Services & Engagements

- Penetration Testing (Pentest)
A penetration test is an authorized, manual security assessment in which an operator finds and exploits vulnerabilities to prove real business impact, then reports the validated attack paths. Unlike a vulnerability scan, it confirms each finding by exploitation rather than listing potential issues.
Source · NIST SP 800-115

- Vulnerability Assessment
A vulnerability assessment identifies, classifies, and prioritizes known weaknesses across systems, usually with automated scanning, but does not exploit them to prove impact. It answers what is potentially exposed; a penetration test answers what an attacker would actually do with it.
Source · NIST SP 800-115

- Red Teaming
Red teaming is a full-scope, objective-driven adversary simulation that tests an organization's detection and response across digital, physical, and human vectors, not just a single system. The goal is to reach a defined objective the way a real threat actor would and measure whether the blue team catches it.
Source · MITRE ATT&CK adversary emulation

- Adversary Simulation
Adversary simulation (adversary emulation) replicates the specific tactics, techniques, and procedures of a named threat actor against your environment, mapped to MITRE ATT&CK. It tests whether your controls stop the actor you are actually likely to face, rather than a generic attacker.
Source · MITRE ATT&CK

- Purple Team
A purple team is a collaborative exercise in which the offensive (red) team executes attacks while the defensive (blue) team watches in real time to tune detection and response. The deliverable is improved detection coverage, measured against MITRE ATT&CK, not a list of who won.
Source · MITRE ATT&CK

- Continuous Penetration Testing (PTaaS)
Continuous penetration testing, often delivered as Penetration Testing as a Service (PTaaS), runs testing on an ongoing cadence against a changing attack surface rather than as a single point-in-time engagement. It surfaces newly introduced flaws between annual assessments and shortens the window an attacker has on fresh exposure.
Source · NIST SP 800-115 (point-in-time vs. continuous)

- Threat-Led Penetration Testing (TLPT)
Threat-led penetration testing scopes a live, intelligence-driven attack simulation against an organization's critical functions using TTPs drawn from real threat intelligence. It is the model behind regulatory frameworks such as TIBER-EU, CBEST, and DORA for financial-sector resilience testing.
Source · TIBER-EU / CBEST / DORA

- Assumed Breach
An assumed-breach engagement starts the operator from an already-compromised position, such as a standard user workstation or a set of valid credentials, instead of spending time on initial access. It tests how far an attacker gets after the perimeter fails, which is where most real damage happens.
Source · MITRE ATT&CK (post-compromise tactics)

- Attack Surface Management (ASM)
Attack surface management is the continuous discovery, inventory, and monitoring of an organization's internet-facing assets, including shadow IT and forgotten infrastructure. It answers a question most organizations cannot: what do we actually expose to the internet right now?
Source · CISA attack surface guidance

- Phishing
Phishing is a social-engineering attack that uses fraudulent messages, typically email, to trick a target into revealing credentials, running malware, or authorizing a transaction. MITRE ATT&CK tracks it as technique T1566; testing emulates the same lures a real campaign would use.
Source · MITRE ATT&CK T1566

- Segmentation Testing
Segmentation testing validates that network controls actually isolate a sensitive zone, such as a PCI cardholder data environment, from the rest of the network. It proves that a compromise in one segment cannot reach the protected segment, a requirement under PCI DSS.
Source · PCI DSS v4.0
Web & API

- OWASP Top 10
The OWASP Top 10 is a community-consensus document listing the most critical security risks to web applications, used industry-wide as a baseline awareness and testing standard. It is a risk-awareness reference, not a complete checklist; a real pentest goes beyond it.
Source · OWASP

- Server-Side Request Forgery (SSRF)
SSRF abuses a server's ability to make outbound requests, tricking the application into fetching attacker-chosen URLs to reach internal resources it should not. It is a common path to cloud metadata endpoints, internal services, and configuration that is not exposed to the internet.
Source · OWASP

