Offensive capabilities in full.

Six pillars, one team, one standard. Every engagement is manual, chained, and mapped to recognised frameworks — built to prove what an attacker actually reaches, moves to, and takes.

01

Web & Application Penetration Testing

Black-, grey-, and white-box testing of web apps, single-page apps, REST/GraphQL APIs, mobile (iOS/Android), thick clients, and SaaS multi-tenancy. We go beyond scanners.

Manual exploitation of authentication (OAuth2, SAML, OIDC, WebAuthn), session management, access control (IDOR/BOLA), injection (SQLi, SSTI, SSRF, deserialization) — and the business-logic flaws automated tools never find.

What we test
  • AuthN / AuthZ — OAuth2, SAML, OIDC, WebAuthn, session fixation
  • Access control — IDOR / BOLA, function-level & tenant isolation
  • Injection — SQLi, NoSQLi, SSTI, SSRF, XXE, deserialization
  • Client-side — XSS, CSRF, prototype pollution, CORS abuse
  • API surface — REST & GraphQL introspection, mass assignment, rate-limit bypass
  • Business logic — race conditions, price/amount tampering, workflow abuse
Deliverables
Risk-ranked findings, working PoCs, engineer-grade remediation, and a free verified retest with an attestation letter.
Standards
OWASP WSTG · OWASP MASVS · OWASP API Top 10 · NIST SP 800-115 · PTES
Coverage
SPA / Web · REST / GraphQL · iOS / Android · Thick clients · Multi-tenancy · Business logic
Sample finding // CS-2

Negative-amount transfer logic flaw. On a card-issuing fintech platform, a signed transfer accepted a negative value — crediting the attacker's balance instead of debiting it. Chained with a BOLA exposing ~2M records, it was a clean path to direct financial loss. Fixed in-window; the platform passed PCI-DSS the next quarter.
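Added example, not code from the 0block page or the platform in the CS-2 finding: a constructed Python ledger that shows the negative-amount pattern beside a hardened transfer which validates the amount as a positive integer in minor units and checks that the caller owns the source account (the BOLA half of the chain). Account names, balances and owners are constructed.

```python
from dataclasses import dataclass, field

class TransferError(ValueError):
    pass

@dataclass
class Ledger:
    """Constructed in-memory ledger: balances in integer minor units (cents)."""
    balances: dict = field(default_factory=lambda: {"acct_a": 10_000, "acct_b": 500})
    owners: dict = field(default_factory=lambda: {"acct_a": "alice", "acct_b": "bob"})

def transfer_vulnerable(ledger: Ledger, src: str, dst: str, amount: int) -> None:
    """The CS-2 pattern: the amount is used as signed arithmetic and the only
    guard is a balance comparison, which a negative amount always passes."""
    if ledger.balances[src] < amount:
        raise TransferError("insufficient funds")
    ledger.balances[src] -= amount          # a negative amount credits src
    ledger.balances[dst] += amount          # and debits dst

def transfer_hardened(ledger: Ledger, caller: str, src: str, dst: str, amount) -> None:
    """Validate type, sign and ownership before any balance changes."""
    if isinstance(amount, bool) or not isinstance(amount, int):
        raise TransferError("amount must be an integer in minor units")
    if amount <= 0:
        raise TransferError("amount must be positive")
    if src == dst:
        raise TransferError("source and destination must differ")
    if ledger.owners.get(src) != caller:   # object-level authorization (BOLA check)
        raise TransferError("caller does not own the source account")
    if ledger.balances[src] < amount:
        raise TransferError("insufficient funds")
    ledger.balances[src] -= amount
    ledger.balances[dst] += amount

def is_rejected(fn, *args) -> bool:
    """True if the call raises TransferError; used to check the hardened path."""
    try:
        fn(*args)
    except TransferError:
        return True
    return False
```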

02

Network & Cloud Infrastructure

External and internal network penetration testing, segmentation validation, and wireless — plus deep Active Directory attack-path analysis.

Active Directory: Kerberoasting, ADCS abuse, delegation attacks, and NTLM relay. Cloud: security review across AWS, Azure, and GCP — IAM privilege escalation, exposed metadata, misconfigured storage, and container/Kubernetes breakout.

What we test
  • External perimeter — exposed services, VPN/edge, password spraying
  • Active Directory — Kerberoasting, ADCS (ESC1–ESC8), delegation, NTLM relay
  • Segmentation — VLAN hopping, pivot & lateral-movement validation
  • Cloud IAM — privilege escalation, role assumption, metadata/SSRF abuse
  • Storage & secrets — public buckets, misconfigured KMS, leaked keys
  • Containers — Kubernetes RBAC, pod breakout, registry exposure
Deliverables
Attack-path diagrams, prioritized fixes mapped to CIS controls, and a free retest after remediation.
Standards
NIST SP 800-115 · MITRE ATT&CK · CIS Benchmarks · PTES · OSSTMM
Coverage
External / Internal · Active Directory · ADCS · NTLM Relay · AWS / Azure / GCP · Kubernetes · Wireless
Sample finding // CS-4

ADCS ESC1 → Domain Admin. A misconfigured certificate template let any authenticated user request a cert as a privileged account. Chained after a Kerberoast, it took us to Domain Admin and the production database in 6 hours. Purple-team replay tuned 14 new detections; the rematch was contained in 19 minutes.

03

Hardware, Embedded & IoT Security

Our hardware lab tears down what others won't. PCB reverse engineering, firmware extraction (SPI/eMMC dumps), JTAG/SWD/UART access, and secure-boot bypass.

Side-channel analysis and fault injection (voltage/EM glitching) to defeat "secure elements." RFID/NFC, BLE, automotive CAN bus, and medical-device assessment.

What we test
  • PCB & silicon — reverse engineering, micro-probing, X-ray imaging
  • Debug interfaces — JTAG / SWD / UART discovery & access
  • Firmware — SPI / eMMC extraction, decryption, binary analysis
  • Secure boot — signature-check bypass & chain-of-trust gaps
  • Fault injection — voltage / EM glitching against secure elements
  • Wireless & bus — RFID / NFC, BLE, automotive CAN
Lab Capability
ChipWhisperer · logic analyzers · X-ray · micro-probing station · custom glitching rigs.
Deliverables
Annotated teardown, reproducible glitch parameters, hardware/firmware fixes, and coordinated-disclosure support.
Standards
OWASP IoT Top 10 · OWASP FSTM · NIST SP 800-115 · PTES
Coverage
PCB Reversing · Firmware Extraction · JTAG / SWD / UART · Secure-Boot Bypass · Side-Channel · Fault Injection · RFID / NFC / BLE · CAN Bus
Sample finding // CS-3

Secure-boot voltage glitch. A cold-storage wallet marketed as "unhackable" fell to a single well-timed voltage glitch during boot — skipping the signature check and letting us dump firmware from external flash to reconstruct the seed on a lab unit. Coordinated disclosure; 2 CVEs assigned.

04

Blockchain & Smart Contract Security

Deep security review for the on-chain economy. Solidity / Vyper / Rust (Solana, ink!) smart-contract audits, EVM internals, DeFi protocol and bridge review, MEV and economic-attack modeling, and oracle manipulation analysis.

Off-chain: Bitcoin & crypto custody review — HSM and MPC threshold-signing flows, key generation / nonce hygiene, withdrawal-approval quorums, exchange hot/cold architecture, and validator/node hardening.

What we test
  • Contract logic — access control, reentrancy, integer & rounding flaws
  • Bridges — signature replay, message validation, mint/burn integrity
  • Economics — MEV, oracle manipulation, flash-loan attack modeling
  • Upgradeability — proxy/storage collisions, admin-key & governance risk
  • Custody crypto — threshold-ECDSA nonces, key-gen, HSM/MPC flows
  • Operations — withdrawal-quorum logic, hot/cold split, validator hardening
Track Record
Reviews spanning bridges, exchanges, and custody now help protect $1B+ in customer assets and protocol TVL.
Deliverables
Line-referenced findings, executable PoC exploits, fix recommendations, and a free retest of the patched code.
Standards
OWASP SCSVS · SWC Registry · PTES · CryptoCurrency Sec. Standard
Coverage
Solidity / Vyper · Rust / Solana · DeFi & Bridges · MEV Modeling · Oracle Manipulation · MPC / HSM Custody · Threshold ECDSA · Validator Hardening
Sample finding // CS-1 · CS-5

Bridge signature-replay & threshold-ECDSA nonce reuse. On a ~$220M cross-chain bridge, a message valid on chain A replayed to mint wrapped assets on chain B without burning the originals. Separately, an MPC custody service reused ECDSA nonces in a way that could leak key shares across enough signatures. Both disclosed under embargo — zero funds lost.
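Added example, not the page's code or any bridge's contract: a Python model of the replay half of the CS-1 finding, where a mint message signed without a destination chain id or nonce is accepted on every chain and more than once, beside a verifier that binds both into the signed fields and records consumed nonces. The HMAC key stands in for the validators' signature scheme; chain ids, addresses and amounts are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key standing in for the validator set's signing key (real bridges
# use threshold or multisig signatures, not an HMAC).
VALIDATOR_KEY = b"constructed-demo-validator-key"

def sign(payload: dict) -> str:
    """Signature stand-in over a canonical JSON encoding of the signed fields."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(VALIDATOR_KEY, data, hashlib.sha256).hexdigest()

def unbound_fields(msg: dict) -> dict:
    """What the vulnerable design signs: no destination chain, no nonce."""
    return {"recipient": msg["recipient"], "amount": msg["amount"]}

def bound_fields(msg: dict) -> dict:
    """What the hardened design signs: destination chain and a per-source nonce."""
    return {k: msg[k] for k in ("src_chain", "dst_chain", "nonce", "recipient", "amount")}

class VulnerableBridge:
    """Mint endpoint of the CS-1 pattern: a signature valid on chain A is equally
    valid on chain B, and nothing stops presenting it more than once."""
    def __init__(self, chain_id: str):
        self.chain_id = chain_id
        self.minted: dict = {}
    def mint(self, msg: dict, sig: str) -> bool:
        if not hmac.compare_digest(sign(unbound_fields(msg)), sig):
            return False
        self.minted[msg["recipient"]] = self.minted.get(msg["recipient"], 0) + msg["amount"]
        return True

class HardenedBridge(VulnerableBridge):
    """Same endpoint with domain separation (dst_chain) and replay tracking (nonce)."""
    def __init__(self, chain_id: str):
        super().__init__(chain_id)
        self.consumed: set = set()

    def mint(self, msg: dict, sig: str) -> bool:
        if not hmac.compare_digest(sign(bound_fields(msg)), sig):
            return False                     # tampered or unsigned message
        if msg["dst_chain"] != self.chain_id:
            return False                     # signed for another chain
        key = (msg["src_chain"], msg["nonce"])
        if key in self.consumed:
            return False                     # this burn was already minted once
        self.consumed.add(key)
        self.minted[msg["recipient"]] = self.minted.get(msg["recipient"], 0) + msg["amount"]
        return True
```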

05

Red Team & Adversary Simulation

We don't scan. We hunt.

Full-scope, objective-based red teaming that models a real, funded adversary: initial access via spear-phishing and exposed services, evasion of EDR/SOC, lateral movement, domain dominance, and data exfiltration.

Plus physical intrusion and social engineering. Assumed-breach and purple-team collaborative exercises to tune your detection — every step mapped end-to-end to MITRE ATT&CK and logged for blue-team replay.

What we test
  • Initial access — spear-phishing, MFA fatigue, exposed-service abuse
  • Evasion — EDR/AV bypass, in-memory tradecraft, low-and-slow ops
  • Privilege escalation — local & domain, credential theft, Kerberos abuse
  • Lateral movement — pivoting to crown-jewel systems & data
  • Physical & social — on-site intrusion, badge cloning, pretexting
  • Detection tuning — assumed-breach & purple-team replay
Mapping
End-to-end to MITRE ATT&CK; every action logged for blue-team replay.
Deliverables
Narrative attack story, ATT&CK heatmap, detection gaps, and a collaborative purple-team read-out.
Standards
MITRE ATT&CK · TIBER-EU · PTES · OSSTMM
Coverage
Objective-Based · Spear-Phishing · EDR / SOC Evasion · Lateral Movement · Domain Dominance · Physical Intrusion · Assumed Breach · Purple Team
Sample finding // CS-4

One click to total domain compromise. A single spear-phish, an MFA-fatigue bypass, a Kerberoast, then ADCS ESC1 abuse put us in Domain Admin and the production database. The value wasn't the breach — it was the 14 detections the purple-team replay stood up afterward.

06

Continuous Security / PTaaS

Penetration Testing as a Service: a continuous-testing platform with on-demand retests, real-time finding delivery, attack-surface monitoring, and a live remediation dashboard.

Human-driven testing on a subscription cadence for teams that ship daily — so your security keeps pace with your release velocity, not last quarter's snapshot.

What we test
  • Release-driven — focused testing on every major feature or sprint
  • Attack surface — continuous external asset & exposure monitoring
  • On-demand retests — fixes verified the moment you ship them
  • Regression — re-check of prior findings as the codebase changes
  • New-CVE triage — your stack assessed against fresh disclosures
  • Live delivery — findings to a dashboard as they're confirmed
Model
Retainer-based, continuous, human-led — not an automated scanner subscription.
Deliverables
Live findings dashboard, per-finding tickets with PoCs, unlimited retests, and a rolling executive summary.
Standards
OWASP WSTG · NIST SP 800-115 · MITRE ATT&CK · PTES
Coverage
On-Demand Retests · Real-Time Findings · Attack-Surface Monitoring · Live Dashboard · Subscription Cadence
Sample finding // continuous

Caught between annual tests. A new release re-introduced an SSRF in an internal admin API that a point-in-time test would have missed for months. Flagged the same day it shipped, with a verified retest closing it before it ever reached an attacker.

How we work

The five-phase engagement.

Aligned to PTES, OWASP, NIST SP 800-115, MITRE ATT&CK, and OSSTMM. Critical findings reported within 24 hours — and a free retest closes the loop.

  01  Scope & Reconnaissance
      Rules of engagement, threat-led scoping, OSINT, and attack-surface mapping.
      OSINT · ASM

  02  Threat Modeling
      We model your adversary and crown jewels, not a generic checklist.
      Adversary-led

  03  Exploitation
      Manual, chained exploitation. Real attacks, safely executed. Critical findings reported within 24h, not at the end.
      < 24h SLA

  04  Post-Exploitation & Impact
      We prove business impact: what an attacker reaches, moves to, and takes.
      Impact proof

  05  Reporting & Remediation
      Executive narrative + engineer-grade technical detail, ranked by real risk (CVSS + business context). Free retest to verify every fix.
      Free retest

Aligned to PTES · OWASP · NIST SP 800-115 · MITRE ATT&CK · OSSTMM

The deliverable

What you actually get.

Adversaries don't send reports. We do — built so your board understands the risk and your engineers can close it the same week. Every engagement ends the same way.

01

Executive summary

A plain-language read on what an attacker could reach and what it means for the business — written for the people who sign off on risk.

02

Technical findings & PoCs

Every finding with reproduction steps and a working proof-of-concept. No "potential" hand-waving — we show the exploit running.

03

Risk-ranked remediation

Fixes ordered by real risk — CVSS plus the business context that decides what actually gets patched first.

04

Free retest + attestation

We re-test every fix at no extra cost and issue a signed attestation letter you can hand to customers, auditors, and partners.

05

Live read-out call

A working session with the engineers who broke it — so your team can ask the hard questions and walk away knowing how to fix it.

Compare engagements

Tier by tier.

Four ways to engage, one standard of rigor. Manual exploitation and a free retest come with every tier — depth, duration, and cadence are what change.

Comparison of 0block engagement tiers

Capability            Tactical          Comprehensive        Red Team           Continuous / PTaaS
Scope                 Single target     Full multi-surface   Objective-based    Rolling / release-driven
Typical duration      3–5 days          2–4 weeks            4–8 weeks          Ongoing retainer
Threat modeling
Manual exploitation   ✓                 ✓                    ✓                  ✓
Executive read-out    Summary only      ✓                    ✓                  Rolling
Free retest           ✓                 ✓                    ✓                  Unlimited
Support SLA           < 24h critical    < 24h critical       Real-time flag     Continuous

✓ included · — not in scope · Critical findings are flagged within 24h on every tier. Scope is always tailored to your environment.

Start to finish

How an engagement runs.

From the day we sign to the day your fix is verified. No black box — you know where we are and what we've found at every step.

  00  Day 0 — Kickoff & ROE
      Rules of engagement signed, scope and crown jewels confirmed, emergency contacts and safe-words agreed. Authorization in writing before a single packet.
      Authorized

  01  Recon & threat model
      OSINT, attack-surface mapping, and an adversary model tied to your actual business — not a generic checklist.
      OSINT · ASM

  02  Exploitation
      Manual, chained exploitation — real attacks, safely executed. Critical findings flagged within 24h, the moment we confirm them.
      < 24h flag

  03  Post-exploitation & impact
      We prove business impact: what an attacker reaches, moves to, and takes — with the evidence to back every claim.
      Impact proof

  04  Reporting
      Executive narrative + engineer-grade detail, risk-ranked with CVSS and business context, delivered with a live read-out call.
      Read-out

  05  Free retest
      You fix; we verify — at no extra cost — and issue an attestation letter. The loop closes only when the risk is gone.
      Free retest

Engagement tiers

Pick your depth.

From a focused single-target test to continuous, retainer-based coverage. Every tier ends with a free retest and a report your board and your engineers can both use.

Fixed scope · fast

Tactical

Focused test of a single application, network, or contract. Fixed scope, fast turnaround — when you need one thing tested right.

Objective-based

Red Team

Objective-based adversary simulation with optional physical and social-engineering scope. We model a real, funded attacker.

Retainer · ongoing

Continuous

Retainer-based continuous testing (PTaaS), unlimited retests, and a live findings dashboard. Security that ships when you do.

Common questions

Before you scope.

The questions every serious buyer asks us. If yours isn't here, a 0block engineer will answer it on the scoping call — no sales filter in between.

Q1 Can the scope flex once we've started?

Yes. Scope is set in the rules of engagement, but real testing surfaces things nobody anticipated. If we find an adjacent system that changes the risk picture, we'll raise it and agree a change in writing before touching it — never silent scope creep, never silently ignoring a critical path that falls just outside the lines.

Q2 How fast can you start, and how long does it take?

A Tactical test typically runs 3–5 days; Comprehensive 2–4 weeks; Red Team 4–8 weeks. We usually kick off within one to two weeks of a signed agreement, and an engineer responds to your scoping request within one business day. Whatever the tier, critical findings are flagged within 24 hours — not held for the final report.

Q3 Is this safe to run against production?

Yes — with rules. We prefer production for accurate results and design every action to be non-destructive: rate-limited, reversible, and scheduled around your maintenance windows. Destructive or denial-of-service style tests only happen with explicit written sign-off, and we keep an open comms channel with a safe-word to pause instantly if anything looks off.

Q4 What standards and methodology do you follow?

Every engagement maps to recognised frameworks — PTES, OWASP WSTG / MASVS, NIST SP 800-115, MITRE ATT&CK, and OSSTMM, plus domain-specific standards (OWASP SCSVS for contracts, FSTM for firmware). But frameworks are the floor, not the ceiling: we don't scan, we hunt — manual, chained exploitation is where the findings that matter actually come from.

Q5 How does pricing work — fixed or retainer?

One-off assessments (Tactical, Comprehensive, Red Team) are fixed-scope, fixed-fee — quoted up front from the agreed scope, with the free retest and attestation included, so there are no surprise line items. Continuous / PTaaS is a retainer priced to your attack surface and release cadence. Every quote follows a scoping call; we don't price blind.

Scope your engagement.

Tell us what you're shipping and what keeps you up at night. A 0block engineer responds within one business day.