External network pentest
Internet-perimeter assessment per PTES + NIST SP 800-115: enumeration, vulnerability analysis, manual exploitation of exposed services, credential attack chains, and the breach scenario your CISO needs to see written down.
Services
Manual penetration testing by OSCP/OSCE/CREST-credentialled testers against the standards your auditors and customers actually expect: PTES methodology, OWASP ASVS L1–L3 for web, OWASP MASVS for mobile, OWASP API Security Top 10 2023, CIS Benchmarks for cloud. Every finding scored on CVSS v4.0 with business-risk context, a board-readable executive summary, JIRA-importable remediation tracker, and a free retest within 90 days. Reports designed for SOC 2 CC4/CC7 evidence, PCI DSS Req 11.4, HIPAA §164.308(a)(8), EU AI Act Article 15 and DORA TLPT. Tests from 5,500 EUR.
Named OSCP/OSCE/CREST-led testers, not just scanners · GDPR-aligned · ISO 27001 ready · SOC 2 Type II in progress · HIPAA-capable · CET workday with 9 AM–1 PM ET overlap
Automated scanners catch the noise; humans catch the bugs that ship. Our engagements are manual, hypothesis-driven, and follow PTES (Penetration Testing Execution Standard) end-to-end — pre-engagement, intelligence, threat modelling, vulnerability analysis, exploitation, post-exploitation and reporting. Every finding ships with a working PoC, a CVSS v4.0 vector that includes Threat and Environmental metrics, and a remediation block your developers can ticket on Monday morning. Reports survive enterprise procurement, audit fieldwork and cyber-insurance underwriting because the methodology is documented and the testers are named.
Internet-perimeter assessment per PTES + NIST SP 800-115: enumeration, vulnerability analysis, manual exploitation of exposed services, credential attack chains, and the breach scenario your CISO needs to see written down.
OWASP ASVS L1/L2/L3 coverage: authentication, session, access control (including BOLA/IDOR), input validation, business logic abuse, file handling, API surface, and the OWASP Top 10 2021 ten chapters with active exploitation.
OWASP MASVS coverage with MASTG test cases: platform interaction, data storage, cryptography, network, authentication, code quality, resilience (root/jailbreak detection, anti-debug), and the IPA/APK static + dynamic analysis your store reviewers also do.
OWASP API Security Top 10 2023: BOLA (API1), Broken Authentication (API2), BOPLA (API3), Unrestricted Resource Consumption (API4), BFLA (API5), SSRF (API7), Security Misconfiguration (API8), Improper Inventory Management (API9). REST, GraphQL and gRPC.
AWS/GCP/Azure against CIS Benchmarks plus the provider Well-Architected Framework security pillar: IAM, encryption, logging, network exposure, secret management, container/serverless config, and the cross-account/cross-tenant boundary review.
Executive summary, methodology with PTES phases and ASVS/MASVS/API Top 10 chapters cited, findings with CVSS v4.0 vectors and PoC, attack narrative, JIRA-importable remediation tracker, and one free retest within 90 days with reissued clean letter.
Week 0: scoping call, signed Rules of Engagement (target list, allowed techniques, time windows, emergency contacts), test accounts provisioned, source-code access for grey/white-box where in scope.
Days 1–N: PTES-driven manual testing with named lead and shadow tester, daily status updates, immediate notification of any Critical finding with a working PoC, screenshot evidence captured throughout.
Within 5 business days of test end: draft report, technical debrief call with engineering, executive debrief with leadership, final report shipped as PDF + JIRA-importable CSV remediation tracker.
Within 90 days: free retest of every High and Critical finding, clean retest letter reissued for hand-off to procurement/auditor. Annual bundles add quarterly cadence and continuous retest per quarter.
Which test you need — and which standard it is scoped against — depends on the regulated data your product handles and the auditors your customers answer to. These are the segments we scope and test for.
