A manual, methodology-led assessment of your external perimeter and internal network designed to identify exploitable weaknesses, validate the path from initial access to full internal compromise, and deliver evidence-based recommendations aligned with global standards and Hong Kong regulatory expectations.
Your network and infrastructure are the foundation every other security control stands on. They are also where opportunistic intrusions become full domain compromise.
A network and infrastructure penetration test simulates realistic attack scenarios against your in-scope environment, combining automated discovery with extensive manual testing techniques. The objective is to uncover exploitable weaknesses across your external perimeter, internal network, and identity systems that scanners alone will not detect.
Our consultants assess your environment from two complementary perspectives, external and internal, validating both your perimeter defences and your resilience to lateral movement, privilege escalation, and Active Directory compromise once an intruder is inside. Coverage adapts to Windows, Linux, and mixed-OS networks.
Each engagement concludes with a detailed report containing prioritised findings, attack-path narratives, proof-of-concept evidence, and clear remediation guidance suitable for both technical and executive stakeholders.
We combine elite offensive cybersecurity expertise with institutional backing to deliver penetration testing that actually drives business resilience.
Our consultants bring deep offensive cybersecurity experience from top-tier global consulting firms, backed by the industry's most rigorous certifications including OSCE³, OSEP, OSCP, CRTM, CRTL, CRTE, and HTB CAPE. We bring world-class execution to every network and infrastructure penetration testing engagement.
No junior bait-and-switch and no offshore hand-offs. The senior consultants who scope your engagement are the ones executing the test, walking you through findings, and validating your remediation. You get the same expert from kickoff through closure.
Penetration testing requires absolute trust: you are granting access to your most sensitive systems. We are proudly supported by the HKSTP Incubation Programme and the CityU HK Tech 300 Seed Fund, making us a vetted Hong Kong cybersecurity partner with institutional accountability.
We don't deliver 200-page scanner reports. Every penetration testing engagement produces prioritised findings, attack-path narratives, proof-of-concept evidence, and remediation guidance, translated for both your engineers and your board.
Clients engage us when assurance has to be independent, findings have to be actionable, and the outcome has to hold up to auditors, regulators, customers, and the board.
Teams preparing to expose new infrastructure to the internet, deploy a new internal network segment, or onboard new business units, requiring assurance before exposure.
Organisations preparing for PCI DSS, ISO/IEC 27001, SOC 2, HKMA C-RAF, or SFC cybersecurity examinations that require independent infrastructure testing evidence.
Organisations re-validating network and identity-system posture following a reported intrusion, ransomware event, or significant network architecture change.
Mature security programmes with annual or bi-annual infrastructure testing obligations to internal risk committees, customers, or regulators.
Security teams seeking third-party verification of perimeter, internal segmentation, and Active Directory hardening following internal testing or remediation cycles.
Acquirers and investors evaluating the network security posture of target organisations prior to transaction close, particularly where network or identity integration is planned.
Every engagement is scoped collaboratively to ensure testing objectives align with business priorities, risk appetite, and regulatory context.
Coverage is structured around PTES, OSSTMM, and NIST SP 800-115, and informed by the techniques real adversaries use against infrastructure and identity systems. The domains below highlight our core focus areas, but our complete coverage extends far beyond them.
Assessment of internet-facing infrastructure including exposed services, edge devices, VPN gateways, mail and DNS exposure, and forgotten or shadow assets that widen your perimeter beyond what is documented.
Discovery of all reachable hosts, services, and exposed entry points in scope, including assets that are forgotten, undocumented, or shadow IT, providing an accurate evidence-based view of your true attack surface.
Targeted assessment of your Active Directory environment, the most consequential attack surface in any internal network. Coverage includes Kerberoasting and AS-REP roasting, NTLM relay, ACL and GPO abuse, attack-path discovery, weak service accounts, and feasible paths to domain controller compromise.
Testing of password policies, credential reuse, default and weak service-account credentials, exposed credentials in scripts, network shares, and configuration files, and the practical effectiveness of password spraying, credential stuffing, and offline hash cracking.
