How We Work

Our Testing Methodology

A structured, repeatable process that ensures no attack vector is overlooked — from initial scoping to final re-test verification.

01

Reconnaissance

Information gathering & attack surface mapping

We begin with passive and active reconnaissance — mapping domains, subdomains, technologies, open-source intelligence (OSINT), leaked credentials, and cloud assets connected to your environment. Nothing that should be hidden is left unexamined.

DNS enumeration and subdomain discovery
Technology fingerprinting and version identification
OSINT: social media, job postings, GitHub leaks
Cloud asset discovery (S3 buckets, exposed APIs)

02

Threat Modelling

Prioritising attack vectors based on your risk profile

Using the reconnaissance data, we build a threat model specific to your application and business context. We identify the highest-value targets, most likely attacker motivations, and the attack paths that would have the greatest impact if exploited.

STRIDE and PASTA threat modelling frameworks
Attack path mapping and trust boundary analysis
Risk prioritisation by business impact
Scoping alignment with defender objectives

03

Active Testing

Manual and automated vulnerability testing

This is where the core engagement takes place. Our testers combine automated tooling with deep manual testing, probing every identified attack surface for vulnerabilities — authentication flaws, injection points, broken authorisation, logic errors, and beyond.

OWASP Top 10 and beyond — manual testing of each vector
Authenticated and unauthenticated testing profiles
Fuzzing of input fields, headers, and API parameters
Session management, CSRF, and cryptographic analysis

04

Exploitation

Safe proof-of-concept exploitation to prove real impact

We safely exploit confirmed vulnerabilities to demonstrate their real-world impact. This goes beyond a theoretical finding — we prove severity with documented evidence and chain vulnerabilities where possible to show escalation paths, all without causing disruption.

Controlled PoC exploitation with minimal footprint
Vulnerability chaining to demonstrate attack paths
Privilege escalation and lateral movement testing
Screenshot and video evidence capture

05

Analysis & Reporting

Comprehensive report with clear remediation guidance

Every finding is documented with severity rating (CVSS), a clear description, reproduction steps, evidence, business impact, and actionable remediation. We produce both an executive summary for leadership and a technical report for your engineering team.

CVSS 3.1 scoring for all findings
Executive summary for non-technical stakeholders
Developer-facing technical report with code-level fixes
Remediation priority roadmap

06

Remediation & Re-test

Verification that every vulnerability is fully fixed

After your team implements fixes, we re-test every identified vulnerability to confirm complete remediation and check that no new issues were introduced as a side-effect. A clean re-test report is provided for compliance and client assurance purposes.

Full re-test of all discovered vulnerabilities
Regression testing around patched code paths
Updated report with remediation status
Letter of attestation for compliance use

Aligned Standards

Tested against industry standards

Our methodology is aligned to the OWASP Testing Guide, PTES (Penetration Testing Execution Standard), and OWASP WSTG to ensure comprehensive, consistent coverage on every engagement.

OWASP Top 10
PTES
OWASP WSTG
CVSS 3.1
OWASP ASVS
MITRE ATT&CK
