Finding what your compliance audit misses.
From web and API to mobile, IoT, cloud and AI/LLM. Senior-led, manual testing against OWASP standards — grounded in a decade of running large-bandwidth pentest programmes wired into ISMS workflows.
Teams under regulatory pressure and real adversary risk.
What CISOs, Heads of AppSec and product security ask us.
If any single one of these is open on your desk, we are the right team for a scoping call.
- How do we make sure a test is truly manual and not just a repackaged scanner report?
- How does the pentest fit into our SDLC without blocking releases?
- How do we prove remediation to the auditor — not just the findings?
- Who can realistically test our AI assistants when standard web testing finds nothing?
- How do we scale pentesting across 200+ apps per year without losing quality?
- How does this hook into our ISMS, risk register and Jira?
Nine test types — each senior-led.
Web Applications
Manual testing per OWASP Web Security Testing Guide (WSTG) with verification against ASVS levels. Focus on business logic, broken access control and chained attacks scanners never see.
API
REST, GraphQL, gRPC. Focus on BOLA, broken auth, rate-limit bypasses, mass assignment and SSRF across microservice chains.
Mobile Apps
iOS and Android per OWASP MASVS and MASTG. Static + dynamic, reversing, RASP bypass, certificate-pinning bypass.
IoT & Embedded
Firmware extraction, UART/JTAG, BLE/Zigbee/LoRa, hardware fault injection, testing aligned to OWASP IoT Security Verification Standard (ISVS) and IoT Top 10.
AI / LLM
Prompt injection (direct & indirect), model DoS, training data poisoning, supply-chain models, agent tool abuse, data exfiltration via RAG. Verified against OWASP AI Security Verification Standard (AISVS) and OSAI-course topics.
Network & Infrastructure
External perimeter, internal movement, segmentation reviews, assumed-breach scenarios with clear success criteria.
Active Directory / Entra ID
AD CS misconfigs, ADFS, Entra ID federation, Conditional Access bypass, Tier-0 compromise paths and a hardening roadmap.
Cloud
IAM priv-esc, workload escape, Kubernetes, CI/CD supply chain, landing-zone review against CIS / CSA CCM baselines.
SAP
SAP authorisations, RFC gateway, SAProuter, BTP integrations. Few providers do this — we do.
We do not test on gut feel — we verify against recognised standards.
OWASP testing guides define how to test. OWASP verification standards (ASVS, MASVS, AISVS, ISVS) define the security level a system provably reaches. We combine both — for each asset type the matching guide plus the matching verification standard.
Web testing guide — foundation of every web pentest.
Application Security Verification Standard — L1/L2/L3 as a measurable target.
Mobile verification standard with matching test guide for iOS/Android.
BOLA, broken auth, broken object property level authorization and more.
Artificial Intelligence Security Verification Standard — controls for AI systems.
LLM01 prompt injection to LLM10 model theft — validated in practice.
IoT Security Verification Standard for connected devices and firmware.
TTP mapping for reports, detection engineering and purple-team handovers.
Framework for scoping, execution and reporting.
How to honestly test LLMs, RAG and agents.
Standard web testing finds almost nothing on AI applications. We combine OWASP AISVS and the LLM Top 10 with the attack classes taught in our OSAI course line — the same techniques we teach in training are applied to your systems here.
- Direct & indirect prompt injection
- Jailbreaks via multimodal inputs (image, audio, PDF)
- Tool / function-calling abuse in agents
- Data exfiltration from RAG contexts and vector stores
- Supply chain: compromised models & adapters
- Training / fine-tuning data poisoning
- Model DoS, cost amplification, token flooding
- Excessive agency & badly scoped guardrails
- Sensitive-information leakage from system prompts
- Model inversion & membership inference
Clear phases. Clear handovers.
