Frankfurt — serving EU clients

Security testing without the theatre.

Fixed scope. Fixed price. A real technical report in 10 business days. No retainer, no sales cycle, no ambiguity about what you are paying for.

Web App Pentest, Network Audit, Social Engineering, Cloud Config Review, GDPR Readiness, Incident Response
0 Years running engagements across Germany and the EU
0 Maximum turnaround from kickoff to final report
0 Retainers, lock-in contracts, or surprise scope changes

Four steps, no moving parts

We keep the process simple because the work itself is already complex.

We agree on exactly what gets tested

A 30-minute call where we define the scope, the systems in scope, the rules of engagement, and a fixed price. You get a written scope document before anything starts. No surprises about what's included.

Typical scoping questions: which domains, which IPs, which user roles, whether you want phishing tests included, whether any systems are fragile and require care.

Testing happens in the agreed window

We test within the agreed timeframe — typically 3 to 5 business days for a standard web application test. You receive a daily status message so you know what's been covered and whether anything critical was found that requires immediate attention.

We do not produce alerts or dashboards. We test, document findings, and communicate directly.

A technical report, not a slide deck

The report contains: every finding with a severity rating, the exact steps to reproduce it, and specific remediation guidance. It is written for the person who will fix the issue, not for executive presentation.

A management summary is included for leadership. It translates findings into business impact without oversimplifying the technical content.

A call to walk through the findings

After the report is delivered, we schedule a 60-minute walkthrough. Your developers, your IT lead, your CISO — whoever needs to understand the findings participates. Questions get answered. Remediation priorities get discussed.

One retest of critical findings is included in the original price if completed within 90 days.

Before you reach out

Price is based on scope: number of domains, IP ranges, user roles to test, and estimated test duration. We give you a fixed number in writing before the engagement starts. It does not change unless you add scope after sign-off.

Each finding has: a severity (critical / high / medium / low / informational), a description of what was found, the exact reproduction steps, the potential business impact, and specific remediation guidance. There is also a management summary section.

No. We do discrete engagements only. One scope, one test, one report. If you need continuous monitoring, we can recommend appropriate tooling or MSSP partners. We are not the right fit for that model.

A signed scope document and a point of contact who can confirm scope and receive status messages during testing. For authenticated tests we need test credentials. That is it. We handle the rest.

Yes. Send us your standard NDA or use ours. We do not share engagement details with anyone outside the team assigned to your engagement.

Ready to get a real scope?

A 30-minute call is enough to agree on what gets tested, when, and at what price. No commitment required.

Request a scoping call