Penetration Testing

Finding what your compliance audit misses.

From web and API to mobile, IoT, cloud and AI/LLM. Senior-led, manual testing against OWASP standards — grounded in a decade of running large-bandwidth pentest programmes wired into ISMS workflows.

Who we work with

Teams under regulatory pressure and real adversary risk.

Banks & Asset Managers
BaFin expectations, DORA Art. 24/25, TIBER preparation.
Insurers & Healthcare
Patient data, critical infrastructure regulation, portals with high abuse potential.
Industry & OT-adjacent IT
TISAX, NIS2, IT/OT boundary, firmware for connected products.
SaaS & E-Commerce
Enterprise deals require independent evidence of testing.
Enterprises with an ISMS
ISO 27001 A.8.29, continuous testing baked into the annual plan.
AI Product Teams
LLM apps, RAG pipelines, agents with tool calls.
Questions we hear

What CISOs, Heads of AppSec and product security ask us.

If any single one of these is open on your desk, we are the right team for a scoping call.

  • How do we make sure a test is truly manual and not just a repackaged scanner report?
  • How does the pentest fit into our SDLC without blocking releases?
  • How do we prove remediation to the auditor — not just the findings?
  • Who can realistically test our AI assistants when standard web testing finds nothing?
  • How do we scale pentesting across 200+ apps per year without losing quality?
  • How does this hook into our ISMS, risk register and Jira?
Test types

Nine test types — each senior-led.

Web Applications

OWASP WSTG · ASVS L1–L3

Manual testing per OWASP Web Security Testing Guide (WSTG) with verification against ASVS levels. Focus on business logic, broken access control and chained attacks scanners never see.

API

OWASP API Top 10 (2023)

REST, GraphQL, gRPC. Focus on BOLA, broken auth, rate-limit bypasses, mass assignment and SSRF across microservice chains.

Mobile Apps

OWASP MASVS · MASTG

iOS and Android per OWASP MASVS and MASTG. Static + dynamic, reversing, RASP bypass, certificate-pinning bypass.

IoT & Embedded

OWASP ISVS · IoTGoat · FW analysis

Firmware extraction, UART/JTAG, BLE/Zigbee/LoRa, hardware fault injection, testing aligned to OWASP IoT Security Verification Standard (ISVS) and IoT Top 10.

AI / LLM

OWASP AISVS · LLM Top 10

Prompt injection (direct & indirect), model DoS, training data poisoning, supply-chain models, agent tool abuse, data exfiltration via RAG. Verified against OWASP AI Security Verification Standard (AISVS) and OSAI-course topics.

Network & Infrastructure

Internal · External · Segmentation

External perimeter, internal movement, segmentation reviews, assumed-breach scenarios with clear success criteria.

Active Directory / Entra ID

Kerberoasting · BloodHound · Tier-0

AD CS misconfigs, ADFS, Entra ID federation, Conditional Access bypass, Tier-0 compromise paths and a hardening roadmap.

Cloud

AWS · Azure · GCP · K8s

IAM priv-esc, workload escape, Kubernetes, CI/CD supply chain, landing-zone review against CIS / CSA CCM baselines.

SAP

S/4HANA · BTP · RFC

SAP authorisations, RFC gateway, SAProuter, BTP integrations. Few providers do this — we do.

Standards & verification

We do not test on gut feel — we verify against recognised standards.

OWASP testing guides define how to test. OWASP verification standards (ASVS, MASVS, AISVS, ISVS) define the security level a system provably reaches. We combine both — for each asset type the matching guide plus the matching verification standard.

OWASP WSTG

Web testing guide — foundation of every web pentest.

OWASP ASVS

Application Security Verification Standard — L1/L2/L3 as a measurable target.

OWASP MASVS + MASTG

Mobile verification standard with matching test guide for iOS/Android.

OWASP API Top 10 (2023)

BOLA, broken auth, broken object property level authorization and more.

OWASP AISVS

Artificial Intelligence Security Verification Standard — controls for AI systems.

OWASP LLM Top 10

LLM01 prompt injection to LLM10 model theft — validated in practice.

OWASP ISVS

IoT Security Verification Standard for connected devices and firmware.

MITRE ATT&CK

TTP mapping for reports, detection engineering and purple-team handovers.

NIST SP 800-115 · PTES

Framework for scoping, execution and reporting.

AI & LLM pentesting

How to honestly test LLMs, RAG and agents.

Standard web testing finds almost nothing on AI applications. We combine OWASP AISVS and the LLM Top 10 with the attack classes taught in our OSAI course line — the same techniques we teach in training are applied to your systems here.

