Services
Standards‑aligned testing (OWASP ASVS / NIST) with manual exploitation and actionable guidance. Typical engagements run 7–14 days with a clear, executive‑to‑engineer readout.
External Network Pentesting
Enumerate exposed services, validate CVEs, and chain misconfigurations to simulate a real attacker. Includes exploitation of impactful findings and proof of compromise where safe.
- Port/service discovery & vuln validation
- Auth, brute‑force, and exposure testing with guardrails
- Clear remediation steps and retest
Web & API Testing
Application‑layer testing mapped to OWASP Top 10 / ASVS. We prefer gray‑box for speed and depth.
- AuthZ/AuthN, access control, session mgmt
- Injection, deserialization, SSRF, file upload
- Business logic abuse & multi‑tenant isolation
Internal Network Assessments
Assume a foothold and measure blast radius. Identify lateral movement paths and privilege escalation routes.
- AD misconfig, credential exposure, SMB/LDAP issues
- Segmentation testing & egress controls
- Hardening guidance and retest
Adversary Simulation / Red Teaming
Objective‑driven exercises to test detection and response without disrupting operations. Strict rules of engagement (ROE) and a low‑noise approach.
- Threat‑led scenario design
- Initial access testing (phishing/social, opt‑in)
- Detection gaps & response playbook improvements
Cloud Security Review
Assess AWS/GCP/Azure for excessive permissions, insecure defaults, and public exposures.
- IAM least‑privilege & boundary checks
- Secrets management & CI/CD hardening
- Storage/network exposure and guardrails
Deliverables
- Executive summary with business impact
- Prioritized findings with reproduction & PoCs
- Fix guidance and optional remediation retest
Contact
Email contact@palomasec.com or use our contact form.
