01 / TEST
We break in on paper, so no one breaks in for real.
Hands-on penetration testing of your applications, APIs, cloud, and networks by senior engineers. You get the exact path we took, ranked by real risk, with a clear fix for each finding.
WHAT THIS IS
A real attacker's attempt, run by people on your side.
A penetration test is not a scan. A scanner flags a list of maybes; a tester decides what is actually exploitable, chains it together the way a real attacker would, and shows you how far it goes. That is the difference between a report you can trust and a list you have to triage yourself.
We test manually, against your real systems, with agreed rules of engagement. Every finding is something we reached, not something a tool guessed. That is what makes the result worth handing to a customer or a board.
WHAT WE TEST
Six surfaces, one engagement.
Web applications
Auth, access control, injection, and business-logic flaws in your web apps.
APIs
REST and GraphQL endpoints, token handling, broken object-level authorisation.
Mobile
iOS and Android apps, local storage, certificate pinning, API misuse.
Cloud
AWS, Azure, and GCP configuration, IAM, exposed services and buckets.
Infrastructure & network
External and internal network surface, segmentation, exposed services.
Source & architecture review
Reading the code and the design, not just probing the surface.
WHAT YOU RECEIVE
A report two audiences can actually use.
Executive summary
One page, plain language. Risk posture, the headline issues, and what they mean for the business. The part your board and your customers read.
Technical findings
Each issue with severity, evidence, reproduction steps, and impact. Ranked so your team knows what to fix first, not just everything at once.
Remediation guidance
A specific fix for each finding, not "consult a specialist". Written by people who have shipped the kind of code that needs fixing.
A debrief, not just a document
We walk your team through the findings live, answer questions, and make sure the priorities are understood before you start fixing.
WHO THIS IS FOR
You probably need this if...
- A customer or investor is asking for a recent penetration test report.
- You are about to ship something that touches money, health, or personal data.
- You have never had an independent test, or the last one was over a year ago.
- You need evidence for SOC 2, ISO 27001, or a security questionnaire.
COMMON QUESTIONS
Before you ask on the call.
How long does a penetration test take?
It depends on scope, but most engagements run from a few days to a few weeks. We agree the timeline with you in the scoping call so it fits your release schedule.
How do you price an engagement?
We work on a day-rate basis, scoped to what needs testing. After a short scoping call we tell you the effort involved and the cost before anything starts, so there are no surprises.
Will it disrupt our production systems?
No. We agree rules of engagement before we start, including what is in scope, what is off-limits, and when we test. Where needed we work against staging or in agreed windows.
What do we need to provide?
Access to the systems in scope and a point of contact. For some tests, credentials or a staging environment. We tell you exactly what we need in the scoping call.
Do you only test, or can you help fix it too?
Both. Because we are builders across our software and AI arms, we can advise on or implement the fix, not just point at it.
START HERE
Not sure what needs testing? That's the first call.
Tell us what you are building. We will scope the right test, explain the effort involved, and tell you what to expect.