Evaluation of local privilege escalation paths on Windows and Linux hosts, including kernel and patch-level exposures, misconfigured services, weak file and registry permissions, sudo and SUID misuse, and credential material harvested from local storage.
Validation of how far an attacker can move from an initial foothold, exercising SMB and WMI execution, pass-the-hash and pass-the-ticket, RDP and SSH hopping, and pivoting through dual-homed or compromised hosts to reach high-value targets.
Practical testing of segmentation boundaries between security zones, DMZ-to-internal pivot feasibility, firewall rule effectiveness, egress filtering and outbound traffic restrictions, and unintended trust paths between environments.
Our consultants demonstrate how multiple lower-severity issues can be chained into an end-to-end intrusion path, from initial access through privilege escalation and lateral movement to compromise of critical assets, proving the real business impact a real attacker would achieve.
A structured, repeatable methodology that delivers consistent quality, with clear entry and exit criteria at each phase and defined responsibilities on both sides.
Define network boundaries, internal and external testing windows, communication protocols, and rules of engagement. Gather network diagrams and architecture documentation, confirm authority to test, and agree on the delivery model and target list.
Combined automated discovery and extensive manual testing across the agreed external and internal scope, exercising privilege escalation, lateral movement, and Active Directory attack paths where authorized. Critical issues are escalated in real time. All findings are manually verified to eliminate false positives.
A detailed technical report with executive summary, risk-rated findings, attack-path narratives demonstrating chained compromise, business impact analysis, proof-of-concept evidence, and prioritised remediation recommendations.
A structured walk-through of the findings with your technical team, covering issue context, exploitation impact, and remediation guidance. Support for clarification during fix implementation.
Retesting of remediated findings to confirm fixes are effective, followed by an updated risk posture and formal engagement closure. Deliverables are packaged for internal follow-up, audit, and regulatory evidence.
Every engagement produces a comprehensive report designed to serve both technical remediation and executive decision-making.
A non-technical overview of the assessment, key findings, business impact, and recommended priorities, written for leadership, risk, and board-level stakeholders.
Each finding documented with technical description, affected hosts and services, exploitation steps, observed impact, and references to relevant standards and CVE/CWE identifiers.
Findings are rated using the Common Vulnerability Scoring System (CVSS) and the OWASP Risk Rating Methodology, combined with business-context adjustments to reflect realistic risk to your organisation.
Screenshots, command output, captured artefacts, and step-by-step reproduction details that demonstrate each critical and high-severity issue without ambiguity.
Visual diagrams showing how findings chain into end-to-end intrusion paths, from initial access to compromise of critical assets. Useful for executives, architects, and incident response planning.
Clear, prioritised recommendations mapped to each finding, including short-term containment, configuration changes, and longer-term architectural improvements where applicable.
Our methodology is built on internationally recognised testing standards and mapped to the compliance frameworks most relevant to Hong Kong-regulated organisations.
A vulnerability scan is automated and identifies known weaknesses through signatures and pattern matching. A penetration test adds extensive manual investigation. Consultants validate each finding, chain issues together, exploit configuration and identity weaknesses, and demonstrate real-world business impact. Scanners tell you what might be wrong; a pentest confirms what is exploitable, why it matters, and how far an attacker could go inside your network.
It depends on the engagement perspective. An External engagement starts with no internal access; we work from the public internet, mirroring an anonymous attacker probing your perimeter. An Internal engagement typically starts with either no credentials (assume-breach: an attacker who has gained network access via phishing or a compromised host) or with standard domain user credentials (assume-compromise: a malicious insider or a credential-theft scenario). Higher-trust starting points are available where a specific scenario is being validated. We will recommend the right starting position during scoping based on what you need to learn from the engagement.
Where domain controller compromise is in scope and authorized, yes. Active Directory is the most consequential attack surface in any internal network, and demonstrating realistic paths to domain controller compromise is often the engagement objective. All exploitation against high-value targets is coordinated in advance, conducted with safeguards against operational impact, and the actions taken are documented step-by-step in the report. Where you prefer DC compromise to be demonstrated only to the point of proof rather than fully exercised, we will agree the cut-off during scoping.
