Pentests that prove what an attacker can actually do
We run manual, OSCP-led penetration tests for web applications, networks, cloud environments, APIs, and mobile apps. The deliverable is a narrative report — what an attacker would do, the chain of findings that gets them there, the proof-of-concept artifacts, and prioritized remediation. Not a scanner dump with an executive summary.
If your last "pentest" was a Nessus scan with a cover page, you have not had a real one. See our explainer on penetration testing vs vulnerability scanning for the buyer's diagnostic.
What we test
- Web application pentests. OWASP-aligned testing across authentication, session management, authorization, business logic, IDOR, SSRF, and supply-chain dependencies. Tested both unauthenticated and across each user role.
- External network pentests. Internet-facing assets, exposed admin interfaces, VPN concentrators, mail servers, DNS, web servers — what a remote attacker actually has to work with.
- Internal network pentests. Assumed-breach engagements simulating a compromised endpoint or insider. Active Directory escalation, lateral movement, data-exfiltration paths.
- Cloud pentests. AWS, Azure, GCP — IAM misconfigurations, exposed storage, secret leakage, lateral movement across accounts/projects, container and serverless surface.
- API pentests. REST, GraphQL, gRPC. Authorization at object level, rate limiting, mass assignment, broken object property level authorization (OWASP API Top 10).
- Mobile pentests. iOS and Android — runtime, IPC, certificate pinning, local data storage, jailbreak/root detection, MASVS-aligned.
- SOC 2 / ISO 27001 / PCI-aligned pentests. Scoped, evidenced, and reported to satisfy your audit's requirements without paying enterprise prices.
Engagement structure
- Scoping call. 30-60 minutes. We map the attack surface, agree on rules of engagement, schedule the test window, and give you a fixed-fee proposal.
- Test execution. 1-3 weeks of testing depending on scope, with daily Slack updates if you want them. Critical findings get reported immediately so you can patch in flight.
- Reporting. Written narrative report (executive summary + technical body + remediation guidance) plus a debrief call with your engineers. Each finding includes proof-of-concept, business impact, and a remediation plan.
- Retest included. 30-day window for free retest of every finding once you've remediated. Final clean report goes to your auditor or board.
What you get that most pentests skip
- Manual chaining of findings. Five medium-severity findings combined into one critical attack path. Scanners cannot do this. We do this on every engagement.
- Business-logic testing. Authorization, workflow bypasses, financial-logic errors. Where real damage lives.
- OSCP-certified testers. No exceptions, no junior staff handoff after the kickoff.
- Audit-quality documentation. Methodology section, tool list, hash-verified evidence, written for FRE 902(13)/(14) self-authentication when needed for litigation.
- Retest, not "rescan." Manual retest of the actual finding in your actual environment.
What we will not do
- Run a Nessus scan, package the output, and call it a pentest
- Charge for findings we did not actually exploit or could not demonstrate
- Outsource testing to junior staff or third parties without your written consent
- Test outside the agreed scope or rules of engagement
- Hold your retest hostage as a separate purchase
How we price
- External web app pentest, single product: $15K–$30K fixed fee
- Internal + external network pentest, mid-market: $25K–$60K fixed fee
- Cloud pentest, single AWS/Azure account: $20K–$45K fixed fee
- SOC 2 / ISO 27001 readiness pentest: $18K–$40K fixed fee
- Multi-product or hybrid scope: custom quote, fixed fee or hourly with milestone caps
Available as referral or white-label
We deliver penetration tests directly to enterprise clients, and we sub-contract delivery for security firms, MSSPs, MSPs, and IT consultancies whose clients need an offensive specialist on call. Two structures:
- Referral partnership. You introduce. We deliver under the Varcoe.ai brand and report to the client. Compensation negotiable per relationship.
- White-label / sub-contracted. We deliver under your brand on your paper. Co-branded or invisible, your call. Quoted as a discount off our retail card.
Related
- Red team & adversary simulation — multi-week, goal-based, beyond pentest scope
- Phishing simulation — pairs with a network pentest in many engagements
- Penetration testing vs vulnerability scanning (blog)