Starter
1 — 50 IPs · 1 — 5 domains · single cloud · simple WAF.
5 — 7
$4k — $9k
Methodology Brief · External + Internal · Assumed-Breach
TLP: Amber
Section 01 // Overview
Network
Penetration
Testing.
Two modules under one engagement contract: External — everything reachable from the internet, and Internal — assumed-breach against your AD / cloud / endpoint stack. Run independently, or sequentially in a single window.
Modules
2
External · Internal
Duration
5 — 30 days
Per module
External Floor
$4k → $35k+
Starter → Custom
Internal Floor
$8k → $80k
Starter → Custom
Section 02 // Engagement Tiers
Four tiers, per module.
Pricing tracks asset count and architectural complexity. The Standard tier covers ~70% of mid-market engagements.
External Module
Standard
51 — 200 IPs · 6 — 25 domains · multi-cloud or VPN gateways.
8 — 12
$9k — $18k
Enterprise
201 — 500 IPs · 25+ domains · multi-cloud + multiple gateways.
12 — 20
$18k — $35k
Custom
500+ IPs across subsidiaries · multi-region.
20 — 30
$35k +
Internal Module
Starter
1 — 50 hosts · 1 AD domain · no cloud · non-stealth.
7 — 10
$8k — $15k
Standard
51 — 200 hosts · 1 — 2 AD domains · basic cloud · balanced posture.
10 — 15
$12k — $28k
Enterprise
201 — 500 hosts · multi-domain · hybrid Azure AD · AD CS.
15 — 20
$25k — $45k
Custom
500+ hosts · multi-domain + multi-cloud · full stealth.
20 — 30
$40k — $80k
External Module
Section 03 // Asset Scope & Controls
What we test, and how loud.
Scope is asset-defined: we only touch what's on the list. Controls posture decides whether we go through your WAF or around it.
Special services we look for
High-value exposed services that warrant dedicated test passes.
VPNOpenVPN · IPsec · WireGuard · SSL-VPN endpoints
RDPRDP gateways · Remote Desktop Web Access
SSHBastion hosts and jump servers
MAILOWA · webmail portals · M365 federated endpoints
VDICitrix Web Interface · VDI gateways
CLOUDPublic storage · exposed metadata · vulnerable CI surface
Controls posture — you choose
Real attackers see the WAF, the rate limiters, the lockouts. We can mirror that, or bypass them for an accurate baseline of what's behind.
WAF · Bypass
Through the wall
We're whitelisted past the WAF for an accurate baseline. Tells you what's exposed once a real attacker finds an evasion.
WAF · Active
Validate the rules
We test through the WAF. Output doubles as a WAF-rule audit — what it caught, what it missed, what tuned right.
Password Spray
Lockout-aware
Max 1 attempt per account per 4 hours. With provided usernames, or with discovery as part of the engagement.
External Module
Section 04 // Methodology
Six phases. External.
Tap any phase to expand. Each maps to one or more PTES / OWASP-equivalent activities.
01
Asset Enumeration & Reconnaissance
~1 day
PTES · Recon
Verify in-scope IPs & domains; confirm out-of-scope hard limits
Subdomain enumeration (cert transparency, DNS brute, OSINT)
Cloud asset discovery against listed accounts
CDN / WAF identification per asset
Public OSINT — GitHub, paste sites, leaked credentials
02
Service & Vulnerability Discovery
~1 — 3 days
PTES · Vuln Analysis
Full TCP / selective UDP port mapping
Service fingerprinting and version identification
N-day exposure against known CVEs (no scanner-only findings shipped)
TLS / cipher configuration audit
Web application surface enumeration on every HTTP port
03
Authentication Surface
~1 day
OWASP ATHN
Login portal discovery: web, RDP, SSH, VPN, OWA
Account enumeration & user-validity differentials
Lockout-aware password spray (only if authorized)
MFA enforcement audit — portals that bypass MFA, legacy auth
SSO / federation endpoints (SAML, OAuth)
04
Exploitation & Validation
~2 — 4 days
PTES · Exploit
Manual exploitation of every finding deemed exploitable
Web vulnerabilities — injection, IDOR, SSRF, misconfig
Service exploitation — VPN / RDP / SSH / mail surface
Proof-of-concept evidence captured for the report
No untested vulnerability is shipped as critical / high
05
Cloud Surface Review
~1 — 2 days · if in scope
CSP · IAM
Public storage buckets & object permissions
IMDSv1 / metadata service exposure
Public IAM role assumption / unauthenticated APIs
Exposed CI / build infrastructure with credentials
06
Documentation & Evidence
Continuous
QA
Daily proof-capture — nothing is reconstructed from memory
CVSS v3.1 scoring with attached environmental context
Remediation written against your stack, not a generic template
All scanner output validated before inclusion or discarded
Internal Module
Section 05 // Starting Position
Where the simulation begins.
