OSCP / OSCE / CRTO testers · 24/7/365 · US-based

Penetration testing that finds the holes before your auditor or attacker does

External and internal network. Web app and mobile. Social engineering. Assumed-breach red team. Hands-on-keyboard testers with OSCP / OSCE / CRTO. Letter of attestation in 5 business days, full report in 10.

5 day letter of attestation · 412 engagements this year · 94% find a critical or high · 100% include retest

No NDA needed for the scoping call. Lead tester named before you sign. Fixed-fee quote in 48 hours.

  • 412 engagements delivered this year, all sectors
  • 94% of engagements find a critical or high finding
  • 5-day letter of attestation turnaround, every engagement
  • 100% include a free retest within 90 days of report

Engagement tiers

Three engagement shapes. Fixed-fee. The retest is already in the price.

Same testers, same methodology (PTES + OWASP + MITRE ATT&CK), same deliverable format. The only difference is scope. Pick what your audit, insurance carrier, or customer questionnaire actually requires.

External Pen Test
For the carrier renewal questionnaire and the SOC 2 perimeter requirement.
$4,800/engagement
One /24 + 5 web targets · attestation in 5d
  • One /24 IPv4 range scoped (256 hosts) plus 5 named web targets
  • Manual exploitation against perimeter services, exposed admin panels, weak TLS, default creds
  • OSINT pass: leaked creds (HIBP, dehashed), exposed git, GitHub recon, S3 buckets
  • Letter of attestation on letterhead in 5 business days
  • Full technical report (CVSS 3.1 ranked, reproduction steps, screenshots) in 10 business days
  • Free retest of every critical and high within 90 days
Red Team Engagement
For mature security teams that want to test the SOC, not just the firewall.
Custom
Assumed-breach · 4 to 6 weeks
  • Assumed-breach scenario: a workstation we control is your starting point
  • MITRE ATT&CK aligned, mapped to your detection coverage at the technique level
  • Full kill-chain: initial access, execution, persistence, privilege escalation, lateral movement, collection, exfil
  • Custom C2 (Sliver or Cobalt Strike) tuned to evade your specific EDR stack
  • Purple-team debrief with your blue team after the engagement closes
  • Detection-gap report mapped to MITRE ATT&CK Navigator
The tooling our testers actually use · no black-box mystery scanners
  • Burp Suite Pro: Web app
  • Cobalt Strike: Red team C2
  • Sliver: Open-source C2
  • Metasploit: Exploitation
  • Nessus Pro: Vuln baseline
  • BloodHound: AD attack path
  • Impacket: Windows protocols
  • Mimikatz: Credential access
  • Nuclei: Templated checks
  • ffuf: Content discovery
  • gobuster: Dir / DNS brute
  • Wireshark: Packet analysis
Coverage matrix · what each test scope actually does

Seven test scopes. Real exploit techniques. Hit rates we measure across every engagement.

"Pen test" gets thrown around to mean a Nessus scan with a logo on the cover. Here's exactly what each scope on our menu means, what we exploit, what we find, and what you get back.

| Test scope | What we exploit | Sample finding rate | Deliverable |
|---|---|---|---|
| External network | Perimeter mis-config, exposed services, default creds, leaked OSINT keys | 73% find a critical | IPv4-mapped finding report + attestation letter |
| Internal network | AD weak ACLs, Kerberoastable accounts, NTLM relay, LLMNR poisoning, SMB signing | 88% reach domain admin | BloodHound attack-path graph + remediation playbook |
| Web app (OWASP Top 10) | IDOR, auth bypass, SSRF, injection, broken session management, deserialization | 91% find a critical | Per-endpoint finding report with reproduction steps |
| Mobile (iOS / Android) | Insecure local storage, weak crypto, deeplink abuse, certificate pinning bypass, IPC abuse | 84% find a high or critical | OWASP MASVS-aligned report |
| Social engineering | Phishing, vishing, pretext calls, USB drops, physical follow-on (where scoped) | 38% click rate average | Awareness-gap report with named users opted out |
| Assumed-breach red team | Lateral movement, credential dumping, persistence, defense evasion, exfiltration | 96% reach domain admin | MITRE ATT&CK kill-chain + detection-gap map |
| Wireless | Rogue AP, WPA2 EAP cracks, evil-twin captive portals, BLE / Zigbee attacks | 64% find a high or critical | Wireless posture report with channel and SSID inventory |

