Manual, methodology-led penetration testing across your web applications, mobile apps, APIs, and network infrastructure. We expose exploitable weaknesses, demonstrate real-world business impact, and deliver evidence-based recommendations aligned with global standards and Hong Kong regulatory expectations.
Four dedicated engagements covering web applications, mobile apps, APIs, and network infrastructure, each scoped independently and delivered under the same methodology.
Manual exploitation of your web applications, including public portals, transactional platforms, single-page applications, and authenticated business workflows. Uncovers authentication bypasses, authorization flaws, business logic abuse, and injection vulnerabilities that scanners miss.
Hands-on assessment of your iOS and Android applications, from reverse engineering and on-device data exposure to authentication flows and client-side control bypass. Covers both native and hybrid frameworks.
In-depth testing of your REST, SOAP, GraphQL, and backend APIs. Surfaces authorization flaws, endpoint misuse, business logic abuse, and chained exploitation paths that gateways and contract tests cannot catch.
External and internal testing of your network and infrastructure, including perimeter exposure, internal segments, and Active Directory. Demonstrates how an attacker would move from initial access to compromise of critical assets.
Not sure which engagement fits your environment? Tell us about your environment, and we will recommend the right scope.
We combine elite offensive cybersecurity expertise with institutional backing to deliver penetration testing that actually drives business resilience.
Our consultants bring deep offensive cybersecurity experience from top-tier global consulting firms, backed by the industry's most rigorous certifications including OSCE³, OSEP, OSWE, OSCP, HTB CWEE, HTB CAPE, and eCPTX. We bring world-class execution to every penetration testing engagement.
No junior bait-and-switch and no offshore hand-offs. The senior consultants who scope your engagement are the ones executing the test, walking you through findings, and validating your remediation. You get the same expert from kickoff through closure.
Penetration testing requires absolute trust: you are granting access to your most sensitive systems. We are proudly supported by the HKSTP Incubation Programme and the CityU HK Tech 300 Seed Fund, making us a vetted Hong Kong cybersecurity partner with institutional accountability.
We don't deliver 200-page scanner reports. Every penetration testing engagement produces prioritised findings, attack-path narratives, proof-of-concept evidence, and remediation guidance, translated for both your engineers and your board.
Clients engage us when assurance has to be independent, findings have to be actionable, and the outcome has to hold up to auditors, regulators, customers, and the board.
Teams preparing to release new applications, deploy new infrastructure, or expand into new markets, requiring independent assurance before exposure.
Organisations preparing for PCI DSS, ISO/IEC 27001, SOC 2, HKMA C-RAF, or SFC cybersecurity examinations that require independent penetration testing evidence.
Organisations re-validating security posture following a reported intrusion, ransomware event, or significant architectural change.
Mature security programmes with annual or bi-annual testing obligations to internal risk committees, customers, or regulators.
Engineering and security teams seeking third-party verification following internal testing, bug bounty programmes, or remediation cycles.
Acquirers and investors evaluating the security posture of target organisations prior to transaction close.
A structured, repeatable methodology that delivers consistent quality across every engagement, with clear entry and exit criteria at each phase and defined responsibilities on both sides.
Define engagement boundaries, testing windows, communication protocols, and rules of engagement. Gather technical documentation, confirm authority to test, and agree on the delivery model.
Combined automated discovery and extensive manual testing across the full agreed scope. Critical issues are escalated in real time. All findings are manually verified to eliminate false positives.
A detailed technical report with executive summary, risk-rated findings, business impact analysis, proof-of-concept evidence, and prioritised remediation recommendations.
A structured walk-through of the findings with your technical team, covering issue context, exploitation impact, and remediation guidance. Support for clarification during fix implementation.
Retesting of remediated findings to confirm fixes are effective, followed by an updated risk posture and formal engagement closure. Deliverables are packaged for internal follow-up, audit, and regulatory evidence.
Every penetration testing engagement, regardless of target type, produces a comprehensive report designed to serve both technical remediation and executive decision-making.
A non-technical overview of the assessment, key findings, business impact, and recommended priorities, written for leadership, risk, and board-level stakeholders.
Each finding documented with technical description, affected components, exploitation steps, observed impact, attack-path narratives where applicable, and references to relevant standards.
Findings are rated using the Common Vulnerability Scoring System (CVSS) and the OWASP Risk Rating Methodology, combined with business-context adjustments to reflect realistic risk to your organisation.
Screenshots, request/response captures, command output, and step-by-step reproduction details that demonstrate each critical and high-severity issue without ambiguity.
Clear, prioritised recommendations mapped to each finding, including short-term containment and longer-term architectural improvements where applicable.
Every finding is mapped to OWASP, CWE, CVE identifiers, vendor advisories, and where relevant, to regulatory frameworks. This supports audit, compliance evidence, and internal knowledge transfer.
Our methodology is built on internationally recognised testing standards and mapped to the compliance frameworks most relevant to Hong Kong-regulated organisations.
