Find your vulnerabilities before someone else does.
Manual penetration testing by senior practitioners who have tested critical systems for Israeli banks, the Prime Minister’s Office, and Iron Dome. Real attackers, real findings, written for executives and engineers.
Six attack surfaces. One report your board can read.
Each engagement is scoped to one or more of these surfaces. We don’t run scanners and rebrand the output, every finding is manually validated by a senior tester before it reaches your report.
Authenticated and unauthenticated testing.
OWASP Top 10 plus business-logic flaws scanners miss. Session handling, authorization, API endpoints, file uploads, payment flows. We test the things attackers actually exploit in production.
Internal and external network testing.
Perimeter, segmentation, lateral movement paths, privilege escalation. We map your network the way an attacker who got in would, and report the chain, not just the endpoints.
AWS, Azure, GCP, IAM, network, data layers.
Misconfigured IAM policies, exposed S3 buckets, overly permissive security groups, weak KMS rotation. Tested against the threat models specific to your industry.
iOS and Android, runtime, storage, communication.
OWASP MASVS-aligned testing. Reverse engineering, local storage analysis, jailbreak/root detection, certificate pinning bypass, intent injection on Android.
REST, GraphQL, gRPC. Authentication and authorization at scale.
Token handling, scope enforcement, rate limiting bypass, mass assignment, IDOR. Tested with realistic load and edge cases, not just happy-path queries.
Phishing, vishing, physical access (when in scope).
Tailored campaigns that simulate real attacker tactics, not generic templates. Includes employee susceptibility metrics and remediation training recommendations.
How we engage.
A typical engagement takes 3-6 weeks from kickoff to final report. We work transparently, your team sees what we’re doing as we do it, not weeks later in a static document.
Discovery, threat modeling, and authorization.
We start with a scoping call to understand your stack, your concerns, and your business context. We agree on which systems are in scope, when we test, what we do if we find something critical mid-engagement, and how we handle emergency contact.
- Asset inventory and architecture review
- Threat model aligned to your industry and regulators
- Written rules of engagement and emergency contact protocol
- NDA and master services agreement (if not already in place)
Manual testing, exploit validation, lateral movement.
Senior testers run the engagement. We use automated tooling for reconnaissance and coverage, but every finding is manually verified before it goes into your report. We share critical findings in real time, you don’t wait until the report to learn that something is exploitable in production.
- Daily standups with your security lead (optional)
- Real-time disclosure of critical findings via secure channel
- Proof-of-concept exploits where appropriate (sanitized, never destructive)
- Lateral movement and privilege escalation testing
Two reports, two audiences.
You get an executive summary for the board (5-7 pages, business impact framing, prioritized roadmap) and a technical report for your engineers (detailed findings, reproduction steps, code-level remediation guidance, references to CWE/CVE/OWASP). We walk both through on a debrief call.
- Executive summary with business risk and remediation prioritization
- Technical report with full reproduction and remediation guidance
- Live debrief with both audiences (separately or together)
- Free 30-minute follow-up 90 days after report delivery
What you actually get.
Concrete deliverables. Not vague “advisory hours” or token tools you’ll never use.
Executive report
5-7 pages, board-ready. Findings ranked by business impact (not just CVSS). Includes a remediation roadmap with effort estimates so your team can plan the next quarter.
Technical report
40-150 pages depending on scope. Every finding includes screenshot evidence, reproduction steps, affected components, root cause analysis, and specific code-level remediation guidance.
Real-time critical alerts
If we find something critical mid-engagement, you hear about it within hours via your designated emergency channel. You’re not waiting for the report.
Remediation verification
Once you’ve fixed findings, we re-test the specific items at no additional cost (within 90 days). Your auditors get confirmation that remediation actually closed the gap.
Live debrief calls
One executive debrief, one technical debrief. We answer questions, walk through nuances, and connect findings to your existing security roadmap. Recorded if requested.
90-day follow-up
One free 30-minute consultation 90 days after the report. Useful for triaging new findings, scoping the next engagement, or briefing a new CISO on the prior report.
Questions we hear constantly.
How much does a typical engagement cost?
A focused web application test runs $15-25K. A full-spectrum engagement (web + network + cloud + mobile) runs $40-80K. Pricing depends on scope, scale, and timeline. We provide a fixed quote after a 30-minute scoping call.
Can you sign an NDA before we tell you what we have?
Yes. We sign mutual NDAs before any meaningful scoping conversation. We’ve worked under high-clearance arrangements for Israeli government agencies, your standard NDA is not going to be a problem.
How do you handle findings during the engagement?
Critical and high-severity findings are disclosed to your designated security contact within 24 hours of discovery. Medium and low findings accumulate in the final report. You define what constitutes “critical” during scoping, usually anything affecting production data integrity or active exploitation.
Will you test our production environment?
If you authorize it, yes. We have testing protocols specifically for production environments (off-hours testing windows, throttled requests, no destructive payloads, monitoring coordination with your SOC). Most clients prefer staging for initial engagements and production for retests.
Do you certify our compliance after testing?
We provide attestation letters that auditors and regulators accept for SOC 2, ISO 27001, PCI-DSS, and DORA requirements. The letter confirms scope, testing dates, methodology, and a high-level summary of findings and remediation status.
What’s your turnaround on the final report?
5-10 business days from the end of active testing. We don’t rush, the report is the deliverable. Rushed reports get bounced back by auditors and frustrated engineers.
Start with a scoping call.
30 minutes. We’ll understand your environment, ask a few questions about the threat models that worry you, and send a fixed quote within two business days.
