Penetration Testing Methodology
Consultant-led penetration testing. An approach that works.
Our approach
Manual testing, led by consultants
Security testing broadly falls into two categories: automated scanning, which identifies known vulnerabilities against a database of signatures, and manual penetration testing, which finds what scanners cannot. Every engagement we deliver sits in the second category.
Our methodology draws from the OWASP Web Security Testing Guide (WSTG) and NIST SP 800-115, with adversary-informed techniques aligned to the MITRE ATT&CK framework and guidance from the NCSC. For infrastructure testing, we also reference the Penetration Testing Execution Standard (PTES) alongside NIST. These frameworks are not labels applied after the fact: they shape how we plan and execute every assessment.
Each engagement is scoped individually, priced at a fixed rate before any work begins, and delivered by the same consultant from the initial scoping call through to the debrief. Nothing is outsourced or subcontracted.
Testing phases
How every engagement is structured
The phases below apply across all service types. The specific test cases, frameworks, and depth of each phase are determined by the scope agreed at the outset.
Standards and frameworks
The frameworks our methodology is built on
OWASP Web Security Testing Guide (WSTG)
OWASP API Security Top 10
OWASP Mobile Application Security Verification Standard (MASVS)
NIST SP 800-115
Penetration Testing Execution Standard (PTES)
MITRE ATT&CK
NCSC guidance
CREST
Reports built for technical teams and business stakeholders
Every engagement produces a written report delivered within two business days of testing completion. Reports are written for two audiences: the technical teams responsible for remediation, and the business stakeholders who need to understand the risk and sign off on remediation priorities.
Findings are tracked live in Attack Surface Center throughout testing, so your team can see what is being found without waiting for the report.
- Executive summary: A concise overview of the engagement, key findings, and overall risk exposure, written for non-technical stakeholders including board members, senior management, and compliance auditors.
- Technical findings: Each vulnerability documented with a severity rating (aligned to CVSS), reproduction steps, proof-of-concept evidence, affected component, and remediation guidance. Findings are mapped to CVE, CVSS, and MITRE ATT&CK where applicable.
- Scope and methodology section: A documented description of the testing approach, the scope agreed during the engagement, the standards and frameworks applied, and any items that were excluded from testing.
- Live findings in Attack Surface Center: View findings as they are logged during testing, track remediation progress, and collaborate with your team in real time through Attack Surface Center.
- Retesting included: For externally-based assessments including web application, API, and external network testing, focused retesting of remediated vulnerabilities is included as standard at no additional charge.

What makes our methodology different
Manual testing, delivered by the same person throughout
No automated scans presented as penetration tests
The same consultant, start to finish
Nothing outsourced or subcontracted
Scoped to your environment
Critical findings raised immediately
Get a fixed-price quote for your next assessment
Submit your requirements and we will respond with a written, fixed-price proposal within one business day. All enquiries are confidential and there is no obligation to proceed.
Common questions
Penetration testing methodology: frequently asked questions
Our methodology draws from the OWASP Web Security Testing Guide (WSTG) and OWASP API Security Top 10 for application testing, NIST SP 800-115 and the Penetration Testing Execution Standard (PTES) for network and infrastructure testing, and the MITRE ATT&CK framework for adversary technique selection and findings mapping. For mobile application testing, we reference the OWASP MASVS.
We also take into account NCSC guidance on penetration testing for engagements delivered to UK organisations.
All testing is manually led. Automated tools are used selectively, for example for large-scale parameter fuzzing or directory enumeration, but every finding is reviewed and validated by the consultant. Business logic flaws, authorisation vulnerabilities, and chained attack paths are identified with the human analysis that automated tools cannot replicate.
You will not receive a repackaged vulnerability scan.
The core principles are consistent across all service types: manual, intelligence-driven testing by an in-house consultant, with a fixed price confirmed before work begins. The specific frameworks and test cases are applied depending on what is in scope.
For web application testing, we follow the OWASP WSTG. For API testing, the OWASP API Security Top 10. For network and infrastructure, NIST SP 800-115 and PTES. For mobile applications, the OWASP MASVS. See the services overview for a full breakdown by service type.
These terms describe how much information is shared with the tester before the engagement begins.
Black-box (or closed book) testing simulates an external attacker with no prior knowledge of your environment. Grey-box testing provides the tester with partial information, typically credentials or access as an authenticated user. This is the most common approach for web application and API assessments. White-box (aka. transparent or open book) testing gives the tester full access to source code, architecture documentation, and credentials.
For a full comparison and guidance on which approach to choose, see the services FAQ.
Scoping happens during the initial conversation, by call or by email. We ask about the systems or applications that are to be tested, their complexity, any compliance context, and your objectives. From that we produce a fixed-price written proposal that confirms the targets that are in scope, the methodology and approach that will be applied, the deliverables that you will receive, and the wider rules of engagement like any testing windows or exclusions.
For more detail on how scoping typically works in practice, see our articles on scoping a web application assessment and scoping a network penetration test.
Critical findings are escalated to your named technical contact the same day they are discovered, and are not held until the report is delivered. This gives your team the option to begin remediation before the testing window closes, where we can re-test the findings there and then.
You can also view any findings in real time throughout the engagement via Attack Surface Center, our attack surface management platform.
We do not use AI tools to perform penetration testing. Our methodology is based on manual, intelligence-driven testing by experienced consultants.
While AI can assist in certain tasks, it cannot replace the nuanced analysis and decision-making required to identify complex vulnerabilities and business logic flaws. See our AI policy for more information.