- Cross-Site Request Forgery (CSRF)
CSRF forces an authenticated user's browser to send an unwanted state-changing request to a site they are logged into, exploiting the browser's automatic inclusion of session credentials. The attacker performs an action as the victim without ever seeing the response.
Source · OWASP
Network & Identity

- Kerberoasting
Kerberoasting is an Active Directory attack where an authenticated user requests Kerberos service tickets for accounts with a Service Principal Name, then cracks the encrypted ticket offline to recover the service account's plaintext password. It needs only a valid domain account and frequently yields privileged credentials.
Source · MITRE ATT&CK T1558.003

- NTLM Relay
NTLM relay intercepts a victim's NTLM authentication and forwards it to a third system to authenticate as that victim, without ever cracking a password. Combined with name-resolution poisoning (LLMNR/NBT-NS), it is a reliable route from network access to domain compromise.
Source · MITRE ATT&CK T1557.001

- Lateral Movement
Lateral movement is the MITRE ATT&CK tactic of pivoting from one compromised host to others across the network, typically using stolen credentials and legitimate remote-access tools. It is how a single foothold becomes domain-wide control.
Source · MITRE ATT&CK TA0008

- Privilege Escalation
Privilege escalation is the MITRE ATT&CK tactic of gaining higher-level permissions, such as local administrator, SYSTEM, root, or Domain Admin, usually by exploiting a misconfiguration or vulnerability. It turns limited access into the control an attacker needs to act on objectives.
Source · MITRE ATT&CK TA0004
AI / LLM

- Prompt Injection
Prompt injection is an attack that alters an LLM's behavior or output with crafted input, the top risk in the OWASP LLM Top 10. Direct injection comes from the user's own prompt; indirect injection hides instructions in external content (a web page, document, or email) that the model later processes.
Source · OWASP LLM Top 10 (LLM01:2025)

- LLM Jailbreak
A jailbreak is a form of prompt injection that makes a model ignore its safety guardrails and produce restricted output, for example by role-play framing or instruction overrides. OWASP treats jailbreaking as a subcategory of prompt injection where the system prompt or alignment is fully bypassed.
Source · OWASP LLM Top 10 (LLM01:2025)

- RAG Poisoning
RAG poisoning injects malicious content into the knowledge base a retrieval-augmented-generation system draws from, so the model retrieves and acts on attacker-controlled data at answer time. It can drive misinformation, data leakage, or indirect prompt injection without ever touching the model itself.
Source · OWASP LLM Top 10 (LLM08:2025)
Concepts & Scoring

- MITRE ATT&CK
MITRE ATT&CK is a free, globally used knowledge base of adversary tactics and techniques based on real-world observations, organized as a matrix from initial access to impact. Operators use it to map attack paths and defenders use it to measure detection coverage.
Source · MITRE

- CVSS
The Common Vulnerability Scoring System (CVSS) captures the technical characteristics of a vulnerability as a 0.0 to 10.0 numerical score and a qualitative severity (none, low, medium, high, critical). It rates inherent technical severity, not the business risk in your specific environment, which is why operators contextualize it.
Source · FIRST CVSS

- False Positive
A false positive is a reported finding that is not actually exploitable in context, a common output of automated scanners that flag a signature without validating impact. Manual exploitation exists in large part to remove them, so a report contains only confirmed issues.
Source · NIST SP 800-115

- Attack Path
An attack path is the chained sequence of steps an attacker takes from an initial foothold to a business-impacting objective, where each weakness enables the next. Reporting the path, not just isolated findings, is what shows leadership the real consequence of a vulnerability.
Source · MITRE ATT&CK

- Remediation Validation (Retest)
Remediation validation, or retesting, re-tests a previously reported finding after a fix to confirm the vulnerability is actually closed and the fix introduced no new exposure. It is the step that turns a report into resolved risk.
Source · NIST SP 800-115

- Social Engineering
Social engineering is the manipulation of people into performing actions or disclosing information that compromises security, bypassing technical controls entirely. In testing, it measures whether staff and process resist a realistic human-vector attack.