Payments, lending and neobanks where a pentest is graded against PCI DSS Req 11.4.3/11.4.5 segmentation and, for significant financial entities, EU DORA Threat-Led Penetration Testing (TLPT), CBEST and TIBER-EU. We scope threat-led engagements the way your regulator and QSA expect. See FinTech.
FinTech engineering →Healthcare and other custodians of sensitive records, where a pentest is the de-facto evidence for the HIPAA §164.308(a)(8) periodic technical evaluation. Web app testing runs to ASVS L3 for high-assurance data, with findings traceable to the safeguards your auditor cites. See HealthTech.
HealthTech engineering →Multi-tenant SaaS where BOLA/IDOR and broken tenant isolation are the findings that matter, and the report doubles as SOC 2 CC4.1 monitoring and CC7.1 vulnerability-identification evidence for your Type II audit. Authenticated multi-role testing across tenant boundaries. See SaaS Development.
SaaS architecture →Five business days testing + report. Internet-perimeter scope, up to ~50 hosts, PTES methodology, CVSS v4.0 scoring, executive + technical report, free retest within 90 days. 5,500 EUR.
Eight business days. Single web application, OWASP ASVS L2 default (L3 +30%), authenticated multi-role testing, full OWASP Top 10 + business logic, report and retest included. 8,500 EUR.
Seven business days, single platform (iOS or Android). MASVS L1+R, static + dynamic analysis, runtime instrumentation (Frida/Objection), report and retest. Both platforms together: 13,500 EUR. Single: 7,500 EUR.
Six business days. Single API surface (REST/GraphQL/gRPC), OWASP API Security Top 10 2023, authenticated multi-role testing, report and retest included. 6,500 EUR.
Six business days. Single AWS, GCP or Azure account, CIS Benchmark + Well-Architected security pillar, IAM/encryption/logging/network review, hardening backlog. 7,000 EUR.
Any combination of four tests across the year with priority scheduling, continuous retest within each quarter, year-end executive summary across all engagements, named relationship lead. 22,000 EUR/year.
Threat-Led Penetration Testing (DORA TLPT, CBEST, TIBER-EU) and red team engagements quoted separately on a custom-scope basis. NDA and signed Rules of Engagement before any testing begins.

Annual pentest evidence packaged for CC4.1 monitoring and CC7.1 vulnerability identification — report accepted by every major audit firm.
Read more →
Annual external/internal pentest per Req 11.4.3 and segmentation testing per Req 11.4.5 — scoped and reported the way your QSA expects.
Read more →
§164.308(a)(8) technical evaluation evidence, with findings traceable to Security Rule safeguards and OCR-defensible remediation tracking.
Read more →GDPR-aligned · ISO 27001 ready · SOC 2 Type II in progress · HIPAA-capable · OSCP/CREST-led
Every engagement is led by a named OSCP/OSCE/CREST-credentialled tester. Automated scanners run in support to maximise coverage, but the findings that matter come from manual hypothesis testing and chained exploitation.
PTES-cited methodology, OWASP standard chapters, CVSS v4.0 vectors, named testers and credentials, retest letter format that maps to SOC 2 / PCI / HIPAA evidence requirements. No back-and-forth with the audit firm.
Findings are written for the developer who has to fix them: minimal repro, root-cause analysis, code-level guidance, JIRA-importable. Engineering teams close findings instead of arguing with the report.
For continuous assurance, the annual bundle pairs you with a relationship lead who learns your stack across the year — each quarter's test builds on prior findings rather than restarting from scratch.
Our iOS and Android apps had diverged over years of separate development. YuSMP rebuilt a single unified solution with live camera feeds, smart-home device control, and role-based multi-user access. Zero critical defects in the first six months post-launch.
Privacy apps live and die by trust. YuSMP built a no-logs WireGuard implementation with a server latency map, one-tap connect, and kill switch — every feature we had promised users. Apple review approved on the first submission.
