation narrative
  • · MITRE ATT&CK mapping
  • · IOCs for blue team replay
  • · Detection gap analysis
  • · Executive briefing session
  • · Technical debrief with SOC
OSEP-grade Custom Loaders MITRE ATT&CK Purple Team Optional
05 / 06

Cloud Security Assessment

Duration 5–10 days
Format Remote
Request Scope →

Offensive assessment of cloud environments (AWS, Azure, GCP). Privilege escalation paths, misconfigured IAM, exposed services, and lateral movement between cloud and on-premises infrastructure.

Coverage
  • · IAM misconfigurations
  • · Privilege escalation chains
  • · Storage exposure (S3/Blob/GCS)
  • · Serverless attack surface
  • · Hybrid cloud-on-prem paths
  • · Container/K8s security
Deliverables
  • · Cloud attack surface map
  • · IAM privilege graph
  • · Exploitable misconfigurations
  • · Hardening playbook
  • · Free retest within 30 days
AWS Azure GCP K8s
06 / 06

Continuous Offensive Testing

Duration Monthly retainer
Format Ongoing
Request Scope →

Ongoing offensive testing for mature security programs. Continuous attack surface monitoring, scoped engagements per quarter, rapid response for new asset releases, and on-demand consultation.

Included
  • · Monthly attack surface scan
  • · Quarterly deep engagement (40h)
  • · New asset rapid assessment
  • · On-demand security consultation
  • · Slack/Teams direct channel
  • · Threat intel briefings
Best for
  • · SaaS companies with frequent releases
  • · Fintech / regulated industries
  • · Companies post-Series B funding
  • · Mature security teams
12-month minimum Dedicated channel Priority response
// CUSTOM

Don't see what
you need?

Mobile app pentest, source code review, phishing simulations, IoT/embedded testing, social engineering campaigns, M&A cyber due diligence, vCISO advisory. Custom scoping available.

Discuss Custom Engagement →
// PROCESS

How engagements
flow.

01

Scoping Call

30-min discovery to understand objectives, scope, constraints. NDA signed before any technical details discussed.

02

Proposal & Contract

Fixed-price proposal with clear scope, timeline, and deliverables. Standard MSA + SOW. 50% upfront, 50% on delivery.

03

Execution

Active testing with daily status updates on critical findings. Live channel for coordination during engagement.

04

Delivery

Written report + technical walkthrough call. Free retest within 30 days to verify remediation.

Engagement starts
with a 30-min call.

Request Scoping Call →