All engagements are led by senior offensive security consultants. We do not assign junior operators or outsource execution to third parties. Our consultants hold recognised industry certifications across offensive security and red teaming, including credentials such as OSCE³, OSEP, OSCP, HTB CAPE (Active Directory Pentesting Expert), CRTO, CRTE, CRTP, and CRTM. Every assessment is reviewed by a senior lead before delivery, ensuring consistent technical depth and reporting quality regardless of which consultant is assigned.
Duration depends on scope size, the number of in-scope networks and hosts, and whether External, Internal, or both perspectives are tested. As a general guide, an external engagement against a small-to-medium perimeter typically runs 5 to 8 business days of active testing, and an internal engagement of similar scale runs 7 to 12 business days, plus 3 to 5 days for reporting and review. Larger Active Directory environments, multi-site networks, or combined External plus Internal engagements can extend to several weeks. An accurate estimate is provided during the scoping call based on your specific environment and objectives.
Most engagements kick off within 1 to 2 weeks of scoping sign-off, subject to consultant availability and the agreed testing window. Where a regulatory deadline or pre-launch milestone requires a faster start, we will do our best to accommodate and confirm feasibility during the scoping call.
Testing is designed to be non-disruptive. Before execution, we agree on the testing window, excluded actions (e.g. denial-of-service, destructive payloads, exploits known to risk service stability), and real-time escalation protocols. Higher-risk techniques such as relay attacks, exploitation of legacy network services, or actions against domain controllers are coordinated in advance, and critical findings are communicated immediately rather than waiting for the final report. Where production stability is particularly sensitive, we can perform reconnaissance and identification in production and exploit confirmed findings against representative non-production targets, or test out-of-hours with an open communication channel throughout. Where you operate a SOC, SIEM, or active monitoring tooling, we share testing source IPs, timing, and signatures in advance so your security team can suppress or contextualise the resulting alerts rather than triaging them as live incidents.
Any sensitive data, credentials, or hashes encountered during testing are handled under strict confidentiality. We do not extract, retain, or reproduce sensitive data beyond what is strictly necessary to evidence a finding, and where possible, data is anonymised in the final report. Recovered credentials are not used outside the agreed engagement scope. Credentials provided by you for authenticated testing are held in access-controlled secrets management throughout the engagement, used only for the agreed scope and duration, and confirmed destroyed in writing after engagement closure. All engagement artefacts are stored in access-controlled environments, transmitted over encrypted channels, and securely destroyed after the agreed retention period.
Unless explicitly agreed during scoping, the following are generally excluded: denial-of-service and volumetric load testing, destructive payloads against production systems and data, social engineering and physical intrusion (these are scoped under our Red Team and Phishing Simulation services), and testing of third-party hosted infrastructure or services outside your direct control. OT/ICS environments (SCADA, PLCs, industrial control systems) and wireless network testing (WiFi, EAP/802.1X) require specialised assessment and are scoped separately. Testing is strictly confined to the agreed network ranges and target list, and exploratory testing of adjacent systems or out-of-scope IPs is never performed without prior written authorization.
Yes. A complimentary retest is included with every engagement. After you have applied remediation, we re-examine each confirmed finding to verify that fixes are effective and that no regressions have been introduced, and issue an updated report reflecting closure status for each item. The retesting window is agreed with you during scoping to align with your remediation plan.
Yes. On request, we issue a formal Letter of Attestation summarising the engagement scope, testing period, methodology followed, and high-level outcome. The attestation is suitable for audit, regulatory submission, and third-party assurance purposes, including PCI DSS, SOC 2, ISO/IEC 27001, and HKMA-related obligations.
Schedule a scoping call with our specialists to define the right engagement perspective for your environment, regulatory context, and timeline. We will walk you through methodology, deliverables, and next steps.