A vulnerability scan is automated and identifies known weaknesses through signatures and pattern matching. A penetration test adds extensive manual investigation. Consultants validate each finding, chain issues together, exploit business logic flaws, and demonstrate real-world business impact. Scanners tell you what might be wrong; a pentest confirms what is exploitable, why it matters, and how far an attacker could go.
It depends on what you are protecting and what you need to learn. Web application testing is for customer-facing portals and authenticated business platforms. Mobile testing is for iOS and Android apps that handle sensitive data or transactions. API testing is for REST, SOAP, and GraphQL services that power applications and integrations. Network and infrastructure testing is for your external perimeter, internal network, and Active Directory environment. Many organisations begin with the assets that face the highest external exposure or fall under specific regulatory mandates, then expand from there. Our scoping call helps you identify the right starting point based on your environment, regulatory context, and risk priorities.
The right cadence depends on the rate of change in your environment, your regulatory obligations, and your risk profile. As a general guideline, annual testing is the baseline expected by most regulatory frameworks (HKMA C-RAF, PCI DSS, SOC 2). Bi-annual or quarterly testing is appropriate for high-rate-of-change environments, multi-tenant platforms, or organisations with elevated threat profiles. We also recommend retesting after significant architectural changes, post-incident remediation, major releases, and prior to the launch of new platforms. Many clients combine an annual deep pentest with continuous vulnerability assessment to maintain coverage between engagements.
All engagements are led by senior offensive security consultants. We do not assign junior operators or outsource execution to third parties. Our consultants hold recognised industry certifications across offensive security and red teaming, including credentials such as OSCE³, OSEP, OSWE, OSCP, HTB CPTS, HTB CAPE, CRTO, CRTE, CRTP, and CRTM. Every assessment is reviewed by a senior lead before delivery, ensuring consistent technical depth and reporting quality regardless of engagement type or consultant assigned.
Duration varies significantly by engagement type and scope. As a general guide: a focused web application engagement typically runs 5 to 10 business days of active testing, a mobile or API engagement runs 5 to 12 days, and a network and infrastructure engagement runs 7 to 12 days for internal or 5 to 8 days for external. All engagements include 3 to 5 additional days for reporting and review. Larger or combined engagements can extend to several weeks. Accurate estimates are provided during the scoping call based on your specific environment and objectives.
Most engagements kick off within 1 to 2 weeks of scoping sign-off, subject to consultant availability and the agreed testing window. Where a regulatory deadline or pre-launch milestone requires a faster start, we will do our best to accommodate and confirm feasibility during the scoping call.
Testing is designed to be non-disruptive. Before execution, we agree on the testing window, excluded actions (e.g. denial-of-service, destructive payloads, exploits known to risk service stability), and real-time escalation protocols. Higher-risk techniques are coordinated in advance, and critical findings are communicated immediately rather than waiting for the final report. Where production stability is particularly sensitive, we can perform reconnaissance and identification in production and exploit confirmed findings against representative non-production targets, or test out-of-hours with an open communication channel throughout. Where you operate a SOC, SIEM, or active monitoring tooling, we share testing source IPs, timing, and signatures in advance so your security team can suppress or contextualise the resulting alerts rather than triaging them as live incidents.
Any sensitive data encountered during testing is handled under strict confidentiality. We do not extract, retain, or reproduce sensitive data beyond what is strictly necessary to evidence a finding, and where possible, data is anonymised in the final report. Recovered credentials are not used outside the agreed engagement scope. Credentials provided by you for authenticated testing are held in access-controlled secrets management throughout the engagement, used only for the agreed scope and duration, and confirmed destroyed in writing after engagement closure. All engagement artefacts are stored in access-controlled environments, transmitted over encrypted channels, and securely destroyed after the agreed retention period.
Unless explicitly agreed during scoping, the following are generally excluded: denial-of-service and volumetric load testing, destructive payloads against production systems and data, social engineering and physical intrusion (these are scoped under our Red Team and Phishing Simulation services), and testing of third-party hosted infrastructure or services outside your direct control. OT/ICS environments (SCADA, PLCs, industrial control systems) and wireless network testing require specialised assessment and are scoped separately. Testing is strictly confined to the agreed scope and target list, and exploratory testing of adjacent systems or out-of-scope assets is never performed without prior written authorisation.
Yes. A complimentary retest is included with every engagement. After you have applied remediation, we re-examine each confirmed finding to verify that fixes are effective and that no regressions have been introduced, and issue an updated report reflecting closure status for each item. The retesting window is agreed with you during scoping to align with your remediation plan.
Yes. On request, we issue a formal Letter of Attestation summarising the engagement scope, testing period, methodology followed, and high-level outcome. The attestation is suitable for audit, regulatory submission, and third-party assurance purposes, including PCI DSS, SOC 2, ISO/IEC 27001, and HKMA-related obligations.
Schedule a scoping call with our specialists to define the right engagement type for your environment, regulatory context, and timeline. We will walk you through methodology, deliverables, and next steps.