Internal pentest is always assumed-breach — the question is "an attacker has X, what next." Pick the starting position that matches the threat you're worried about.
START · 01
Jumpbox VM
You provide RDP / SSH access to a VM that sits on the internal network. Cleanest test of internal exposure.
START · 02
VPN Access
Corporate VPN credentials + endpoint. Simulates a credential leak or stuffed VPN account.
START · 03 · Most chosen
Standard User Creds
Non-privileged AD user on a managed laptop we ship. The closest match to a successful phish.
START · 04
Physical Onsite
Rare. We connect directly inside a named site. Used for one-shot site audits, not standard engagements.
Recommendation by maturity
Honest defaults. If your situation matches the left, the right is where we'd start.
First-ever internal pentest. No prior assessment of the internal network.
Standard user creds · Managed laptop · Black/gray-box
Has done one before. You've baselined the internal once and want to push deeper.
VPN + standard user creds · Balanced posture
Mature program testing detection depth. SOC is established. You want to know if the chain rings the alarm.
Jumpbox + non-privileged creds · Stealth posture
Validating red team detection. You want a real adversary simulation, not a chain validation.
Upsell → Red Team Protocol
Internal Module
Section 06 // Crown Jewels
Tier-0 success criteria.
Engagement is shaped backwards from these assets. We pick 1 — 5 per engagement; success is reaching them or proving the path.
01Domain Controller / DA equivalent
02Production customer database
03Source code repository (Git server)
04Payment / PCI-scoped network
05Executive email (CEO / CFO mailboxes)
06Cloud management plane — AWS / Azure org
07HR systems / payroll
08Named business-critical apps (engagement-specific)
09Backup & restore infrastructure
Internal Module
Section 07 // Detection Posture
How loud should we be.
Three postures. Each changes pace, technique selection, and the cost — not the methodology floor.
Posture I · Loud
Non-Stealth
Find the issues. Detection is not the goal. Fastest path to a finding inventory.
Posture II · Default
Balanced
Moderate stealth. We document what got detected and what didn't. Best signal-to-noise.
Posture III · Stealth
Full Stealth
Adversary simulation cadence. Slower techniques, OPSEC discipline, longer engagement — priced at +25%.
Internal Module
Section 08 // Methodology
Six phases. Internal.
Tap to expand. Every TTP is documented for the detection-gap analysis.
