Pentalpina

Find the
vulnerability
before someone else does.

Your infrastructure tested the way a real attacker would. One person, full scope, full accountability.

Request a scoping callView services
62
<48h
~5d
Lifecycle

From zero-day to zero risk.

Phase 011 / 6

Kickoff

Scope locked. NDA signed before any recon begins.

  • Rules of engagement & authorized targets documented
  • Emergency disclosure protocol agreed
  • Threat model & risk appetite aligned
  • Timeline and deliverable format confirmed
Phase 022 / 6

Recon

Map the attack surface. Passive before active.

  • Certificate transparency & subdomain enumeration
  • Tech stack fingerprinting & version profiling
  • Exposed credentials and secret scanning
  • Third-party asset discovery
Phase 033 / 6

Exploitation

Manual chaining. Real attacker methodology.

  • Authentication bypass & session manipulation
  • Injection, SSRF, deserialization paths
  • Privilege escalation & lateral movement
  • Business-logic and access-control flaws
Phase 044 / 6

Triage

Every finding scored, evidenced, and contextualised.

  • CVSS v3.1 base & environmental scoring
  • Reproducible proof-of-concept captured
  • Impact assessed against your threat model
  • Criticals disclosed immediately — not held for PDF
Phase 055 / 6

Report

Executive summary + full technical detail.

  • Findings ordered by severity and exploitability
  • Remediation guidance per finding
  • Live debrief call included
  • Delivered within the agreed window
Phase 066 / 6

Retest

Every fix verified. Closed in writing.

  • Retest of all HIGH and CRITICAL findings included
  • Patch validation with original PoC
  • Updated report reflecting closure status
  • Clean-slate sign-off provided
Services

What I assess

01

Cloud security

One misconfigured permission can give an attacker full control of your AWS or GCP environment. Every escalation path mapped from initial foothold to full takeover.

AWS / GCPPermission reviewCredential theft
View details
02

Linux security

From a standard user account to full server control. Every privilege escalation path traced and documented so you can close it before an attacker finds it.

Privilege escalationServer hardeningCredentials
View details
03

Kubernetes security

A single misconfigured container permission can expose every service you run. Full attack path assessment from a compromised container to cluster-wide control.

Container escapePermission reviewCluster hardening
View details
04

CI/CD & supply chain

Your build pipeline has access to production. One injected command in a pull request or a leaked credential in a build log can compromise everything it deploys.

Build pipelineSecret leakageDependency security
View details
05

OAuth & SSO security

One misconfigured redirect in your login flow can let an attacker take over any user account. Deep testing of OAuth 2.0, SAML, and single sign-on implementations.

Account takeoverLogin flow testingSSO / SAML
View details
06

Web application security

Can someone log in as another user? Access data without a password? Abuse your checkout flow?

Login bypassData leakageAccess control
View details
07

API security testing

Your API may expose every user's records by changing one number in the URL. Every endpoint tested for broken access controls, data leakage, and authentication gaps.

User data exposureAuth bypassEndpoint coverage
View details

* Windows / Active Directory: not offered. Life is too short :)

Why Pentalpina

You know exactly
who assessed
your system.

Pentalpina is a sole practice. The same person who scopes your engagement breaks it, documents it, and signs the report. No hand-offs, no anonymous contractors, no templated output.

1 personend-to-end. Kickoff to closed findings.
62issues found
<48hfirst critical
~5davg. engagement
01
Swiss jurisdiction

NDA signed before first call. Engagement governed by Swiss Code of Obligations.

02
No subcontractors

One named practitioner from kickoff to report. You always know exactly who tested your system.

03
Fixed price per scope

Agreed upfront before any recon begins. No hourly billing, no scope-creep surprises.

04
Criticals land same day

Showstopper findings disclosed the same day, not held until the PDF ships.

05
Retest included*

Every HIGH and CRITICAL finding retested after remediation, within 30 days of report delivery. Closed status confirmed in writing.

* Retest window: 30 days from report delivery date.

FAQ

Common questions

Fixed price per scope, agreed before testing starts. No per-finding pricing, no daily rate creep. Every engagement is quoted as a flat fee based on scope, and you approve the number before work begins. If the scope grows, we re-scope together.

Fixed price per scope, agreed before testing starts. No per-finding pricing, no daily rate creep. Every engagement is quoted as a flat fee based on scope, and you approve the number before work begins. If the scope grows, we re-scope together.

A vulnerability scanner runs automated checks and produces a list of known CVEs matched against software versions. It has no understanding of context, business logic, or chained attack paths. A penetration test is a manual process where a practitioner thinks like an attacker, chains findings together, and tests for flaws scanners will never find: broken access controls, logic abuse, misconfigured trust relationships. The deliverable is a report of actual exploitable issues, not a printout of what a tool flagged.
It depends on scope. A focused web application assessment typically runs 3 to 5 days. A full infrastructure review covering cloud, Kubernetes, and CI/CD pipelines is usually 7 to 10 days. Scope is defined in writing before work starts, and the timeline is fixed in the statement of work.
Yes. Most meaningful findings only surface in production. Staging environments often lack the real data flows, integrations, and traffic patterns that matter for security. Testing is conducted carefully to avoid disruption. Any risk of service impact is discussed and agreed on before the engagement starts.
A written findings report with a description of each issue, the exact steps to reproduce it, a risk score, and a concrete remediation recommendation. Critical findings are disclosed verbally the same day they are confirmed. A live debrief is included for every engagement. Retest of HIGH and CRITICAL findings is included at no additional cost within 30 days of report delivery.
Yes. A mutual NDA is signed before any information is exchanged. Findings, client identity, and all engagement data are treated as strictly confidential. Nothing is disclosed to third parties. Engagement data is deleted after report delivery and sign-off.
A scoping call comes first. You describe the target, the technology stack, and any access restrictions. From there a statement of work is prepared that defines the scope, rules of engagement, and timeline. You will typically need to provide test credentials and notify your hosting provider or cloud team that testing will occur on a specific date range.
You are contacted immediately, before the rest of the engagement continues. You decide whether to pause and remediate, continue with the finding noted, or adjust scope. No critical finding is held until the report is finished.
Contact

Start your assessment

Fill in the scoping form and we’ll respond within 24 hours. Sensitive details? Use PGP.

Services needed *