Every engagement starts with a written rules-of-engagement doc, scope sign-off, and a stop-test contact on both sides. Ask for a redacted sample report and ROE template.

Engagement case file · anonymized

One Kerberoastable service account. Eleven minutes from foothold to domain admin.

A 220-employee healthtech in Boston needed an external + internal + web-app test for SOC 2 Type II readiness. Here's what we found, when we found it, and what they fixed before the audit. Names changed, timing real.

SOC 2 readiness · Critical findings · Closed

"Northbridge Health Analytics" · 220 employees · Boston, MA

Engagement window: 9 business days · scope: external + internal + 2 web apps · methodology: PTES + OWASP + MITRE ATT&CK
  1. Day 1: Rules of engagement signed. Scope confirmed: /24 external range, internal access via planted appliance, two patient-portal web apps. Stop-test contact named on both sides.
  2. Day 2: External recon: 5 hosts exposed beyond the documented scope. OSINT surfaces a leaked Bitbucket access token in a public Stack Overflow answer from 2023.
  3. Day 3: Critical web finding: auth bypass on the patient-portal admin endpoint. A crafted JWT with alg:none grants access to any patient record. Reported same day to client.
  4. Day 4: Internal kickoff. Planted appliance dropped into the corporate VLAN. Initial enumeration shows SMB signing not enforced on 41 hosts and IPv6 relay attack surface wide open.
  5. Day 4 + 11min: Domain admin reached. Kerberoasted a service account with a weak password (Welcome2023!), cracked offline in 90 seconds, account had nested Domain Admins via legacy group membership.
  6. Day 7: Mobile patient-portal app tested. Two highs (insecure local storage of session token, missing certificate pinning). Letter of attestation drafted.
  7. Day 9: Engagement closed. Letter of attestation delivered. Full report (1 critical, 4 highs, 9 mediums, 14 lows) delivered with reproduction steps and remediation guidance.
  8. Week 6: Retest run on all critical and high findings. All 5 closed. Updated attestation letter delivered. Audit landed clean two weeks later, zero pen-test-related findings on the SOC 2 report.
Outcome: 1 critical and 4 highs caught and closed before the auditor walked in. SOC 2 Type II report issued with no pen-test findings carried forward. Total client-side time on remediation: two weeks of one engineer. Insurance renewal premium dropped 11 percent the following quarter.
Compliance and certification mapping

Our reports satisfy the frameworks your auditor and your insurance carrier actually score against.

Every letter of attestation cross-references the controls you're being tested on, so your evidence binder doesn't need a translation layer. Below is the short list. The proposal includes the full mapping.

PCI-DSS Req 11.3
Annual penetration testing of cardholder data environments and segmentation validation.
SOC 2 Type II
CC4.1 control testing evidence and CC7.1 vulnerability management. Auditor-accepted attestation format.
HIPAA Security Rule
45 CFR 164.308(a)(1)(ii)(A) risk analysis and (B) risk management, evaluation testing.
CMMC AC-11
110 NIST 800-171 controls plus access-control testing for DoD subcontractors. We are a registered RPO.
NIST 800-53 CA-8
Penetration-testing control for federal systems and FedRAMP-adjacent vendors.
OSCP-tested
Every lead tester holds Offensive Security Certified Professional at minimum. OSEP and OSCE on senior staff.
CREST registered
Firm-level CREST registration. Test plans align to the CREST Penetration Testing Methodology.
Cyber Essentials Plus
Aligned to the UK Cyber Essentials Plus testing scheme for clients with EU and UK customers.
The humans behind the keyboard

Your engagement is delivered by named, US-based testers. No overseas tier-one wall.