  • Direct & indirect prompt injection
  • Jailbreaks via multimodal inputs (image, audio, PDF)
  • Tool / function-calling abuse in agents
  • Data exfiltration from RAG contexts and vector stores
  • Supply chain: compromised models & adapters
  • Training / fine-tuning data poisoning
  • Model DoS, cost amplification, token flooding
  • Excessive agency & badly scoped guardrails
  • Sensitive-information leakage from system prompts
  • Model inversion & membership inference
Methodology

Clear phases. Clear handovers.

  1. 01 Scoping · threat model · rules of engagement
  2. 02 Recon · mapping · baseline
  3. 03 Manual testing · exploitation · post-exploitation
  4. 04 Verification against ASVS/MASVS/AISVS/ISVS levels
  5. 05 Report · debrief · remediation workshop
  6. 06 Retest & evidence for audit
Deliverables
  • Executive report for board & auditor
  • Technical report with PoC per finding
  • Risk-prioritised findings with CVSS + owner
  • MITRE ATT&CK mapping for detection engineering
  • Verification statement against ASVS/MASVS/AISVS
  • Remediation workshop with engineering
  • Retest & evidence pack for audit
Penetration Testing as a Service

We manage your pentest programme end to end — not just the fun part in the middle.

You have an ISMS. You know your applications and services. We help you define testing frequencies and structures: when is which app, service, or system up for testing? We plan the quarter ahead, align with your release cycles, and make sure nothing falls through the cracks.

Then we execute. And afterwards we help remediate: do you need further guidance? Are you ready for retesting? Where do findings go — into your risk register, Jira, or a black hole? We keep you auditable, from the first plan to the final evidence pack.

The PTaaS cycle
  1. 01 Planning · frequency · quarterly calendar · release alignment
  2. 02 Execution · senior-led testing against OWASP standards
  3. 03 Remediation support · guidance · retest readiness
  4. 04 Findings management · risk register · Jira · tracking
  5. 05 Audit evidence · consistent evidence with no rework
ISMS integration & scale

A decade of large pentest programmes — not a boutique experiment.

Our founders and senior operators previously ran large-bandwidth pentest service lines: hundreds of engagements per year, consistently plugged into ISMS, risk and audit processes. That operational track record is now our default — not the exception.

  • Findings straight into your risk register or Jira
  • Recurring test calendars in the annual plan
  • Consistent metrics across portfolios
  • Auditor-friendly evidence with no rework
ISO 27001 A.8.29

Security testing in the development lifecycle — documented and repeatable.

DORA / NIS2

Threat-led testing, critical assets, reporting chains, evidence trails.

TISAX / VDA ISA

Prototype protection, process maturity, clean evidence for OEM audits.

PCI DSS 4.0 · 11.4

Segmentation tests, external/internal pentests, remediation evidence.

Feedback from pentesting & red teaming

"It was incredible to see what the team still found. The internal network has been tested for years!"

German Asset Manager

"The red teaming result was an eye-opener — what is actually possible and how fast it works."

Municipal Utility

"Communication was the most important thing for us. Knowing at every point who does what and what happens next. That worked superbly."

RegTech / CapTech Provider
Engagement Models
One-Off

Classic, scoped pentest with retest.

PTaaS

Continuous testing with rolling findings instead of an annual snapshot.

Retainer

Day-budget on demand — fast slots, fixed contacts.

FAQ

Frequently asked pentest questions.

What sets you apart from a classic pentest vendor?+

A decade running large-bandwidth pentest service lines — 200+ engagements per year, wired directly into ISMS, risk-register and ticketing workflows. Every test is led by senior operators at OSCP/OSEP/OSWE/OSAI level, not sub-contracted to junior chains.

Is this a scanner report with a fancy cover page?+

No. Scanners are used only as mapping aids. The core of every report is manually verified, exploited findings with proof-of-concept, business impact and a concrete remediation path.

How do you even pentest an LLM or an AI agent?+

We follow OWASP AISVS and the LLM Top 10, extended with topics from our OSAI-led training line: prompt-injection chains, tool abuse in agents, RAG data leakage, model DoS, supply-chain attacks on models and adapters, guardrail bypass. We assess system architecture, not just individual prompts.

How does this integrate with our ISMS and annual planning?+

We have run pentest programmes for enterprises under ISO 27001, DORA, NIS2 and TISAX for years. Findings land with CVSS + owner in your risk register or Jira, retests are traceably documented, auditors receive consistent evidence without rework.

How quickly can you start?+

Typical scoping in 3–5 business days, start usually within 2–4 weeks. Retainer clients get slots significantly faster.

Do you test production or only staging?+

Both. For production we define safe rules of engagement, no-go zones and abort procedures. For destructive tests (fuzzing, DoS) we prefer staging with production-like data.

Are retests included?+

Yes — one verification retest within 60 days is part of every one-off pentest. PTaaS and retainers include retests on a rolling basis.