Penetration Testing

We break in so someone else doesn't. Network, wireless, web app, and Active Directory pentests with a custom red team toolkit and MITRE ATT&CK-mapped reporting.

What we build — and what we break

Four engagement types cover most of what clients ask for. Internal network and Active Directory pentests, where we start on a corporate VLAN with low-privilege credentials and see how far we can go. External perimeter and web application tests, where we attack what the internet sees. Wireless assessments against corporate Wi-Fi, guest networks, and BYOD separation. And full red team engagements where the blue team is unaware and we have to get in, establish persistence, and simulate data exfiltration without getting caught.

The full attack chain is on the table: Kerberoasting and AS-REP roasting, password spraying with rate-limit evasion, lateral movement via WinRM, SMB, and RDP, Kerberos delegation abuse (unconstrained, constrained, RBCD), Active Directory Certificate Services exploitation across known ESC patterns, and credential dumping from LSASS, DPAPI, and SAM.

Our custom red team toolkit has 11 attack modules covering credential spraying, lateral movement, Kerberos abuse, ADCS exploitation, C2 infrastructure spin-up, and evasion. Every technique we use is mapped to a MITRE ATT&CK ID so your detection team knows what to look for.

Who this is for

Companies with compliance pressure (SOC 2, PCI DSS, HIPAA, CMMC) that require annual third-party pentesting. Businesses that have never had a real test done and want to know what an attacker would actually find. Security teams who need a second-opinion red team exercise to justify budget or validate new controls. Law firms, financial services, healthcare orgs, and SaaS companies holding customer data.

Small IT shops running Active Directory who suspect their GPOs and permissions have drifted over time — they usually have. And development teams that want a black-box or credentialed assessment of a production web application before shipping a major release.

Not for: compliance-only checkbox buyers who want a short PDF and a photo-op. If that's the goal, there are cheaper vendors. Our reports get used by actual security teams to fix actual problems.

Reference engagement

See our Active Directory pentest case study for the full attack chain from standard user to Domain Admin — Kerberoasting, ADCS abuse, and MITRE ATT&CK mapping included. Pentest engagements are served across Atlanta, Macon, Savannah, and Augusta, GA, plus remote work nationwide.

Web application penetration testing

Your web app probably passed a Burp scan. That does not mean it is safe. The exploits that get companies breached are almost always business-logic bugs, broken auth flows, and IDOR chains that scanners cannot see. A real web app pentest reads your app the way an attacker does — mapping roles, abusing tenant boundaries, breaking workflow state, and finding the path from "anonymous visitor" to "domain admin."

Coverage on every web app engagement: OWASP Top 10 (SQLi, XSS, SSRF, broken access control). Authentication and session — MFA bypass, session fixation, password reset abuse. Authorization — IDOR, horizontal and vertical privilege escalation, tenant isolation. Business logic — workflow tampering, race conditions, pricing manipulation. API security across REST and GraphQL — mass assignment, rate limiting, schema introspection. Client-side — DOM XSS, prototype pollution, source-map and bundle review.

Methodology: a credentialed walkthrough first, so we understand the intended workflows, then testing as multiple personas (unauthenticated, low-privilege user, admin) while looking for the cracks between them. Manual exploitation, real payloads, real proof. Pre-launch testing on staging is ideal; pre-launch findings cost less to fix than post-launch ones.

MITRE ATT&CK-aligned assessments

For clients who have a SIEM, an EDR, a SOC (in-house or MSSP), or a cyber-insurance carrier asking pointed questions, we run engagements scoped explicitly to MITRE ATT&CK techniques. We pick the threat profile that matches your industry — FIN7 for retail, APT41 for tech, ransomware affiliates for everyone — then execute that group's documented TTPs against your environment. Every technique attempted is logged with timestamp, source, target, and detection outcome, producing an ATT&CK heatmap of what your defenses actually catch.
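The per-technique log described above (timestamp, source, target, detection outcome) is what a coverage heatmap is built from. The script below is an added illustration, not the toolkit's own reporting code: it parses a constructed JSON-lines log, aggregates attempts per tactic and technique, and lists the techniques whose alert rate falls below a threshold. The field names, the three outcome values (`alerted`, `logged`, `missed`) and the sample hosts are assumptions made for the example; the technique IDs are standard ATT&CK IDs.

```python
"""Aggregate a technique-attempt log into an ATT&CK coverage heatmap.

Added example: the log lines, field names and outcome values are constructed
sample data, not output from any real engagement or toolkit.
"""
import json
from collections import defaultdict

# Constructed sample log: one JSON object per attempted technique.
SAMPLE_LOG = """
{"ts": "2024-05-06T09:12:04Z", "technique": "T1110.003", "tactic": "credential-access", "source": "10.20.5.41", "target": "dc01", "outcome": "alerted"}
{"ts": "2024-05-06T09:40:17Z", "technique": "T1110.003", "tactic": "credential-access", "source": "10.20.5.41", "target": "dc02", "outcome": "logged"}
{"ts": "2024-05-06T10:05:33Z", "technique": "T1558.003", "tactic": "credential-access", "source": "10.20.5.41", "target": "dc01", "outcome": "missed"}
{"ts": "2024-05-06T11:22:48Z", "technique": "T1021.006", "tactic": "lateral-movement", "source": "10.20.5.41", "target": "fs01", "outcome": "alerted"}
{"ts": "2024-05-06T11:30:02Z", "technique": "T1021.002", "tactic": "lateral-movement", "source": "10.20.5.41", "target": "fs01", "outcome": "logged"}
{"ts": "2024-05-06T11:31:19Z", "technique": "T1021.002", "tactic": "lateral-movement", "source": "10.20.5.41", "target": "app01", "outcome": "missed"}
{"ts": "2024-05-06T13:02:55Z", "technique": "T1003.001", "tactic": "credential-access", "source": "fs01", "target": "fs01", "outcome": "alerted"}
{"ts": "2024-05-06T13:04:10Z", "technique": "T1003.001", "tactic": "credential-access", "source": "app01", "target": "app01", "outcome": "alerted"}
{"ts": "2024-05-06T14:47:36Z", "technique": "T1649", "tactic": "credential-access", "source": "10.20.5.41", "target": "ca01", "outcome": "missed"}
"""

# Assumed outcome vocabulary: alerted = SOC got an alert, logged = telemetry
# exists but no alert fired, missed = nothing recorded at all.
OUTCOMES = ("alerted", "logged", "missed")


def parse_log(text):
    """Parse JSON-lines text into event dicts, rejecting unknown outcomes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev["outcome"] not in OUTCOMES:
            raise ValueError(f"unknown outcome {ev['outcome']!r} in {ev}")
        events.append(ev)
    return events


def build_heatmap(events):
    """Return {tactic: {technique: {outcome: count}}} from the event list."""
    heat = defaultdict(lambda: defaultdict(lambda: dict.fromkeys(OUTCOMES, 0)))
    for ev in events:
        heat[ev["tactic"]][ev["technique"]][ev["outcome"]] += 1
    return {tactic: dict(techs) for tactic, techs in heat.items()}


def detection_rate(cell):
    """Fraction of attempts for one technique that produced an alert."""
    total = sum(cell.values())
    return cell["alerted"] / total if total else 0.0


def tactic_summary(heat):
    """Return {tactic: (attempts, alerted)} totals across its techniques."""
    summary = {}
    for tactic, techs in heat.items():
        attempts = sum(sum(cell.values()) for cell in techs.values())
        alerted = sum(cell["alerted"] for cell in techs.values())
        summary[tactic] = (attempts, alerted)
    return summary


def coverage_gaps(heat, threshold=0.5):
    """Sorted (tactic, technique) pairs whose alert rate is below threshold."""
    return sorted(
        (tactic, tech)
        for tactic, techs in heat.items()
        for tech, cell in techs.items()
        if detection_rate(cell) < threshold
    )


def render(heat):
    """Plain-text heatmap: one row per technique with A/L/M counts and rate."""
    lines = []
    for tactic in sorted(heat):
        lines.append(f"== {tactic} ==")
        for tech in sorted(heat[tactic]):
            cell = heat[tactic][tech]
            lines.append(
                f"  {tech:<10} A={cell['alerted']} L={cell['logged']} "
                f"M={cell['missed']}  alert-rate={detection_rate(cell):.0%}"
            )
    return "\n".join(lines)


if __name__ == "__main__":
    heatmap = build_heatmap(parse_log(SAMPLE_LOG))
    print(render(heatmap))
    print("gaps below 50% alert rate:", coverage_gaps(heatmap))
```

The `logged` outcome is kept separate from `missed` on purpose: a technique that is logged but never alerted on is a detection-engineering gap (the telemetry exists, the rule does not), whereas `missed` means the telemetry itself has to be added first. Feeding the real engagement log in is a matter of matching the field names.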

See the full MITRE ATT&CK assessment page for the standalone engagement format.

How we approach it

Scoping call first. We pin down the rules of engagement, the authorized IP ranges, the emergency contacts, and what's explicitly off-limits (production databases, executive workstations, whatever). Then we sign the statement of work. Nothing runs without written authorization — this is non-negotiable.

The engagement runs in phases: reconnaissance and fingerprinting, initial access attempts, post-exploitation and lateral movement, then privilege escalation. Then we write up the narrative — not a CSV dump of CVEs, but the actual story of how a real attacker chains the findings into impact.

Reports get delivered with an executive summary for leadership, a technical narrative for engineers, an appendix mapping every finding to MITRE ATT&CK, and a prioritized remediation plan. We do a debrief call with your team. And we include a retest after fixes so you can close the loop properly.

Tech & tools

Custom red team toolkit (11 modules)
BloodHound / SharpHound
Impacket suite
Certipy (ADCS)
CrackMapExec / NetExec
Responder / ntlmrelayx
Burp Suite Pro
Cobalt Strike / Sliver C2
Nmap, Nuclei, custom tooling

We use the standard industry toolset for most things because it mirrors what real attackers use. Where off-the-shelf tools are too noisy or missing a technique, our in-house modules fill the gap — and that's what gives us clean evasion against well-tuned EDR.

What you get

  • A full written report: executive summary, technical narrative, evidence, and remediation
  • Every finding mapped to MITRE ATT&CK technique IDs for your detection team
  • Proof-of-compromise screenshots and command history for each critical issue
  • Prioritized remediation roadmap ordered by exploitability, not just CVSS
  • Debrief call with your security and engineering leads
  • Retest of critical findings after remediation (included in most scopes)
  • A clean letter of attestation for SOC 2, PCI, or compliance needs
  • An honest assessment — not padded findings to fill pages

FAQs

What's the difference between a vulnerability scan and a penetration test?

A vulnerability scan runs automated tools against your environment and hands you a list of potential issues, most of which are false positives or low severity. A penetration test is a human adversary trying to chain findings into actual impact — credential spraying leading to lateral movement leading to domain admin. We do the second kind.

How long does a pentest take?

A standard internal network or Active Directory pentest runs 1-2 weeks of active testing plus reporting. Web application tests vary by scope — a single app with standard authentication is usually 1 week. Full red team engagements with persistent C2 and physical components run longer.

Do you cause outages during testing?

Rarely, and never intentionally on production. Denial-of-service testing is its own scope and requires explicit authorization. Normal pentesting uses low-impact techniques, and we coordinate with your team on anything that could stress services.

What do I actually get at the end?

A written report with executive summary, full attack narrative, screenshot evidence for every critical finding, each issue mapped to MITRE ATT&CK technique IDs, and a remediation roadmap prioritized by exploitability rather than CVSS score alone. Plus a retest after you fix things.

Are you based in Atlanta or Georgia?

Yes, Georgia-based. We work with clients across the US, mostly remotely, but in-person engagements (physical red team, wireless walkthroughs, on-site social engineering) are straightforward to schedule for Atlanta and surrounding areas.

Penetration Testing — Where We Serve

Georgia-based offensive security team. Most engagements run remotely; on-site work (physical red team, wireless walkthroughs, on-site social engineering) is straightforward in Atlanta and the Southeast, and available in any of the metros below.

Find out what's actually there.

Book a scoping call. We'll walk through rules of engagement, environment, and pricing in one conversation.

Or talk to us directly: (770) 652-1282 · beltz@quantlabusa.dev