Our pen-test team is in-house across Tampa, Orlando, Chicago, Atlanta, and Detroit. Every lead holds OSCP at minimum. Senior testers carry OSCE and CRTO. The lead for your engagement is named in your scoping call.

  • Priya Venkatesh · Lead Pen Tester · Tampa · OSCP, OSCE, CRTO, GCFA
  • Marcus Chen · Red Team Operator · Atlanta · OSEP, CRTO, CRTP
  • Miguel Santos · Web App Lead · Orlando · OSWE, GWAPT, CISSP
  • Aisha Khan · Mobile & Social Engineer · Orlando · GMOB, GPEN, GCTI
  • Deandre Williams · Compliance Mapping · Chicago · CISA, CISM, PCI QSA
  • Jordan Reyes · Engagement Manager · Tampa · OSCP, CISA, PMP
FAQ · the ones that actually block the sale

Five questions. Honest answers.

What's the difference between a vuln scan and a real pen test?

A vulnerability scan is automated. Tools like Nessus, Qualys, or Rapid7 fingerprint your hosts and report known CVEs. A pen test is a human, with hands on keyboard, chaining those findings into actual exploitation.

Scans tell you "this version of OpenSSL has CVE-2024-XXXX." A pen test tells you "we used that CVE to land on a jumphost, pivoted to your domain controller via a Kerberoastable service account, and pulled the password hashes in 11 minutes." Auditors and cyber insurance carriers no longer accept a Nessus PDF. They want the manual report and a letter of attestation signed by an OSCP-certified tester.

Will you crash production?

No. Every engagement starts with a written rules-of-engagement document signed by your team. We agree on the scope, the testing windows, the escalation path, and a stop-test contact on both sides.

Default behavior: no denial-of-service traffic, no destructive payloads, no exploitation of fragile legacy systems without explicit approval. Web app testing is rate-limited to avoid filling logs. Internal testing in production environments is run during change windows you pick. In 412 engagements this year we have not caused a single production outage.

How is your team certified?

Every lead tester holds OSCP at minimum. Senior testers carry OSCE and OSEP. Red team operators hold CRTO and CRTP. We are also a CREST-registered firm and our principal consultant chairs the local OWASP chapter.

We do not sub-contract to overseas testing pools. Every engagement is delivered by a US-based, badged employee. The lead tester for your engagement is named in your scoping call before you sign anything.

Will the report satisfy our cyber insurance carrier and SOC 2 auditor?

Yes. Our deliverable is a two-part package. First, a letter of attestation on our letterhead, signed by the lead tester, dated, stating the scope tested and the testing methodology (PTES, OWASP, MITRE ATT&CK). This is what insurance carriers and SOC 2 auditors put in evidence binders.

Second, the full technical report with findings ranked by CVSS 3.1, reproduction steps, screenshots, and remediation guidance. We have delivered reports cleared by Coalition, At-Bay, Travelers, Chubb, and AIG, and by SOC 2 audit firms including A-LIGN, Schellman, Prescient, and Sensiba.

What's included in the retest?

Every engagement includes one free retest of every critical and high finding, redeemable within 90 days. We re-run the exact exploitation chain for each fixed finding, confirm the patch worked, and update the report and attestation letter.

If a finding is downgraded or closed, the new letter reflects that. The retest is scoped to the original findings, not a second full assessment. About 87 percent of our clients pass retest on the first attempt.

Find the path to domain admin before someone else does.

Our pen testers find a critical or high in 94 percent of engagements. The fix list lands on your desk in 10 business days, with a letter of attestation already on your auditor's stack. Free retest included for every critical and high.

Schedule my pen-test scoping call · Or call (888) 574-5120