Service catalogue
Every engagement concludes with a report containing risk prioritisation, remediation guidance and a retest. Scope and methodology are agreed before work begins.
Penetration testing
A controlled, hands-on attack - vulnerabilities chained into attack paths, not an automated list.
Web applications & APIs
OWASP WSTG/ASVS, authentication, business logic, REST & GraphQL.
External & internal infrastructure
Perimeter, network segmentation, privilege escalation, lateral movement.
Mobile applications
iOS and Android per OWASP MASVS, local storage, backend traffic.
Desktop / thick client
Client analysis, protocols and local security controls.
Active Directory / Entra ID
Attack paths, ADCS, delegations, routes to domain takeover.
Wi-Fi networks
Wireless audit, rogue APs, guest network isolation.
Cloud & configuration
Misconfiguration now beats exploits as the most common way in. Reviews against CIS benchmarks and vendor best practice.
AWS / Azure / GCP configuration review
IAM, public exposure, logging, networking.
Microsoft 365 / Entra ID
Conditional Access, Exchange, application permissions.
Kubernetes & containers
Cluster configuration, images, secrets, workload isolation.
Server & workstation hardening
System configuration review against CIS Benchmarks.
Secure code review
Security review of critical application modules.
Architecture review
Threat modeling of new systems ahead of production deployment.
Reconnaissance & continuous oversight
The organisation seen through an attacker's eyes - as a one-off or an ongoing programme.
Perimeter vulnerability scan
External IPs and services, manual validation of critical exposures.
Attack surface / OSINT
Subdomains, leaks, shadow IT, employee exposure.
Vulnerability management (retainer)
Recurring scans, remediation tracking, trend reporting for the board.
Credential leak monitoring
Company passwords and tokens in breach dumps, forums and combo lists.
People & compliance
The human factor and regulatory requirements - two areas best handled in parallel.
Phishing campaigns
Controlled social engineering with team response assessment.
Security awareness training
Workshops for teams and OWASP sessions for developers.
NIS2 / KSC gap analysis
Art. 21 measures mapped to the current state, with a roadmap.
Post-test support / advisory
Remediation prioritisation and implementation support, retainer option.
AI / LLM red teaming
Robustness testing for models, agents and AI integrations: prompt injection, jailbreaks, data exfiltration through tools, security of MCP servers and RAG pipelines. Research background: a doctorate in progress on adversarial ML.
How an engagement runs
Call & scope
Objective, boundaries and methodology of the test.
Authorisation
Written authorisation to conduct testing.
Testing & validation
Technical work with manual verification of findings.
Report & retest
Priorities, recommendations and remediation verification.
Frequently asked questions
What is the difference between a vulnerability scan and a penetration test?
A scan identifies known vulnerabilities in an automated manner; every finding is then validated manually, which eliminates false positives and confirms real risk. A penetration test goes further - chaining vulnerabilities into attack paths and verifying their actual impact. The engagement type is always stated explicitly; a scan is never presented as a penetration test.
Is the testing legal?
Yes, provided it is authorised. Before work begins, a written authorisation is signed defining the scope, addresses and time window of the tests. No work starts without this document.
Does the data remain confidential?
Yes. Work is carried out under a non-disclosure agreement (NDA). Access to data is limited to the necessary minimum, and results and reports are stored encrypted and deleted after an agreed retention period.
How long does an engagement take and what does the report contain?
A perimeter scan typically takes a few business days from the start of work. The report includes CVSS-based prioritisation, a management summary and a mapping of findings to NIS2 requirements. The delivery date is confirmed during scoping.
Is a retest performed after remediation?
Yes. A post-remediation retest is part of every engagement and confirms the effectiveness of the fixes.
What is the legal form of the business?
Services are provided by a registered sole proprietorship (Securember) and documented with VAT invoices.
A scope tailored to the organisation
An initial consultation covers architecture, regulatory requirements and possible scope variants.
Book a consultation