
Assess · Technical assurance

Penetration testing that proves your controls hold.

Hands-on testing of your network, applications, and cloud by certified offensive-security practitioners, run to methodologies you can cite and scoped in writing before any work begins. Findings arrive with reproduction steps and a remediation order, and the retest on fixes is part of the engagement, not an upsell.


Scope and price agreed in writing before any work. No obligation.

[Figure: Adversary path, ATT&CK-mapped. Stages: Objective, Recon, Access, Escalate, Lateral. Panel labels: GR-07 · High · Reproduced · fix ordered; Control holds · Retest · Passed; OWASP · PTES · Reproduction steps included.]

OWASP · PTES · MITRE ATT&CK · Certified offensive-security practitioners · Retest on fixes included

Three reasons teams commission a test.

A customer or auditor asked

A contract, a security questionnaire, or an assessor wants evidence of independent technical testing. You need a report written to be read by their security team, not just yours, with a summary you can share under NDA.

Something significant is about to ship

A new platform, a major feature, an acquisition's estate joining yours. The cheapest time to find the exploitable path is before it carries production data and customers.

Controls deployed, never pressure-tested

MFA, segmentation, and detection are stood up, and nobody has confirmed they hold under an actual adversary's hands. Validation replaces assumption with evidence.

What you are commissioning

The engagement, as a term sheet.

One named engagement from the Assess track backs this page. Scope, rules of engagement, and price are fixed in writing before testing starts.

Assess track · Scoped · Typically 1–3 weeks per scope

Penetration Test and Control Validation

Confirm the controls you rely on actually hold.

Best for teams needing technical proof, not just a paper review.

Includes

  • Hands-on testing of network, application, or cloud, scoped to your estate
  • Run to recognised methodologies: OWASP for applications, PTES and MITRE ATT&CK for adversary emulation
  • Delivered by certified offensive-security practitioners
  • Findings with clear reproduction steps and remediation guidance

Deliverables

  • Test report with severity ratings
  • Validated control findings
  • Retest on fixes

The standardised assessments are fixed-fee. Every other engagement is scoped and priced in writing before you commit, from a one-off review to a managed service.

The method

How the test is run.

01

Scoped by engineers, not salespeople

Scope is set against your estate and risk: external and internal network, web applications and APIs, or cloud, each defined precisely with rules of engagement and testing windows agreed before work begins. No vague day-rate sprawl.

02

Methodology you can cite

Application testing follows OWASP; engagement phasing follows PTES; adversary emulation maps to MITRE ATT&CK techniques relevant to your estate. When your customer's security team asks how the test was run, the answer is a named method, not a vendor's habit.

03

Findings built to be fixed

Every finding carries clear reproduction steps, a severity rated by exploitability and blast radius rather than scanner defaults, and a remediation order. Your engineers should never have to reverse-engineer the report.

04

Validation, then proof

We test the control as designed: does MFA actually gate the path, does the alert actually fire, does the segment actually hold. After you remediate, the retest confirms the fix and updates the report, so the artefact you hand a customer reflects the estate as it now stands.

Beyond the report

A test that feeds the program.

A penetration test that ends at the PDF is a missed opportunity. Run within the Assess track, the findings can flow straight into a risk-ranked gap register and a costed remediation path.

  1. Findings land in the same register format as the wider diagnostic
  2. Remediation can be delivered under Build, by us, your partner, or your team
  3. Each subsequent test then measures movement, not just exposure

Questions

What teams ask about this engagement.

What can be in scope?

External and internal network, web applications and APIs, and cloud environments, individually or together, with the approach (black, grey, or white box) agreed up front. Each scope is defined and priced in writing before testing begins, typically one to three weeks per scope.

Will testing disrupt production?

Rules of engagement are agreed before any traffic is sent: testing windows, exclusions, escalation contacts, and a stop condition. Exploitation that risks availability is only performed where the rules of engagement explicitly allow it.

Who performs the testing?

Certified offensive-security practitioners from the practice's senior team, under the same engagement terms as everything else we do: a master services agreement, mutual NDA, and professional indemnity and cyber liability cover.

Can we share the results with customers?

Yes. Alongside the full technical report you receive a summary letter of engagement and outcome written for third parties, suitable for sharing with customers and assessors under NDA, and the retest updates it once fixes land.

How often should we test?

At least annually, and on significant change: a new product surface, a major architectural shift, or an acquisition. Standards you may answer to ask for the same; PCI DSS, for example, expects testing annually and after significant changes.

Alvor Advisory

Scope it before you commit to it.

One conversation, then the scope and the price in writing. Your enquiry arrives already marked for penetration testing.

© 2026 Alvor, Inc. All rights reserved.
