Services

What we test, and how.

Four engagement types. All fixed price. All delivered with a written report that covers findings, reproduction steps, and remediation guidance.

01 — Core service

Web Application Penetration Test

A manual test of your public-facing or internal web application for exploitable vulnerabilities. We do not run automated scanners and call it a pentest. Each finding is manually confirmed and documented with reproduction steps.

  • Authentication and session management flaws
  • Injection vulnerabilities (SQL, command, LDAP)
  • Access control and privilege escalation paths
  • Sensitive data exposure and misconfigured headers
  • Business logic issues specific to your application

Typically 3–5 business days of testing. Suitable for SaaS platforms, internal tools, customer portals. Authenticated and unauthenticated testing both available.

02 — Infrastructure

Network and Infrastructure Audit

An assessment of your internal or external network perimeter. We identify open attack paths, misconfigured services, weak credentials, and lateral movement opportunities that an attacker could use after initial access.

  • External perimeter scan and service fingerprinting
  • Internal network segmentation review
  • Active Directory configuration and privilege review
  • Firewall and VPN configuration spot-checks
  • Known vulnerability identification across services

Scope depends on IP range size and whether internal access is required. We work with remote access or on-site depending on what you need. Not a substitute for a full pentest of specific applications.

03 — Human layer

Social Engineering Assessment

A controlled phishing campaign and optionally a vishing (voice phishing) or physical access test. The point is not to catch employees out — it is to understand your actual exposure before someone else does it for real.

  • Targeted email phishing campaign with custom pretext
  • Credential harvest and malware execution simulation
  • Click-rate, submission-rate, and escalation reporting
  • Optional: telephone-based vishing scenarios
  • Post-campaign debrief for security and HR teams

Requires written authorization from an appropriate authority in your organisation. We do not run tests without this. All campaigns are scoped to target only agreed systems and staff.

04 — Awareness

Security Awareness Training

A structured session for non-technical staff, IT teams, or leadership. We use concrete examples from real incidents — not vendor slide decks — to make the risk legible to people who are not security specialists.

  • Password and credential hygiene
  • Phishing and social engineering recognition
  • Safe use of SaaS tools and cloud storage
  • Incident reporting: what to do and who to call
  • Optional: Q&A with leadership on current threat landscape

Delivered remotely or on-site in Frankfurt and surrounding areas. Duration is typically 2 hours. Materials are provided in German or English depending on your team.

Not sure which engagement fits? A 30-minute call is usually enough to figure it out.