It depends on your attack surface. External network pentest (PTES methodology, NIST SP 800-115) covers internet-exposed infrastructure — DNS, mail, perimeter services, exposed admin interfaces. Web app pentest covers your application logic and is scoped against OWASP ASVS (Application Security Verification Standard) L1 for opportunistic threats, L2 for most SaaS applications handling sensitive data, L3 for high-assurance (healthcare, fintech, defence). Mobile pentest follows OWASP MASVS (Mobile ASVS) covering platform (iOS/Android) controls, network, cryptography, auth and code quality. API pentest follows the OWASP API Security Top 10 2023 (BOLA, broken auth, BOPLA, unrestricted resource consumption, etc.) and tests authn/authz at the request level. Cloud config audit reviews AWS/GCP/Azure against CIS Benchmarks plus provider-specific Well-Architected Framework security pillar. Most SaaS need web app + API + cloud config annually; mobile if you ship a mobile app.
Our lead testers hold a combination of OSCP (Offensive Security Certified Professional — practical 24-hour exam), OSCE/OSEP (more advanced exploitation), CREST CRT/CCT (UK industry-recognised, accepted by HMG and Bank of England CBEST), and where relevant CISSP for the senior advisor role. Why it matters: an OSCP-holder has demonstrably exploited multi-host environments under time pressure; an automated scanner has not. Enterprise procurement, Bank of England CBEST, EU TIBER-EU, and most cyber-insurance underwriters now ask for named credentialed testers on the engagement, not just a firm's marketing claim of 'certified professionals'.
Every finding is scored on CVSS v4.0 (the current FIRST-published vector that includes Threat and Environmental metrics, plus the Safety/Automated/Recovery extensions). We also assign a contextual business risk rating because CVSS alone misses tenant isolation and data-classification context. The report contains: an executive summary readable by the board, a methodology section citing PTES phases and the ASVS/MASVS/API Top 10 chapters tested, a findings section with reproduction steps, CVSS vector, business impact, and prioritised remediation, an attack narrative reconstructing the path an attacker would take, and an appendix of testing evidence. We also deliver a remediation tracker as JIRA-importable CSV.
Yes — every engagement includes one free retest within 90 days of the report. We re-execute the proof-of-concept for every High and Critical finding, verify the fix, and reissue a clean retest letter you can hand to enterprise procurement or an auditor. Out-of-scope retests (more than 90 days, or expanded scope) are quoted at 30% of the original engagement. For continuous assurance, the annual 4-test bundle includes quarterly cadence and continuous retest within each quarter.
SOC 2 expects a regular pentest as evidence for CC4.1 monitoring and CC7.1 vulnerability identification; our reports are accepted by every major audit firm. PCI DSS v4.0.1 Req 11.4.3 requires annual external/internal penetration testing plus after any significant change; Req 11.4.5 requires segmentation testing (annual merchants, every 6 months service providers). HIPAA does not name 'penetration test' explicitly but §164.308(a)(8) requires periodic technical evaluation — pentests are the de-facto evidence. EU AI Act Article 15 requires accuracy, robustness and cybersecurity testing; DORA (Regulation (EU) 2022/2554) imposes Threat-Led Penetration Testing (TLPT) on significant financial entities from January 2025. We map every finding to the relevant control so the report does double duty in audits.
Per-engagement pricing. External Network Pentest is 5,500 EUR (5 business days testing + report) — internet-perimeter scope, up to ~50 hosts. Web Application Pentest is 8,500 EUR (8 days) — single application or tightly scoped multi-app, ASVS L2 by default. Mobile Application Pentest is 7,500 EUR (7 days) — iOS or Android, MASVS L1+R; both platforms quoted together at 13,500 EUR. API Pentest is 6,500 EUR (6 days) — single API surface, OWASP API Top 10 2023. Cloud Configuration Audit is 7,000 EUR (6 days) — single AWS/GCP/Azure account, CIS Benchmark + provider Well-Architected security pillar. Annual 4-test Bundle is 22,000 EUR — any combination of four tests through the year with priority scheduling, continuous retest, and a year-end executive summary across all engagements. Free retest within 90 days included on every engagement.
Practical guides on application security, compliance audits, and data protection.




Share a few details and a senior consultant will reply within one business day.