Methodology
A Structured, Repeatable Approach to Authorized Testing
Every assessment follows a documented process designed for clarity, reproducibility, and defensible results.
Our Process
- 01 Discovery and intake
- 02 Scope confirmation
- 03 Proposal and Statement of Work
- 04 Written authorization and Rules of Engagement
- 05 Asset and environment confirmation
- 06 Reconnaissance and information gathering
- 07 Vulnerability identification
- 08 Manual validation and exploitation (where in scope)
- 09 Risk rating and impact analysis
- 10 Reporting and debrief
- 11 Retesting and verification
Standards and References
Our work draws on established security standards and threat-informed frameworks.
- OWASP Top 10
- OWASP Web Security Testing Guide (WSTG)
- OWASP API Security Top 10
- OWASP Application Security Verification Standard (ASVS)
- Penetration Testing Execution Standard (PTES)
- NIST Cybersecurity Framework
- MITRE ATT&CK
- CIS Controls
Risk Rating Approach
Severity is assigned through six factors so engineering teams can prioritize realistically.
- Likelihood: How realistic exploitation is, given the preconditions that must hold and the skill an attacker needs.
- Impact: The confidentiality, integrity, and availability consequences if the issue is exploited.
- Exposure: Whether the issue is reachable from the internet or only from a position on the internal network.
- Authentication: Whether, and at what privilege level, authentication is required to reach the vulnerability.
- Data sensitivity: The type and regulatory weight of the data placed at risk.
- Business context: The operational and reputational consequences specific to your organization.
Severity Badges
- CRITICAL: Immediate threat. Exploitation is likely to result in full compromise of the system or wide-impact exposure of data.
- HIGH: Significant risk. Exploitation gives access to sensitive data or allows major abuse of application capability.
- MEDIUM: Meaningful weakness. Exploitation usually depends on specific preconditions or on chaining with other issues.
- LOW: Limited risk. Should be remediated, but is unlikely to cause material impact on its own.
- INFORMATIONAL: Observation or hardening recommendation with no direct exploit path.