- 01 Scoping · threat model · rules of engagement
- 02 Recon · mapping · baseline
- 03 Manual testing · exploitation · post-exploitation
- 04 Verification against ASVS/MASVS/AISVS/ISVS levels
- 05 Report · debrief · remediation workshop
- 06 Retest & evidence for audit
- ▸ Executive report for board & auditor
- ▸ Technical report with PoC per finding
- ▸ Risk-prioritised findings with CVSS + owner
- ▸ MITRE ATT&CK mapping for detection engineering
- ▸ Verification statement against ASVS/MASVS/AISVS
- ▸ Remediation workshop with engineering
- ▸ Retest & evidence pack for audit
We manage your pentest programme end to end — not just the fun part in the middle.
You have an ISMS. You know your applications and services. We help you define testing frequencies and structures: when is which app, service, or system up for testing? We plan the quarter ahead, align with your release cycles, and make sure nothing falls through the cracks.
Then we execute. And afterwards we help remediate: do you need further guidance? Are you ready for retesting? Where do findings go — into your risk register, Jira, or a black hole? We keep you auditable, from the first plan to the final evidence pack.
- 01 Planning · frequency · quarterly calendar · release alignment
- 02 Execution · senior-led testing against OWASP standards
- 03 Remediation support · guidance · retest readiness
- 04 Findings management · risk register · Jira · tracking
- 05 Audit evidence · consistent evidence with no rework
A decade of large pentest programmes — not a boutique experiment.
Our founders and senior operators previously ran large-bandwidth pentest service lines: hundreds of engagements per year, consistently plugged into ISMS, risk and audit processes. That operational track record is now our default — not the exception.
- ▸ Findings straight into your risk register or Jira
- ▸ Recurring test calendars in the annual plan
- ▸ Consistent metrics across portfolios
- ▸ Auditor-friendly evidence with no rework
Security testing in the development lifecycle — documented and repeatable.
Threat-led testing, critical assets, reporting chains, evidence trails.
Prototype protection, process maturity, clean evidence for OEM audits.
Segmentation tests, external/internal pentests, remediation evidence.
"It was incredible to see what the team still found. The internal network has been tested for years!"
"The red teaming result was an eye-opener — what is actually possible and how fast it works."
"Communication was the most important thing for us. Knowing at every point who does what and what happens next. That worked superbly."
Classic, scoped pentest with retest.
Continuous testing with rolling findings instead of an annual snapshot.
Day-budget on demand — fast slots, fixed contacts.
Frequently asked pentest questions.
What sets you apart from a classic pentest vendor?+
A decade running large-bandwidth pentest service lines — 200+ engagements per year, wired directly into ISMS, risk-register and ticketing workflows. Every test is led by senior operators at OSCP/OSEP/OSWE/OSAI level, not sub-contracted to junior chains.
Is this a scanner report with a fancy cover page?+
No. Scanners are used only as mapping aids. The core of every report is manually verified, exploited findings with proof-of-concept, business impact and a concrete remediation path.
How do you even pentest an LLM or an AI agent?+
We follow OWASP AISVS and the LLM Top 10, extended with topics from our OSAI-led training line: prompt-injection chains, tool abuse in agents, RAG data leakage, model DoS, supply-chain attacks on models and adapters, guardrail bypass. We assess system architecture, not just individual prompts.
How does this integrate with our ISMS and annual planning?+
We have run pentest programmes for enterprises under ISO 27001, DORA, NIS2 and TISAX for years. Findings land with CVSS + owner in your risk register or Jira, retests are traceably documented, auditors receive consistent evidence without rework.
How quickly can you start?+
Typical scoping in 3–5 business days, start usually within 2–4 weeks. Retainer clients get slots significantly faster.
Do you test production or only staging?+
Both. For production we define safe rules of engagement, no-go zones and abort procedures. For destructive tests (fuzzing, DoS) we prefer staging with production-like data.
Are retests included?+
Yes — one verification retest within 60 days is part of every one-off pentest. PTaaS and retainers include retests on a rolling basis.