Penetration testing that ends arguments — not scanner exports.
Senior-led, manual testing that shows how an attacker actually reaches what matters, and what it would cost you — not a deduplicated list of CVEs.
- Senior-led delivery.
- Vendor-independent.
- Evidence-driven reporting.
For EU organisations
Testing that produces regulator-ready evidence.
Across the EU a penetration test is increasingly the evidence behind an obligation — the GDPR’s Article 32 duty to test security measures, DORA’s resilience testing for financial entities, and the security an NIS 2 supply-chain review expects. We run it senior-led and map each finding to the control and the regulation it answers, so one engagement serves both your security and your compliance file.
In the EU a penetration test is rarely just a security exercise — it is increasingly the evidence behind an obligation. The GDPR’s Article 32 requires a process for testing the effectiveness of your security measures; DORA requires resilience testing for financial entities; and NIS 2 expects security assurances to flow down the supply chain. A senior-led test gives you that evidence in a form a supervisor, an auditor, or an enterprise customer will accept.
We test web, API, cloud, and internal estates the way a capable attacker would, then map every finding to the control it breaks and the regulation it touches. Because the same senior team also runs your GRC readiness, the report doubles as compliance evidence — one engagement, not two. Whether and how a given regulation applies is your counsel’s call; we produce the technical proof.
Where we test
Web & API — the EU customer-review surface
- The applications EU enterprise buyers and their data-protection teams scrutinise before they sign, tested manually for the authorisation and business-logic flaws scanners miss — with evidence written for a security questionnaire.
Cloud in EU regions
- AWS, Azure, and GCP configuration and identity reviewed against CIS Benchmarks and the data-residency and security-of-processing expectations that follow EU personal data.
Internal & Active Directory
- Lateral movement, privilege escalation, and the blast-radius questions a NIS 2 risk-management programme has to answer about your internal estate.
Reported as Article 32 / DORA evidence
- Every engagement is scoped and written so the result stands as the regular testing the GDPR’s Article 32 and DORA’s resilience requirements both call for.
When EU teams call us
The moments EU organisations bring us in for a penetration test:
- An EU enterprise customer’s procurement or data-protection team sends a security questionnaire before they sign.
- You’re a financial entity, or an ICT provider to one, and DORA’s resilience-testing expectations are now on the calendar.
- A NIS 2 supply-chain review asks you to evidence the security of what you ship.
- You’re launching a product that handles EU personal data and want the Article 32 testing done before go-live, not after.
What you receive
The HackingByte Engagement Brief
Every service ends in the same three connected artifacts — so exploit, control gap, and business impact tell one story.
- Technical Report: Reproducible findings with evidence and per-finding remediation, written for your engineers.
- Executive Risk Brief: The same findings as business risk for leadership and the board — no jargon, no CVSS tables.
- Action Plan: Prioritised, owner-assigned, and scoped to what your team can actually deliver.
Timeline
What a typical engagement looks like.
A representative external or internal penetration test runs roughly four to six weeks end to end: about a week of scoping to a signed Statement of Work, one to three weeks of testing depending on the size of the surface, a week of reporting and peer review, and a debrief once you’ve had the report in hand. An optional retest of critical and high findings adds one to three weeks whenever your team is ready.
Web and API engagements follow the same shape; very large applications extend the testing window. Threat-led and red team engagements add a threat-intelligence and scenario-design stage up front. The schedule is set during scoping around your deadline — a customer’s procurement gate, an audit date, or an insurance renewal.
How it’s different
- Manual, senior-led testing — the chained attack paths and business-logic abuse that matter come from someone who has done this before, not a junior with a scanner licence. Every deliverable carries senior sign-off before it leaves the firm.
- Findings reproduced with evidence — every finding includes reproduction steps and captured evidence sufficient for your team to recreate it independently. You should never have to take our word for a finding.
- Severity scored with a business-impact overlay, not just CVSS — a “medium” on a system that moves money is not the same as a “medium” on a static marketing site. Severity inflation is a quality defect here, not a sales tactic.
External testing
External penetration testing.
