01 Offensive Security

Adversarial testing that thinks like the people we keep awake at night.

A senior-led, manual penetration test. We model your actual adversary — ransomware affiliate, nation-state collector, insider — and exercise your environment against that scenario until something breaks.

Duration: 3–6 weeks
Team: 2–4 senior testers
Reporting: Exec + technical
Retest: Included

01 Overview

Manual, scoped, reproducible — and almost never quiet.

Most penetration tests are scanner runs in disguise. We do the opposite: a small senior team works hands-on inside an explicit scope, chains findings into impact, and surfaces only the few things that actually matter.

An Onidef engagement is built around your adversary model, not a catalog. We start from a candid conversation about what you are afraid of — payment fraud, IP theft, regulator disclosure — and we work backward through the kill chain to the realistic entry points.

During execution, the same person who scoped the work is the person doing the work. There is no junior-staffing handoff. Daily updates land in a shared, encrypted channel; severe findings escalate within the hour.

The output is two reports and a debrief. The executive report is short and quotable — fit for the board and external regulators. The technical dossier is long, dense and engineer-ready, with reproducible proof for every finding and a written remediation pathway for each one.

02 Methodology

Six stages — borrowed from PTES, OSSTMM and the ones that actually work.

Our process is documented end to end so your auditors, regulators and internal stakeholders can verify exactly what was done — and what was not.

01 · SCOPE
Scoping & rules of engagement
Defined targets, attack windows, blackout times, in-scope and out-of-scope behaviours, escalation contacts, evidence handling and legal authorisation — captured in a signed engagement letter.

02 · RECON
Reconnaissance & surface mapping
Passive OSINT, DNS & certificate transparency review, active enumeration of services, technology fingerprinting, dependency mapping and exposed-secret search.

03 · ATTACK
Manual exploitation & chaining
Hands-on identification and exploitation of vulnerabilities — authentication flaws, authorisation gaps, injection, deserialisation, SSRF, business-logic abuse. Findings are chained where credible to demonstrate true impact.

04 · ESCALATE
Privilege escalation & pivot
Where in scope, we escalate from the initial foothold — through tokens, secrets, misconfigured services or trust relationships — to demonstrate the realistic blast radius of a compromise.

05 · REPORT
Reporting & debrief
Executive summary, technical dossier, raw evidence, and a live debrief with engineering and leadership. Findings are scored against CVSS 4.0 and our internal business-impact scale.

06 · RETEST
Retest & attestation
Once your team has remediated, we independently retest each finding and deliver a signed attestation letter — suitable for customers, partners, insurers and regulators.

03 Deliverables

What lands in your inbox when we are done.

Every artefact is encrypted in transit, signed, and retained on your terms. We can deliver via secure portal, encrypted PDF or hand-off to your e-discovery vault.

01 Executive narrative

A 6–10 page board-ready document. Risk in business language, a single chart of severity, and three explicit recommendations.

02 Technical dossier

40–120 pages. Every finding with CVSS 4.0 score, request/response evidence, reproduction steps, root cause analysis and a written fix.

03 Replayable evidence

Signed pcap, HAR and screen capture archives. Your engineers can re-run every exploit in a lab before they ship the fix.

04 Remediation workshop

Half-day session with the engineers who will write the fix. We walk through findings on a whiteboard, not over a deck.

05 Retest & attestation

Independent retest of each finding plus a signed letter you can hand to customers, regulators and cyber-insurance carriers.

06 12-month follow-up

One scheduled review per quarter for a year. We come back and check the fixes still hold under real-world drift.

04 Frequently asked

The questions every security buyer asks us.

If yours is not here, write to us at contact. We will answer it in writing within one business day.

Will this be a scanner run with a PDF on top?
No. Automated tools are used for coverage and triage. Every finding in the report has been reproduced manually by a named tester. We do not report results we cannot demonstrate live.

Can you test our production environment?
Generally yes, with explicit scope and blackout windows. We avoid destructive techniques and any action that could disrupt customer traffic without prior written approval. Production testing is documented in the rules of engagement.

How is this scoped commercially?
Engagements are fixed-fee, by-the-engagement — not per-day. We will quote after a short scoping call and a review of your assets. There is no procurement surprise.

Are your reports accepted for SOC 2, ISO 27001 and customer due diligence?
Yes. Our reports are routinely accepted by external auditors, insurers and enterprise procurement. We will tailor the executive summary to the framework you need to satisfy.

What if you find nothing?
Then the report says so — with evidence. We do not pad reports with informational findings to justify the invoice. A clean report from a senior team is a meaningful result, and we say so plainly.

Do you sign NDAs and DPAs?
Always, before any sensitive material is shared. Our standard documents are reciprocal and GDPR-aligned, and we will work with yours if preferred.

Ready to put the real attack surface on paper?

A 30-minute scoping call is enough to write a credible proposal. We will not pitch — we will ask hard questions about what would actually hurt.