We attack your stack.
Then we close every finding.
Continuous internal pentest run by our AI engine and certified red teamers, included in every CaaS engagement. For independent third-party assessments, we coordinate a vetted partner firm. Two streams, one operating model, both auditor-accepted.
We test what we own. Partners test what we built for you.
We are also your remediator, which means we cannot credibly certify our own work to your auditor. Industry standards agree: ISO 17021-1 enforces a two-year cooling-off period between implementer and assessor. So we run two streams, and you pick whichever your buyer needs.
Internal pentest. Continuous, in scope.
Our AI pentest engine plus our certified red team, running against your live surface as part of your compliance program. Findings come with pull requests. Engagement closes only when criticals close.
- Continuous, not annual point in time
- AI surfaces candidates, humans verify
- Pull requests against your infra repo
- No standalone invoice. Bundled into CaaS.
- Internal use only · not for arm's length attestations
Independent pentest. Third party report.
When your auditor needs a pentest report from a firm that did not also remediate your stack, we coordinate a vetted partner. We handle scoping, NDA, results delivery and follow-up remediation. You get a standalone report under their letterhead.
- Independent, arm's length per ISO 17021-1
- Boutique offensive firms, PCI ASV/QSA aligned, cleared red teams
- We coordinate scope, NDA, retest at no markup
- You get the report. We get the gap list.
- Required for: SOC 2 Type II evidence, PCI DSS, ISO Stage 2
Nine attack surfaces. One operating model.
Each surface gets a dedicated lead with the right certification stack. Internal-stream surfaces run as part of your CaaS engagement. The two partner-stream surfaces coordinate through firms in our network.
Web application
Authenticated and unauthenticated assessments of your web surfaces. Business logic abuse, session handling, access control.
API
REST and GraphQL endpoints, internal and public. Authorization boundaries, token handling, schema introspection.
Mobile application
Static and dynamic analysis on iOS and Android. Runtime tampering, certificate pinning, local storage exposure.
Cloud infrastructure
AWS, GCP and Azure account hardening. IAM walks, privilege escalation paths, exposed services, misconfigured logging.
Internal network
Assumed breach simulation from inside the perimeter. Lateral movement, credential harvesting, privilege escalation, AD walks.
Source code review
Architectural review and selective deep dive. Cryptography, authorization, input validation, secret handling.
DevSecOps & supply chain
CI/CD pipelines, container registries, dependency graphs, signing keys. Where SolarWinds-style risk lives.
External red team
Full kill chain against your live perimeter. Recon, initial access, persistence, exfiltration. Run by an independent partner firm because we are also your remediator.
Social engineering
Phishing, vishing, pretexting tied to the control review. Coordinated through partner firms when the engagement requires arm's length execution.
A fixed process. No surprises.
Every engagement runs the same five phases regardless of stream. Durations adjust to scope; the structure does not. You always know what we are doing this week and what lands next.
Scope
Define targets, rules of engagement, communication paths, escalation contacts. NDA in place. Test windows agreed in writing. We pick the stream (internal or partner) before scoping closes.
Recon
Asset enumeration, surface mapping, attack graph generation. AI handles breadth, the lead engineer prioritizes depth. Partner streams add their own recon layer on top.
Exploit
Manual exploitation and chaining. Every candidate finding verified, written up with proof of exploit, severity scored against your business context.
Report
Executive summary, technical detail per finding, repro steps, recommended fix, mapped to OWASP and ATT&CK. Auditor-accepted format. Partner streams publish their own standalone report under their letterhead.
Retest
Engagement closes only when criticals and highs are verified closed. We retest at no additional charge. For partner streams, we coordinate the partner retest at no markup.
Three modes. Pick what your buyer actually needs.
Most teams ask for a pentest when they want continuous assurance, or a red team when they want a pentest. We help you pick the right mode and the right stream for the question you are trying to answer.
Continuous Internal Pentest
Run as part of your CaaS engagement. AI scans your live surface, our red team verifies, fixes ship as pull requests against your repo.
- Cadence: always on · in scope
- Findings: delta per sprint
- Scope: all internal-stream surfaces from the list above
- Use case: continuous assurance · drift detection · pre-release checks
External Pentest (third party)
Independent assessment by a vetted partner firm. The report you hand to your auditor when SOC 2, ISO or PCI requires arm's length verification.
- Cadence: 3 to 6 weeks
- Findings: 12 to 30 typical
- Scope: public IPs, web apps, APIs, partner endpoints
- Use case: SOC 2 evidence · PCI ASV/QSA · ISO Stage 2
Full Red Team
Adversary simulation against the full organization, run by a partner firm that has not previously remediated your environment. SOC measured under real conditions.
- Cadence: 6 to 10 weeks
- Findings: 5 to 15 high signal
- Scope: everything, including humans and physical
- Use case: board-level assurance · post-incident validation
The firms we route to. When independence matters.
We do not white-label. The partner firm signs the report under their letterhead, owns the relationship with your auditor and bills you directly. We handle the administrative work and the post-engagement remediation so you do not have to vet, scope and project-manage a third vendor.
Boutique offensive security firms
Three to ten engineer teams, OSCP / OSEP / OSWE deep stacks. We use them when you need a senior, hands-on red teamer running the whole engagement.
PCI ASV / QSA aligned firms
Approved Scanning Vendors and Qualified Security Assessor companies. Their attestation is what your acquiring bank or QSA actually accepts.
Cleared red team operators
For regulated industries needing adversary simulation under tighter governance. Partner firms with formal blue team coordination protocols.
A note on naming. We do not publish the partner roster. Each engagement gets two or three matched firms with relevant industry, scope and certification fit. You pick the one whose chemistry lands.
Anonymized. But the criticals are real.
Customer logos stay private by default. The findings, the durations and the outcomes are exactly as recorded.
Auth bypass via JWT key confusion in payments API
Critical patched in 4 days, two related logic flaws closed alongside, SOC 2 audit on schedule.
Tenant isolation break in shared microservice
Architecture rewrite proposed, scoped and shipped under the same engagement. PHI containment verified end to end.
Phishing payload reached an AD admin; full domain control on day 11
Partner firm delivered the formal report under their letterhead. We took the findings, tuned SOC detection, and permanently closed two privilege paths.
Built by practitioners. Not just consultants.
The grid below is the certification floor across the in house team. Partner firms in the network meet at minimum the same floor and add jurisdiction specific accreditations (ASV, QSA, regional CPA equivalents) where required.
What ends with a clean repo. Not a 200 page PDF.
AI plus human verification
AI maps surface and proposes candidate findings. Certified red teamers verify each one before it reaches your queue. You never see a noisy false positive list.
Continuous, not annual
Internal stream runs as a programme, not a once-a-year report. New endpoints get tested as they ship. Findings are deltas, not fire drills.
Remediation in scope
Internal-stream issues land as pull requests against your repo. For partner-stream findings, we take the report and close the gaps under the same CaaS engagement.
Independence when you need it
Auditors increasingly ask whether your pentest firm is the same as your remediator. Saying no, with named partner firms, removes the question before it gets asked.
Ready to test your defenses?
Send us your scope or just tell us where the auditor is pushing back. We come back with a recommended stream (internal or partner), a duration window and a price range within 24 hours. Under NDA from the first email.