Manual Pentest · Retest Included

Penetration Testing Service That Actually Finds What Scanners Miss

Digital Roxy runs manual penetration tests against web apps, APIs, networks, mobile apps, and cloud environments for US companies that need real findings, not checkbox scans. Every engagement is led by OSCP-certified offensive security engineers and delivered with CVSS-scored findings, exploitation proof, remediation guidance, and a free retest once your team ships the fix.

Manual Testing · OSCP Engineers · OWASP · PTES · NIST SP 800-115 · Retest Included · SOC 2 · PCI DSS · HIPAA Reports

A penetration test is a controlled cyber attack by ethical hackers.

A penetration testing service simulates real-world attackers against your systems under a signed scope. The goal is to find exploitable vulnerabilities before a criminal, ransomware operator, or nation-state actor finds them. The output is not a list of scanner alerts. It is a report of confirmed findings that have been manually verified, exploited in a safe environment, scored for business impact, and paired with specific remediation steps your engineers can act on.

Digital Roxy runs penetration tests as offensive engagements, not compliance theater. Every finding in our reports has been reproduced by a human tester. Every remediation recommendation has been written by someone who has fixed the same bug in production code. Every retest is included in the engagement fee, so your team gets a clean attestation once the fix ships.

// Why this matters

Automated scanners catch configuration mistakes and known CVEs. They miss business logic flaws, chained exploits, privilege escalation paths, and the kind of subtle authorization bugs that get companies into breach notification territory. A real pentest assumes the attacker has time, skill, and motivation.

This page is the top-level guide to our penetration testing service. If you know which testing type you need, jump to the testing types grid below. If you need a budget range, see the pricing tiers. If you have a scoping call booked, you can also download a sample report on request.

The Difference Matters

Pentest vs Vulnerability Assessment vs Red Team

These three services get sold interchangeably and they should not be. Each answers a different security question, carries a different scope, and produces a different report. Buying the wrong one costs money and leaves gaps.

Dimension                | Vulnerability Assessment    | Penetration Test                        | Red Team Engagement
Core Question            | What vulnerabilities exist? | Can those vulnerabilities be exploited? | Can we breach the business undetected?
Primary Method           | Automated scanning          | Manual exploitation                     | Goal-driven adversary simulation
Scope                    | Broad · shallow             | Defined · deep                          | Enterprise · multi-vector
Typical Duration         | 1 to 3 days                 | 1 to 4 weeks                            | 6 weeks to 3 months
Proof of Exploit         | Rarely                      | Always                                  | Always
Detection Evasion        | No                          | Partial                                 | Yes
Compliance Fit           | Monthly scan requirement    | Annual PCI, SOC 2, HIPAA, ISO           | Mature security programs
Typical Cost (US market) | $500 to $3,000              | $4,000 to $40,000                       | $50,000+

How We Test

Our Methodology is PTES, OWASP, and NIST Aligned

Every Digital Roxy penetration test follows the Penetration Testing Execution Standard, with OWASP Top 10 coverage for web targets and NIST SP 800-115 structure for reporting. Seven phases, documented handoffs at each gate, no shortcuts.

PHASE 01

Pre-engagement & Scoping

We define targets, exclusions, rules of engagement, test windows, and emergency contacts in a signed scope document. Production environments get explicit sign-off. Third-party hosted assets (AWS, Azure, Cloudflare) get provider notification when required. Nothing starts until the scope is locked.

PHASE 02

Intelligence Gathering (OSINT)

Passive reconnaissance against the target attack surface. DNS enumeration, subdomain discovery, certificate transparency logs, employee profiling from public sources, exposed credentials on breach dumps, leaked source code on public Git platforms. This phase finds what you did not know was exposed.

PHASE 03

Threat Modeling

We map the target to a concrete threat model. Who attacks this asset and why. What data would they want. What is the realistic attack path from external to crown jewels. This is not a generic STRIDE exercise. It is a tailored model that drives what gets tested hardest.

PHASE 04

Vulnerability Analysis

Automated scanning gets used here, and only here, to build coverage breadth. Burp Suite Pro, Nuclei, Nessus, and custom tooling identify candidate issues. Every automated finding then flows into the next phase for manual verification. Raw scanner output never makes it into the final report.

PHASE 05

Exploitation

This is where the pentest stops looking like a scan and starts looking like an attack. Manual testers chain findings into real exploit paths: an exposed .git directory, a default admin credential, and a privilege escalation CVE combine into a full takeover scenario, documented with request and response captures, screenshots, and proof-of-concept code.

PHASE 06

Post-Exploitation

Once an exploit works, we ask the follow-up question attackers ask: what does this foothold unlock? Lateral movement testing, privilege escalation, persistence simulation, and data access assessment. We stop at the pre-agreed boundary every time. No data exfiltration. No destructive actions. Proof of access is enough.

PHASE 07

Reporting & Retest

Every engagement ends with an executive summary for leadership, a technical report with CVSS-scored findings and full reproduction steps for engineers, a compliance attestation letter for auditors, and a free retest after your team ships the fix. Clean retest means a clean attestation.

BONUS

Knowledge Transfer

Every report is accompanied by a live debrief with your engineering team. We walk through the exploit chains, explain why each finding matters in your architecture, and answer questions. Your developers leave the call knowing how to prevent the same class of bug from shipping again.

Testing Types

Pick the Pentest Your Stack Actually Needs

Every testing type has its own methodology, toolset, and report format. A web app pentest is not a network pentest. Mobile app testing is not API testing. Choose by asset, not by vendor marketing.

Compliance

We Test Against the Frameworks Your Auditors Recognize

Every engagement ships with a compliance attestation letter tailored to the framework your auditor wants. One pentest, the right documentation for whichever standard is on the line.

Annual Required

PCI DSS 4.0

Requirement 11.4 mandates annual external and internal penetration testing for any environment storing, processing, or transmitting cardholder data. Our reports include segmentation testing validation, which PCI explicitly requires for merchants claiming reduced scope.

CC7.1 Evidence

SOC 2 Type II

The SOC 2 Trust Services Criteria CC7.1 (detection and monitoring) and CC4.1 (risk assessment) both reference external security testing. A current penetration test report is the cleanest evidence artifact auditors accept for these controls.

HIPAA Security Rule

HIPAA

The HIPAA Security Rule requires covered entities to conduct a regular risk analysis of ePHI systems. Penetration testing is the recognized method for validating technical safeguards under 45 CFR 164.308(a)(1)(ii)(A). Reports are BAA-ready.

Annex A.12.6

ISO 27001

ISO 27001 Annex A.12.6 on technical vulnerability management and the ISO 27002 guidance on intrusion testing both align with an annual penetration test. Reports are structured to map findings directly to Annex A control references for your ISMS evidence package.

Article 32

GDPR

GDPR Article 32 requires a process for regularly testing the effectiveness of technical measures. A pentest is the direct evidence artifact for this obligation. Reports include data-flow findings relevant to Article 32(1)(d) for EU and UK-regulated data.

PR.DS · PR.IP

NIST CSF 2.0

The NIST Cybersecurity Framework Protect and Detect functions both call for regular testing. Reports are tagged against NIST CSF 2.0 subcategories (PR.DS-01, PR.IP-07, DE.CM-08) so your governance team can slot findings directly into the framework.

Sample Findings

What a Real Pentest Report Actually Contains

These are the classes of findings our engagements surface every month. Not scanner warnings. Confirmed vulnerabilities with proof-of-exploit and remediation steps.

Critical · CVSS 9.8

Pre-auth Remote Code Execution

An unauthenticated endpoint accepts serialized objects without type validation. Crafted payload triggers deserialization against a gadget chain, giving shell access to the application server. Found in a Fortune 500 internal portal, patched within 72 hours of disclosure.

Critical · CVSS 9.1

IDOR Exposing All Customer Records

Sequential user IDs in an API response, no object-level authorization check. Iterating IDs exposes name, email, phone, and purchase history of every customer. A single exploit chain that would trigger breach notification under state laws in all 50 states.
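The fix for this class of finding is an object-level authorization check that lives inside the lookup itself. The following is an added example written for this page, not Digital Roxy code or a client's code. The in-memory customer table, the user ids and the `visible_ids` helper are all constructed for illustration; the shape mirrors the finding: sequential ids and an endpoint that returns whatever id it is handed.

```python
"""Object-level authorization on a record endpoint (added example).

The in-memory table and user ids are constructed; the shape mirrors the
finding above: sequential ids and a lookup with no ownership check.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Customer:
    id: int
    owner_user_id: int  # the authenticated user this record belongs to
    name: str
    email: str


# Constructed sample data with sequential ids, as in the finding.
_CUSTOMERS = {
    1: Customer(1, owner_user_id=101, name="Ada", email="ada@example.com"),
    2: Customer(2, owner_user_id=102, name="Ben", email="ben@example.com"),
    3: Customer(3, owner_user_id=101, name="Cy", email="cy@example.com"),
}


class NotFound(Exception):
    """Maps to HTTP 404 at the API layer."""


def get_customer_vulnerable(customer_id: int, caller_user_id: int) -> dict:
    """The bug: the caller is authenticated (we know caller_user_id), but the
    lookup never asks whether the requested record belongs to them."""
    rec = _CUSTOMERS.get(customer_id)
    if rec is None:
        raise NotFound(customer_id)
    return {"id": rec.id, "name": rec.name, "email": rec.email}


def get_customer(customer_id: int, caller_user_id: int, caller_is_admin: bool = False) -> dict:
    """The fix: ownership is part of the lookup predicate. A record the caller
    does not own is reported exactly like a missing one, so the endpoint
    does not confirm which ids exist."""
    rec = _CUSTOMERS.get(customer_id)
    if rec is None or (rec.owner_user_id != caller_user_id and not caller_is_admin):
        raise NotFound(customer_id)
    return {"id": rec.id, "name": rec.name, "email": rec.email}


def visible_ids(fetch: Callable[[int, int], dict], caller_user_id: int, ids: Iterable[int]) -> list[int]:
    """Retest-style check: walk an id range as one caller and list what comes back.
    A correct endpoint returns only that caller's own records."""
    seen = []
    for i in ids:
        try:
            fetch(i, caller_user_id)
            seen.append(i)
        except NotFound:
            pass
    return seen
```

Returning 404 for both "missing" and "not yours" is a deliberate choice: a 403 on foreign ids would still tell a caller which ids exist, which is the enumeration signal the finding depends on.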

High · CVSS 8.6

SSRF to AWS Metadata Service

Image proxy accepts arbitrary URLs and fetches them server-side. Request to http://169.254.169.254/latest/meta-data/iam/security-credentials returns long-lived AWS access keys. Full cloud account compromise from a single uploaded image URL.
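The remediation for this finding is to validate the fetch target before the server connects, and to connect to the validated address rather than re-resolving the name. The following is an added example written for this page, not Digital Roxy code. The resolver is injected so the check runs offline here; the DNS table, the hostnames and the IP addresses in it are constructed. In production the resolver would wrap `socket.getaddrinfo`.

```python
"""Outbound URL validation for a server-side fetcher such as an image proxy (added example).

The resolver is injected so the check runs offline; the DNS table below is
constructed. Connect to the address this function returns, not to the
hostname again, so a second resolution cannot change the answer.
"""
from __future__ import annotations

import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


class UnsafeURL(ValueError):
    """Raised for any URL the proxy must refuse to fetch."""


def _is_internal(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 checks apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_link_local covers 169.254.0.0/16, which includes the metadata endpoint
    # named in the finding; the other flags block RFC 1918, loopback, etc.
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_target(url: str, resolve: Callable[[str], Iterable[str]]) -> str:
    """Return the single IP literal the fetcher may connect to, or raise UnsafeURL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        raise UnsafeURL("malformed port")
    if port not in ALLOWED_PORTS:
        raise UnsafeURL(f"port {port} not allowed")
    try:
        candidates = [ipaddress.ip_address(host)]  # IP literal, no DNS involved
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolve(host)]
    if not candidates:
        raise UnsafeURL(f"{host!r} did not resolve")
    # Every answer must be external; a name with one internal record is refused.
    for ip in candidates:
        if _is_internal(ip):
            raise UnsafeURL(f"{host!r} resolves to internal address {ip}")
    return str(candidates[0])


def _constructed_resolver(host: str) -> list[str]:
    # Constructed DNS table standing in for real resolution.
    table = {
        "images.example.com": ["93.184.216.34"],
        "cdn.example.com": ["93.184.216.34", "93.184.216.35"],
        "alias.example": ["169.254.169.254"],  # a public name pointing at metadata
    }
    return table.get(host, [])


def check(url: str) -> str:
    """Classify a URL as 'allow:<ip>' or 'deny:<reason>' using the constructed resolver."""
    try:
        return "allow:" + validate_fetch_target(url, _constructed_resolver)
    except UnsafeURL as exc:
        return "deny:" + str(exc)
```

A denylist of `169.254.169.254` alone is not enough: the same endpoint is reachable through a DNS name, an IPv4-mapped IPv6 literal, or a redirect, which is why the check classifies every resolved address and the fetcher must also refuse to follow redirects to anything that fails the same check.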

High · CVSS 8.1

JWT Signing Key Confusion

JWT validation accepts both RS256 and HS256 algorithms without enforcing the expected algorithm. Attacker signs a new token using the public key as an HMAC secret, granting arbitrary user impersonation including admin role.
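The fix is algorithm pinning: the expected algorithm comes from server configuration and is compared against the token header before any key material or signature bytes are touched. The following is an added example written for this page, not Digital Roxy code. It uses only the standard library, so RSA signature verification itself is left out (marked as such in the code); the HS256 secret and the placeholder "public key" text are constructed.

```python
"""Algorithm pinning for JWT verification (added example).

Standard library only. RSA verification is intentionally omitted; the point
is that the expected algorithm comes from configuration, never from the token.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 token; used here only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def _hs256_valid(signing_input: bytes, sig: bytes, key: bytes) -> bool:
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def verify_vulnerable(token: str, key_material: bytes) -> dict:
    """The bug: the token header decides which algorithm the server runs.

    A service deployed for RS256 passes its RSA public key PEM as
    key_material. If a token claims HS256, that public PEM becomes the HMAC
    secret, and anyone who can read the public key can produce a valid MAC.
    """
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    signing_input = f"{header_b64}.{body_b64}".encode()
    if header.get("alg") == "HS256":
        if not _hs256_valid(signing_input, _b64url_decode(sig_b64), key_material):
            raise ValueError("bad signature")
        return json.loads(_b64url_decode(body_b64))
    if header.get("alg") == "RS256":
        raise NotImplementedError("RSA verification omitted in this example")
    raise ValueError("unsupported alg")


def verify_pinned(token: str, expected_alg: str, key_material: bytes) -> dict:
    """The fix: any token whose header alg differs from the configured one is
    rejected before key material or the signature is examined."""
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')!r} rejected; service pinned to {expected_alg}")
    signing_input = f"{header_b64}.{body_b64}".encode()
    if expected_alg == "HS256":
        if not _hs256_valid(signing_input, _b64url_decode(sig_b64), key_material):
            raise ValueError("bad signature")
        return json.loads(_b64url_decode(body_b64))
    raise NotImplementedError("RSA verification omitted in this example")


def demo() -> dict:
    """Run the confused token through both verifiers and a legitimate HS256 case."""
    # Constructed placeholder for an RSA public key PEM: public by design,
    # so it is worthless as an HMAC secret.
    public_key_pem = b"-----BEGIN PUBLIC KEY-----\nEXAMPLE-ONLY-NOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"
    confused = sign_hs256({"sub": "alice", "role": "admin"}, public_key_pem)
    vulnerable_role = verify_vulnerable(confused, public_key_pem).get("role")
    try:
        verify_pinned(confused, "RS256", public_key_pem)
        pinned_accepted = True
    except ValueError:
        pinned_accepted = False
    # A genuine HS256 deployment with its own secret still verifies under the pin.
    secret = b"constructed-hs256-secret-at-least-32-bytes!!"
    legit_sub = verify_pinned(sign_hs256({"sub": "bob"}, secret), "HS256", secret)["sub"]
    return {"vulnerable_role": vulnerable_role, "pinned_accepted": pinned_accepted, "legit_sub": legit_sub}
```

In a real deployment the pin is a single configured algorithm per key (most libraries expose an `algorithms=[...]` allowlist for this); the point of the example is that the decision must never be read from the untrusted header.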

High · CVSS 7.5

Exposed Git Repository on Production

/.git/ directory accessible from the production web root. Full source code extraction including database credentials, S3 access keys, and a historical commit containing a private signing key that was "removed" in a later commit. Git history is forever.

Medium · CVSS 6.5

Active Directory Kerberoasting

Service account with SPN set and a weak password yields a TGS ticket that gets cracked offline in under two hours. Service account runs with local admin rights on the file server, providing lateral movement into the finance department share.
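On the detection side, a Kerberoasting run leaves a recognisable trace: one account requesting RC4-encrypted service tickets for several distinct service accounts in a short span. The following is an added example written for this page, not Digital Roxy code. The event lines are constructed in a simplified key=value form; the fields mirror what Windows records in Security event 4769 (service ticket requested), where ticket encryption type 0x17 is RC4-HMAC and 0x12 is AES256. The account and service names are constructed.

```python
"""Detection logic for Kerberoasting-style ticket requests over sample events (added example).

Constructed, simplified key=value lines; the fields mirror Security event
4769: requesting account, service name, ticket encryption type.
"""
from __future__ import annotations

from collections import defaultdict

RC4_HMAC = "0x17"
SERVICE_TICKET_EVENT = "4769"

# Constructed sample log lines. contractor7 pulls RC4 tickets for several
# distinct service accounts within seconds; jdoe has one legacy RC4 request.
SAMPLE_EVENTS = [
    "time=09:00:01 event_id=4769 account=jdoe service=svc_sql enc=0x12",
    "time=09:00:02 event_id=4769 account=jdoe service=WS01$ enc=0x12",
    "time=09:05:10 event_id=4769 account=contractor7 service=svc_sql enc=0x17",
    "time=09:05:11 event_id=4769 account=contractor7 service=svc_backup enc=0x17",
    "time=09:05:11 event_id=4769 account=contractor7 service=krbtgt enc=0x17",
    "time=09:05:12 event_id=4769 account=contractor7 service=WS02$ enc=0x17",
    "time=09:05:13 event_id=4769 account=contractor7 service=svc_web enc=0x17",
    "time=09:40:00 event_id=4769 account=jdoe service=svc_legacy enc=0x17",
    "time=09:41:00 event_id=4768 account=jdoe service=krbtgt enc=0x12",
]


def _parse(line: str) -> dict:
    fields = dict(part.split("=", 1) for part in line.split())
    h, m, s = (int(x) for x in fields["time"].split(":"))
    fields["t"] = h * 3600 + m * 60 + s
    return fields


def _is_roastable_service(name: str) -> bool:
    # Machine accounts (trailing '$') and krbtgt are excluded: they are not the
    # weak-password, SPN-bearing service accounts the finding describes.
    return not name.endswith("$") and name.lower() != "krbtgt"


def detect_kerberoast(lines, window_s: int = 300, min_services: int = 3) -> list[dict]:
    """Flag accounts requesting RC4 service tickets for >= min_services distinct
    roastable services within any window_s span. Every RC4 ticket to a service
    account is also reported, since AES-only SPNs should never produce 0x17."""
    per_account: dict[str, list[tuple[int, str]]] = defaultdict(list)
    rc4_tickets = []
    for line in lines:
        ev = _parse(line)
        if ev["event_id"] != SERVICE_TICKET_EVENT or ev["enc"] != RC4_HMAC:
            continue
        if not _is_roastable_service(ev["service"]):
            continue
        per_account[ev["account"]].append((ev["t"], ev["service"]))
        rc4_tickets.append({"kind": "rc4_ticket", "account": ev["account"], "service": ev["service"]})
    alerts = []
    for account, reqs in per_account.items():
        reqs.sort()
        best: set[str] = set()
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window_s}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_services:
            alerts.append({"kind": "kerberoast_burst", "account": account, "services": sorted(best)})
    return alerts + rc4_tickets
```

The burst rule catches the pattern; the per-ticket RC4 report is the longer-term fix signal, since the underlying mitigation for the finding is a long random password on the service account (or a group managed service account) and AES-only encryption types so that a captured ticket is not crackable offline in the first place.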

Deliverables

You Receive Six Artifacts, Not a PDF Dump

Every Digital Roxy pentest engagement ships with the full documentation package your leadership, engineering, and audit teams each need.

Executive Summary

Two pages, non-technical. Risk posture, critical findings, business impact, and remediation timeline. Written for the board and C-suite, not engineers.

Technical Report

Full findings with CVSS 3.1 scores, exploit reproduction steps, request and response captures, screenshots, and architectural recommendations. The report engineers actually use.

Compliance Attestation Letter

Signed letter tailored to PCI DSS, SOC 2, HIPAA, ISO 27001, or the specific framework driving the engagement. The artifact your auditor needs.

Retest Report

After your team ships fixes, we retest every finding and produce a clean retest report showing status: Fixed, Partially Fixed, or Open. Retest is included in the original engagement fee.

Live Debrief Call

60-minute working session with your engineering team. We walk through exploit chains, answer questions, and discuss remediation approaches specific to your stack.

Remediation Roadmap

Prioritized fix plan with effort estimates and code-level guidance. Designed as a working document your team can execute against, not a security team wishlist.

Pricing

Transparent Pricing. Scoped in a 15-Minute Call.

Penetration testing pricing depends on scope: target count, environment complexity, and required compliance framework. These tiers set the baseline. Every engagement gets a fixed-price quote after a free 15-minute scoping call.

Scoped Pentest

Single asset pentest. Right for startups, one web app, or a focused network segment that needs annual testing.

From $2,500 · flat fee
  • Single web app or up to 10 external IPs
  • 1-week manual testing engagement
  • Executive summary + technical report
  • CVSS-scored findings
  • One free retest after fixes
  • Compliance attestation letter

PTaaS · Continuous

Always-on pentest program. Right for SaaS companies shipping weekly that need continuous coverage.

From $1,950 / month
  • Continuous automated coverage
  • Quarterly manual deep-tests
  • Unlimited retests
  • Dedicated Slack channel
  • Findings dashboard with SLA tracking
  • Annual third-party attestation

Enterprise engagements (red team, adversary simulation, supply chain pentest, regulated-industry work) scope at $40,000 and up. All quotes are fixed-price after a 15-minute scoping call. No hourly billing. No scope creep fees.

Why Digital Roxy

Six Reasons Security Leaders Pick Us

OSCP-certified offensive engineers

Every tester on your engagement holds Offensive Security Certified Professional (OSCP) or equivalent practical certifications. We do not staff pentests with junior scanners.

Manual-first, not scanner-only

Automated tools build coverage breadth. Humans find the bugs that matter. Our engagements are 70% manual, 30% tool-assisted. The ratio is inverted at most firms.

Retest included

Every engagement includes a free retest after your team ships fixes. Clean retest means clean attestation for your audit. No separate fee, no renegotiated scope.

Developer-friendly remediation

Reports include code snippets, configuration examples, and architectural recommendations written by engineers who have fixed the same bug in production. Not vendor-speak.

Fixed-price scoping

We quote fixed prices after a 15-minute scoping call. No hourly billing. No scope creep invoices. If the engagement expands, the pricing conversation happens before any new work starts.

Strict NDAs on every engagement

Vulnerabilities and architectural details from your environment stay confidential. Signed NDA before kickoff, evidence destruction after attestation, no case studies without written approval.

Engagement Timeline

What the Next Three Weeks Look Like

Timeline for a typical Full-Stack Pentest engagement. Scoped Pentests compress to one week. PTaaS runs continuously.

Day 0

Scoping Call & Contract

15-minute scoping call to define targets, exclusions, test windows, and rules of engagement. Signed scope document and mutual NDA in place before any work starts. Test accounts provisioned by your team.

Week 1

Reconnaissance & Vulnerability Mapping

Passive OSINT against the target attack surface. Automated vulnerability analysis with Burp Suite Pro, Nuclei, and Nessus. End of week: candidate finding list handed to the exploitation phase.

Week 2

Manual Exploitation

Two testers run manual exploitation against confirmed candidates. Critical findings are disclosed in real time through a shared Slack channel so your team can start remediating before the report ships. Full post-exploitation walkthrough.

Week 3

Reporting & Debrief

Technical report, executive summary, and compliance attestation drafted and peer-reviewed. 60-minute live debrief with your engineering team to walk through findings and remediation approaches.

Weeks 4-8

Your Remediation Window

Your team ships fixes. We stay available in Slack for clarifying questions. No additional fees for remediation support during the engagement window.

Week 8+

Retest & Clean Attestation

We retest every finding and update status: Fixed, Partially Fixed, or Open. Clean retest gets a clean attestation letter you can hand to your auditor. Retest is included in the engagement fee.

US Coverage

Penetration Testing Service Across the United States

Every state has a different regulatory mix, industry profile, and threat landscape. Pick your state for local context on what a pentest looks like in your jurisdiction.

FAQ

Penetration Testing Questions, Answered Directly

Penetration testing costs in the US range from $2,500 for a focused single-asset pentest to $40,000+ for enterprise multi-asset engagements. A scoped web application pentest typically runs $4,000 to $8,000. A full-stack engagement covering web, API, and network falls between $10,000 and $25,000. PTaaS (continuous pentesting) starts at $1,950 per month. Pricing depends on asset count, environment complexity, and required compliance framework. Digital Roxy quotes fixed prices after a free 15-minute scoping call.

A single-asset pentest takes one week of active testing plus one week for reporting. A full-stack pentest covering multiple asset types takes two to three weeks of testing plus one week for reporting. Add two to six weeks of your team's remediation time, then one week for the retest. Total engagement calendar time is typically four to eight weeks from kickoff to clean attestation.

A vulnerability assessment answers "what vulnerabilities exist." A penetration test answers "can those vulnerabilities actually be exploited by an attacker." Vulnerability assessments are automated, broad, and shallow. They produce scanner output. Penetration tests are manual, focused, and deep. They produce confirmed findings with proof-of-exploit, CVSS scoring, and specific remediation steps. Most compliance frameworks require both: monthly vulnerability scans plus annual penetration testing.

Yes. Every engagement ships with a compliance attestation letter tailored to the specific framework driving the engagement. Our reports include the evidence artifacts auditors expect for PCI DSS Requirement 11.4, SOC 2 Trust Services Criteria CC7.1, HIPAA Security Rule 45 CFR 164.308(a)(1), ISO 27001 Annex A.12.6, GDPR Article 32, and NIST CSF 2.0 control references. We have worked with Big 4 audit firms and regional attestation providers.

No. Rules of engagement are defined and signed before testing begins. Destructive exploitation, denial-of-service testing, and data exfiltration are excluded by default. Critical findings are disclosed in real time so you can start remediating immediately. We schedule production testing against low-traffic windows and use non-production environments for any high-risk validation. Emergency contact procedures are in place for the entire engagement.

Critical findings (CVSS 9.0+) are disclosed within one business hour of discovery through a shared Slack or Teams channel. Your team gets reproduction steps, CVSS justification, and initial remediation guidance immediately, not at the end of the engagement. We pause further testing on related attack paths until your team acknowledges the disclosure, to prevent the same issue from masking other findings.

Yes. Every Digital Roxy engagement includes at least one free retest after your team ships fixes. Scoped Pentests include one retest within 60 days. Full-Stack Pentests include two retests within 90 days. PTaaS clients get unlimited retests. Clean retest means a clean attestation letter you can hand to your auditor. No separate retest fee.

Four questions separate real pentest providers from checkbox shops. First, who does the testing: named OSCP-level engineers or "offshore partners"? Second, what percentage of the engagement is manual versus scanner output? Third, is a free retest included or a separate invoice? Fourth, will they provide a sample report and a reference client? A provider that cannot answer these questions clearly is selling a vulnerability scan in a penetration test wrapper.

PTaaS is penetration testing delivered on a subscription with continuous coverage and always-available testers. It fits companies that ship code weekly and cannot wait 12 months for the next annual pentest to catch regressions. If your team deploys infrequently and you only need compliance attestation once a year, a point-in-time pentest is the right fit. If your attack surface changes weekly, PTaaS is the right fit. Our PTaaS page has the full comparison.

Yes. Mutual NDA is signed before kickoff. All evidence, raw scanner output, exploit payloads, and customer data collected during testing are destroyed on a defined schedule after attestation. We never reference client engagements in marketing without signed written approval. Your vulnerabilities, architecture details, and findings stay confidential, full stop.

Your Next Pentest Should Actually Find Bugs

Book a 15-minute scoping call. Tell us what you need tested and which compliance framework is driving it. You get a fixed-price quote within one business day.
