BastionSec
Security testing · VA · Pentest · Red Team

Real pentests. Reports that hold up. No theatre.

Vulnerability assessment and penetration testing with recognised methodologies, and a report your client's CISO can read without raising an eyebrow.

  • VA, penetration testing and red team: three different things, explained properly.
  • CVSS severity, PoC that proves impact, remediation and retest.
  • It's our most verifiable line: see an anonymised sample report.

It's what we already do, month after month

Security testing is our most established line: recurring, real reports delivered to real clients. It's also the most verifiable deliverable there is: a report either holds up in front of a technical reviewer, or it doesn't. Ours holds up.

Sample report (anonymised)

See an anonymised example: executive summary, a finding with CVSS, evidence. Judge the work before you commit.

See the report

Stuck-deal scenario

An enterprise client sent you a security questionnaire or requires a pentest to close the contract.

Go to path

Three different things, and when you need which

Getting the distinction right is a matter of credibility: a technical buyer notices instantly when the terms are blurred.

Vulnerability Assessment (VA)

Systematic identification of vulnerabilities (automated scanning + manual verification). Output: an inventory with CVSS severity, no active exploitation. Good for a broad, recurring snapshot.

Penetration Test

Controlled exploitation to prove the real-world impact of a flaw, not just its existence. This is what enterprise clients, SOC 2 and ISO 27001 ask for.

Red Teaming

Simulating a real adversary against objectives (not a scope), often stealthy. Advanced: it makes sense when you already have a mature posture to stress-test.

What we test, and how

What (scope): web apps and APIs, network (external/internal), cloud (configuration review), identity/Active Directory, and, on request, social engineering.

How (approach): black-box (no prior information), grey-box (partial credentials/access), white-box (full access to code and architecture). We pick the approach based on what you actually want to find, and on the budget.

Recognised methodologies, measurable severity

We work to reference methodologies: OWASP (Top 10, WSTG/ASVS for web), PTES, NIST SP 800-115, OSSTMM, with technique mapping to MITRE ATT&CK where useful.

Every finding carries a severity computed with CVSS: no gut-feel 'high/low', but a shared, defensible scale.

What's inside the report

  • An executive summary non-technical readers understand (what, how serious, what to do).
  • Technical findings with CVSS risk and context.
  • PoC / evidence proving real-world impact.
  • Concrete, prioritised remediation guidance.
  • A retest after fixes, to close the loop.

Want to see what it actually looks like? See an anonymised sample report.

Testing once isn't enough

Code changes, and so do threats. Periodic testing, recurring VA plus manual pentests on a defined cadence, keeps your posture alive and feeds your Trust Center, so you can prove to clients you're genuinely tested. It's also how you arrive at ISO surveillance audits ready.

Continuous-security retainer

We structure periodic testing into a retainer: recurring VA, pentests on a defined cadence, a posture that stays alive.

Explore the retainer

Trust Center

Periodic testing feeds your Trust Center: you prove to clients you're genuinely tested.

Learn more

What it costs

'From' pricing, driven by scope and approach (a focused web pentest costs less than a multi-asset programme). We define it after a short scoping call.

The recurring (retainer) mode has its own dedicated plan. See the pricing page.

Frequently asked

What's the difference between VA, pentest and red team?

A VA identifies vulnerabilities (without exploiting them); a pentest exploits them in a controlled way to prove real-world impact; a red team simulates an adversary against objectives, often stealthily. Three different levels: we tell you which one fits your goal.

Black-box or white-box?

It depends on what you want to find. Black-box simulates an outside attacker with no information; white-box (access to code/architecture) finds more in less time. Grey-box is often the best compromise. We decide together during scoping.

Do you retest after I fix the issues?

Yes: the retest after fixes is part of our approach. It confirms vulnerabilities are actually closed: a report without a retest tells only half the story.

How often should I test?

It depends on how fast your software changes and on your clients' requirements. A periodic, recurring cadence keeps your posture alive and feeds the Trust Center. We tune it to your case.

Is the report useful for SOC 2 or ISO 27001?

Yes: a pentest and documented vulnerability management are useful evidence for both ISO 27001 and SOC 2, and reassure enterprise clients. We coordinate testing with your certification/attestation path.

How do you rate the severity of an issue?

With CVSS, the industry standard for severity: a shared, defensible scale, not a gut-feel judgement. Every finding shows its score and context.

Do my data and results stay confidential?

Yes. Reports and client data are handled confidentially and kept out of public repositories: secure information handling is exactly what we sell, so we practise it first.

Do you do red teaming?

Yes, but we only recommend it when it makes sense: red teaming stress-tests an already-mature posture. For most cases a focused pentest is the right call, and we'll say so honestly.

Go deeper

Sample report

An anonymised pentest report: executive summary, a finding with CVSS, evidence and remediation.

See the report

ISO 27001 and SOC 2

Testing as evidence for ISO 27001 certification and SOC 2 attestation.

Learn more

Continuous security

Periodic testing and a maintained Trust Center: your posture stays alive, not a one-off event.

Explore the retainer

Want to know where you're really exposed?

Tell us what you need: we'll define scope and approach, and tell you honestly what is actually required.