01
Host & Service Discovery
~1 — 2 days
MITRE TA0007
Subnet mapping from the starting position
Segmentation validation — what should be unreachable, isn't
Internal SMB / RPC / RDP / SSH exposure
Internal web apps & admin panels
02
Active Directory Enumeration
~1 — 2 days
MITRE T1087 · T1018 · T1069
BloodHound data collection (LDAP, SMB, optional Kerberos)
Privileged group enumeration · Tier-0 inventory
GPO & delegation review (RBCD, unconstrained delegation)
AD CS — ESC1 through ESC11 path discovery
Hybrid Azure AD / Entra paths (where in scope)
03
Credential Access
~1 — 3 days
MITRE TA0006
Kerberoasting & AS-REP roasting
LLMNR / NBT-NS / mDNS poisoning & relaying
NTLM relay — SMB signing & LDAP signing audit
Credential vault / browser-saved cred extraction
No LSASS dumping by default — only with explicit RoE consent
04
Lateral Movement & Privilege Escalation
~2 — 4 days
MITRE TA0008 · TA0004
Local privilege escalation — misconfigured services, ACL paths
Remote execution — PsExec / WMI / WinRM / SMB
Token impersonation & pass-the-hash where in scope
AD CS abuse paths from discovered templates
Cloud lateral — IAM role chaining where Azure / AWS in scope
05
Tier-0 / Crown-Jewel Pursuit
~2 — 3 days
Engagement-specific
Path planning against the named crown jewels
DC compromise (where DA is a target)
Application-tier crown-jewel access (DBs, code, payment systems)
Cloud management plane via federated identity paths
Impact stops at the level authorized in the RoE — document, never deploy
06
Detection Mapping & Gap Analysis
Continuous
SOC Handoff
Every TTP timestamped for SIEM back-correlation
Detection diff: what your stack caught, what it missed
Sigma rules shipped for the gaps we found
BloodHound export for the security team to inherit
Section 09 // Pricing Adjusters
Base tier, then modules.
Adjusters stack on the tier price. Most engagements pick zero or one. No retainer fees, no per-finding charges.
External Adjusters
Module · Condition
Effect
WAF bypass required (chain bypasses)
+ 15 %
Multi-region cloud + IAM testing
+ 10 %
No maintenance windows allowed (slower testing)
+ 20 %
Password spray with username discovery (vs provided list)
+ 10 %
Whitelisting NOT allowed — full external-attacker mode
+ 5 %
Cloud IAM deep dive (privilege paths)
+ 15 %
Each additional reporting language
+ 5 %
Internal Adjusters
Module · Condition
Effect
Full stealth posture (vs balanced)
+ 25 %
AD CS in scope (ESC1 — ESC11 path testing)
+ 10 %
Hybrid Azure AD / Entra integration
+ 15 %
EDR cannot be disabled on jumpbox (slower techniques)
+ 15 %
Multi-site / WAN path testing
+ 20 %
Purple-team workshop add-on (2 days)
+ $5k
Custom attack-path infographic
+ $2k
Fixed overhead included on every engagement: 5 days of report writing, 1 day of readout + revision, and a 10% schedule buffer because real environments surprise everyone.
Section 10 // Deliverables
What you receive.
01
Executive Summary
One page. Business-language. The narrative leadership and auditors will read.
02
Technical Findings Report
Severity-ordered, CVSS v3.1. Each: affected asset, repro, screenshot evidence, business impact, framework-specific fix.
03
Report Formats
PDF standard. PDF + JSON for SOC ingestion. PDF + XLSX tracker for engineering. BloodHound exports on Internal.
04
Attack-Path Visual
Mermaid / draw.io diagrams as standard. Optional custom infographic at +$2k.
05
Detection Gap Analysis
For Internal: every TTP mapped against your SIEM. We ship Sigma rules where coverage was missing.
06
Retest · Included
Free re-test for every critical / high finding within 30 days of report delivery.
Section 11 // Engagements We Decline
What we won't take.
Stated up front so no one wastes a discovery call. If your situation matches one of these, we'll say so and recommend the right path.
×
External · "Find our attack surface." Without an asset list this is an OSINT engagement, not a pentest. We'll quote the OSINT version separately.
×
External · Test third-party SaaS without consent. Vendor authorization is required. We won't test on someone else's perimeter without paperwork.
×
External · 5 days for 500 IPs. Physically impossible to do well. We'll quote real scope or decline.
×
No 24/7 escalation contact. Network pentest needs a critical-finding line. Without it the engagement is too risky.
×
Internal · No crown jewels and won't define any. Engagement has no success criteria; it will drift. We'll help you pick before we sign.
×
Internal · Leave persistence "for later use." We don't leave artifacts beyond the engagement end. Period.
×
"Prove employee X is malicious." That's an HR investigation, not a pentest. We refer it back.
×
ICS / SCADA / medical-device environments without specialist consultation. The blast radius is real. We pair with an OT-specialist firm or decline.