Scoped adversarial testing. Defined engagement. Findings the team can fix on Monday.
A penetration test answers one question: can a motivated attacker reach the data we care about, from a defined starting position, inside an agreed window? A red team exercise answers a harder one: can the program detect and respond before they get there? Both are time-boxed, both are signed off in advance, and both produce a written report with the exploitation chain, the evidence, and the remediation plan.
Why This Matters
A vulnerability scan tells you what's open. A pen test tells you what's reachable. A red team tells you what's defended.
The market sells "pen testing" as a commodity, and most engagements deliver it as one. A scanner is run, the output is exported, the report is reformatted, and the invoice is sent. The artifact looks like a pen test, satisfies a checkbox, and doesn't tell the security team anything they couldn't have run themselves. Worse, it gives the audit committee and the customer a document that looks like proof of testing, when it's a document that says the scanner ran.
Real adversarial testing is scoped, manual, and outcome-defined. An objective is agreed in writing: reach a specific dataset, compromise a named system, exfiltrate a defined record, or evade detection inside an operating window. The exploitation chain is reconstructed in the report (initial access, lateral movement, privilege escalation, action on objective) with the evidence and the remediation plan behind each step. The deliverable is the artifact the board, the regulator, the customer, and the cyber insurer were asking for in the first place.
180%: year-over-year increase in the use of vulnerability exploitation as an initial breach vector. The window between disclosure and weaponization is closing. (Verizon · Data Breach Investigations Report 2024)
By The Numbers
5 days: median time between a vulnerability being publicly disclosed and being exploited in the wild. Annual testing is no longer the right cadence. (Mandiant · M-Trends 2024)
4 days: the SEC's reporting window for a material cybersecurity incident on a public company. The first time you want to find out what an adversary can do is not the day you have to disclose it. (SEC · Cybersecurity Disclosure Rules, 2023)
Three situations where a scan won't answer the question being asked.
Who This Is For
Situation 1
A customer, regulator, or insurer is asking for a pen test on file
A security questionnaire from a major customer has a line item for third-party penetration testing. A regulator has named the requirement. The cyber insurance renewal is contingent on it. A scanner report is not the document being asked for.
Situation 2
The program is built and the next question is whether it holds
Vulnerability management is operating. Detection and response is running. The SOC has playbooks. The next question from the board is whether the controls work against a real adversary, not just a scanner, and whether the SOC catches it.
Situation 3
A new application, environment, or M&A target needs an independent read
A new web application is going to production. A cloud landing zone has been built. A newly acquired company is being integrated. The internal team is too close, and the audit committee needs an independent voice on whether the surface is defensible.
Best Outcome (Situation 1)
A scoped engagement against a defined surface, with a Rules of Engagement document, an exploitation walkthrough, and a remediation plan written for the audience that asked for it.
Best Outcome (Situation 2)
A red team exercise mapped to MITRE ATT&CK. Objectives agreed in advance, detections measured against actions on objective, and a debrief that pairs offense findings with defense gaps.
Best Outcome (Situation 3)
A scoped technical assessment with the testing standard cited, the methodology documented, and the findings written so the engineering team can act on them inside the release window.
How It Works
Type 1
External Network Penetration Test
Internet-facing infrastructure. Discovery, vulnerability identification, manual exploitation, lateral movement from the perimeter inward. The engagement most security questionnaires reference when they ask for an external pen test on file.
Type 2
Internal Network Penetration Test
Assumed-breach scenario from a workstation, an unmanaged guest network, or a compromised credential. Tests the lateral movement controls, segmentation, privileged access, and detection that the internal program is built on.
Type 3
Web Application Penetration Test
OWASP-aligned testing of a defined application surface (authentication, authorization, session management, input validation, business logic, API endpoints). Findings cross-mapped to OWASP Top 10 and the application's own threat model.
Type 4
Cloud Penetration Test
AWS, Azure, or GCP environment tested against CIS benchmarks, CSP-specific attack paths, IAM misconfigurations, exposed storage, and lateral movement across accounts or subscriptions. Cloud control-plane and data-plane covered as separate paths.
Type 5
Social Engineering & Phishing
Targeted phishing, pretext calls, and physical social engineering against agreed personnel groups. Outcomes measured against the awareness program, the email security stack, and the help-desk procedures the team relies on.
Type 6
Red Team Exercise
Objective-based adversary emulation against the full program. TTPs mapped to MITRE ATT&CK. Detection and response measured at every stage. The exercise the SOC, the IR team, and the CISO want when the question is whether the program actually works.
Seven stages. PTES-aligned. The exploitation chain is reconstructed in the report.
Every engagement follows the same documented methodology, anchored in the Penetration Testing Execution Standard and NIST SP 800-115. The artifact is the same shape for an external network test and a red team exercise; the depth and the objective change, not the rigor.
Methodology
Stage 1
Pre-engagement
Scope, objectives, success criteria, Rules of Engagement, escalation contacts, blackout windows, and the legal authorization that puts the engagement on contract.
Stage 2
Intelligence Gathering
OSINT and passive reconnaissance. Footprinting the target's external posture from the position a real attacker would start from.
Stage 3
Threat Modeling
Attack paths prioritized against the agreed objective. Likely TTPs selected. MITRE ATT&CK technique IDs flagged for the operational plan.
Stage 4
Vulnerability Analysis
Manual and automated identification of exploitable weaknesses against the in-scope surface. Findings validated before they're cited in the report.
Stage 5
Exploitation
Validated exploitation. Initial access, then lateral movement and privilege escalation as scope permits. Every action logged with timestamp, technique, and operator.
Stage 6
Post-Exploitation
Action on objective. Persistence, data access, evidence captured, and impact established against the agreed success criteria.
Stage 7
Reporting & Debrief
Written report with executive summary, exploitation chain, evidence, severity-rated findings, and remediation plan. Technical debrief and executive readout.
Real-world exploitation chains, translated into defensive action.
What's Included
After this engagement, you will have:
A written report, with the exploitation chain
Not a scanner export. A narrative of how the objective was reached: initial access, lateral movement, privilege escalation, action on objective. Each step paired with the evidence, the screenshot, and the technique ID that supports it.
Severity-rated findings with remediation guidance
Findings rated against CVSS plus business context. Remediation written for the engineer who has to fix it, not for the form. Cross-mapped to OWASP, CIS, NIST, or the framework the audit calls for.
An executive summary for the board and the customer
The artifact the audit committee, the customer, and the cyber insurer were asking for. Written in business language, with the objective, the outcome, and the residual risk framed at the right altitude.
MITRE ATT&CK mapping (red team engagements)
Every TTP cited by technique ID. Detection coverage measured against the SOC's actual telemetry. Gaps named, with the rule, the log source, or the playbook that would close them.
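The detection map described above, as an added example that is not Fortellar's own tooling: it joins a constructed red-team attribution log (timestamp, technique ID, tactic, operator) with a constructed SOC alert feed and reports, per ATT&CK tactic, which actions produced a timely alert and which are gaps. The 30-minute matching window and the rule names are assumptions; the technique IDs are real ATT&CK identifiers.

```python
"""Detection-coverage map for a red team attribution log.
Added example, not Fortellar's tooling. Action log, alert feed, rule names
and the 30-minute matching window are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed attribution log: (timestamp, ATT&CK technique, tactic, operator).
ACTIONS = [
    ("2025-03-10T09:02:00", "T1566.001", "initial-access", "op1"),
    ("2025-03-10T09:40:00", "T1059.001", "execution", "op1"),
    ("2025-03-10T10:15:00", "T1003.001", "credential-access", "op2"),
    ("2025-03-10T11:05:00", "T1021.002", "lateral-movement", "op2"),
    ("2025-03-10T12:30:00", "T1048.003", "exfiltration", "op1"),
]

# Constructed SOC alert feed: (timestamp, technique the rule is tagged with, rule).
ALERTS = [
    ("2025-03-10T09:03:10", "T1566.001", "mail-gateway-phish-click"),
    ("2025-03-10T10:21:45", "T1003.001", "edr-lsass-access"),
    ("2025-03-10T14:00:00", "T1021.002", "smb-admin-share-logon"),  # fired ~3h late
]

def match_alerts(actions, alerts, window=timedelta(minutes=30)):
    """Pair each action with the first same-technique alert that fired inside
    `window` after it. Returns (technique, tactic, operator, rule_or_None)."""
    results = []
    for ts, tech, tactic, op in actions:
        t0 = datetime.fromisoformat(ts)
        hit = None
        for ats, atech, rule in alerts:
            if atech == tech and t0 <= datetime.fromisoformat(ats) <= t0 + window:
                hit = rule
                break
        results.append((tech, tactic, op, hit))
    return results

def coverage_by_tactic(results):
    """Return ({tactic: fraction of actions detected}, [(tactic, technique) gaps])."""
    total, hits, gaps = {}, {}, []
    for tech, tactic, _op, rule in results:
        total[tactic] = total.get(tactic, 0) + 1
        if rule:
            hits[tactic] = hits.get(tactic, 0) + 1
        else:
            gaps.append((tactic, tech))
    return {t: hits.get(t, 0) / n for t, n in total.items()}, gaps

if __name__ == "__main__":
    cov, gaps = coverage_by_tactic(match_alerts(ACTIONS, ALERTS))
    print(cov, gaps)
```

Each gap names the tactic and technique that produced no timely alert, which is the line item the debrief pairs with the rule, log source, or playbook that would close it; the late SMB alert is counted as a gap because a rule that fires three hours after the action does not help the responder.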
A technical debrief with the engineering team
A working session, not a slide deck, with the operators who ran the engagement. Reproduction steps walked, remediation prioritized, follow-up testing scoped if needed.
A retest, included
After remediation, a focused retest of the named findings is included in scope. The closing artifact is a re-validated report, not a second invoice.
How real adversarial testing differs from the engagement you've seen before.
The space is full of engagements branded as "pen testing" that deliver a different artifact entirely. These are the patterns we don't ship.
What This Isn't
A reformatted scanner report
A vulnerability scan run by a junior, exported to PDF, and given a cover page. Useful as a scan. Not a pen test. We don't substitute scanner output for manual exploitation, and we don't cite findings we didn't verify.
An unscoped, open-ended engagement
"We'll see what we find." No objective, no Rules of Engagement, no closing date. We don't operate this way. The objective and the window are agreed in writing before testing begins, and the report ties back to both.
Ongoing vulnerability scanning
Continuous scanning is the run-state of the vulnerability program: a separate service on a different cadence. Pen testing is a defined engagement with a beginning, a middle, and an end. They complement each other; they don't substitute.
A security audit
An audit reads the controls on paper. A pen test tests them on the wire. They answer different questions, and the report from one is not the answer to the question the other was asked.
A marketing "red team"
A two-day exercise branded as a red team to clear a procurement line. Real red team work runs against a real objective, over a real window, with TTPs mapped to ATT&CK and detection coverage measured. Anything shorter is a scoped pen test; that's fine, but it should be sold as one.
A finding list without remediation
A report that names the problem and walks away. Our remediation guidance is written for the engineer who has to ship the fix, and the retest is included in scope. The engagement ends when the findings close, not when the report lands.
Four phases. Scoped. Authorized. Reported. Retested.
How It Works
Phase 1
Scoping & Rules of Engagement
A pre-engagement workshop confirms the objective, the in-scope surface, the testing window, the escalation contacts, the blackout periods, and the success criteria. A signed Rules of Engagement document closes the scope. Legal authorization is on file before the first packet leaves the operator's workstation.
Phase 2
Intelligence & threat modeling
OSINT, passive reconnaissance, and footprinting from the position a real adversary would start from. Threat modeling prioritizes attack paths against the agreed objective. Likely TTPs are selected and mapped to MITRE ATT&CK technique IDs for the operational plan.
Phase 3
Exploitation & action on objective
Validated exploitation against the in-scope surface. Lateral movement and privilege escalation as scope permits. Every action logged with timestamp, technique, and operator. For red team engagements, detection coverage is measured at each stage and the SOC's response is observed without being interfered with.
Phase 4
Reporting, debrief & retest
The written report is drafted, peer-reviewed by a senior operator, and walked through with the engineering team and the executive sponsor. After remediation, a focused retest of the named findings is included in scope, and the report is re-validated against the closed findings.
You Walk Away With (Phase 1):
A scoping memo with objective, surface, and success criteria.
A signed Rules of Engagement document with escalation contacts.
A testing schedule with blackout windows and operator roster.
You Walk Away With (Phase 2):
An intelligence package on the target surface.
A prioritized attack path map.
An operational plan with technique IDs and operator assignments.
You Walk Away With (Phase 3):
A documented exploitation chain with evidence per step.
An attribution log with timestamps and techniques.
For red teams: a detection map against ATT&CK tactics.
You Walk Away With (Phase 4):
A written report with executive summary and technical detail.
A working debrief with the engineering and SOC teams.
A retest pass and a re-validated closing report.
Operating Posture
76%
Engineer-led coverage
Expertise This Work Draws On
The components behind a Penetration Testing & Red Team engagement.
Cybersecurity & Compliance · Offensive Security
Senior operators with sustained hands-on experience across external, internal, application, and cloud surfaces. Reports are peer-reviewed, exploitation is validated, and the methodology is documented against PTES and NIST SP 800-115 — not improvised on the engagement.
Cybersecurity & Compliance · Threat Engineering & Detection
Red team engagements run alongside the detection engineering practice, so every TTP mapped to ATT&CK is paired against the telemetry and the rules the SOC actually has. The output is offense findings and defense gaps in the same report.
Cloud & Technology Infrastructure · Cloud Security & Governance
Cloud pen testing reads against the same hardened-landing-zone reference architecture the practice ships. AWS, Azure, and GCP control-plane attack paths are part of the published methodology, not a one-off engagement skill.
Cybersecurity & Compliance · Incident Response Readiness
Red team debriefs feed directly into IR plan refinement, tabletop scenarios, and the playbook library so the lessons from the exercise land where they need to land, not in a folder no one re-opens.
Where To Next
A scoped engagement, a written report, and the retest that closes the findings on a defined window.
Thirty minutes with a senior partner. Bring the trigger asking for the test, the surface you need scoped, and the audience that will read the report, and we'll size the engagement on the call.
© 2025 Fortellar. All rights reserved.