External penetration testing answers the question every customer security review and insurance renewal is really asking: what could a competent attacker reach from the internet today? We attack your internet-facing surface — web applications, exposed APIs, infrastructure, and the third-party integrations attached to them — starting from OSINT and asset discovery, because the assets you have forgotten about are usually the ones that matter. It is the most common starting point, and the baseline most external obligations expect.
Internal testing
Internal penetration testing.
Internal penetration testing is an assumed-breach engagement: we start from a foothold inside the network and measure how far an attacker moves before someone stops them. The objective is usually Domain Admin, a privileged data store, or a business-critical workload. The output is a quantified view of internal blast radius and ransomware exposure — the kind of figure a board and a CFO can actually use.
Choosing a provider
Choosing a penetration testing company.
Not every penetration testing company delivers the same thing. What separates a useful test from a scanner export is senior practitioners doing the work, reproducible evidence for every finding, severity scored against business impact, and a remediation plan your team can act on. Before you sign, ask who will actually run the test, how scope is set, and what the report contains.
Our methodology
Cited standards, a six-stage lifecycle, senior sign-off at every stage.
We don’t invent methodology — we use, cite, and extend recognised standards, and we tell you which ones before the engagement starts. Every test runs on the same six-stage lifecycle, so you always know what happens next.
Scoping. We define objectives, assets, threat model, rules of engagement, deliverables, and a pricing band, ending in a signed Statement of Work.
Kickoff. We confirm rules of engagement, contacts, escalation paths, schedule, secure communication channels, and access in a single 60-minute call.
Execution. The testing itself, scoped to the asset class. Critical findings are escalated to you within four working hours of discovery — never held back until the report.
Reporting. We produce the three-artifact Engagement Brief and put it through internal peer review before you see it.
Debrief. Two sessions — a technical walkthrough with your engineers and an executive debrief with leadership — plus Q&A on the action plan.
Closure and optional retest. The action plan goes to its owners, and you can elect a focused retest of critical and high findings with an updated attestation.
The standards base depends on the asset: PTES and MITRE ATT&CK for external and internal work; the OWASP Web Security Testing Guide and API Security Top 10 for web and APIs; OWASP MASVS for mobile; the MITRE ATT&CK Cloud matrix and CIS Benchmarks for cloud.
Scoping & pricing
How penetration tests are priced.
We price engagements fixed, banded by scope — not by the day. For an external or internal test, the band is set by the number of in-scope assets and the complexity of the environment; for web and API work, by the number of roles, endpoints, and the business-logic complexity of the application. We give you the band during scoping, before you sign anything, so there are no day-rate surprises.
A few things we deliberately don’t do: we don’t sell day rates, we don’t resell or upsell tooling, and we take no vendor commissions — so the test is sized to answer your actual question, not the largest engagement we could justify. If you have a budget you’re working within, tell us during scoping and we’ll be straight about what it covers.
Frequently asked questions
Does a penetration test satisfy the GDPR’s Article 32?
- Article 32 requires a process for regularly testing and evaluating the effectiveness of your security measures; a scoped penetration test is the most direct way to produce that evidence, and we report it to stand up to a supervisory authority or a customer’s DPO. Whether it is sufficient for your specific processing is your counsel’s call.
Can this double as DORA resilience testing?
- Often, yes — DORA expects vulnerability and threat-led testing for financial entities. We scope to the pillar you need, and for the threat-led requirement deliver TLPT through our red-teaming practice. Interpretation of DORA stays with your counsel.
Will the report work for an EU customer security review?
- That is what the Executive Risk Brief is for: the same findings expressed as business risk, in language an enterprise buyer’s security and procurement teams accept — without CVSS tables they have to decode.
Do you account for where EU data is hosted?
- We test wherever your estate runs and flag where data residency or cross-border transfer is in play, so the security evidence and the data-protection picture line up. The legal transfer analysis stays with your counsel.
Bring us the system you’re worried about and the deadline you’re working to — we’ll scope the test around both.
Every engagement ends in the same three connected artifacts, and our continuous monitoring platforms keep watch between engagements.