
Our Services

Penetration Testing
Built for Every Surface

Every engagement is scoped, conducted, and reported by experienced practitioners — not automated scanners. Choose from eight test types, each delivered as a standalone engagement on your schedule.

01

Web Application Pentest

Find what attackers find — before they do.

Duration: 5–10 business days
Typical for: SaaS platforms, e-commerce, internal tooling, customer portals

Our web application penetration tests go far beyond automated scanning. Our testers manually probe every input, authentication flow, and business logic path in your application to uncover vulnerabilities that scanners miss. We follow both the OWASP Testing Guide and PTES methodology, tailoring the engagement to your application's tech stack and risk profile.

What We Test

  • Authentication & session management flaws
  • Injection — SQL, NoSQL, command, LDAP, XPath
  • Cross-site scripting (reflected, stored, DOM)
  • Broken access control and IDOR
  • Business logic vulnerabilities
  • CSRF and clickjacking
  • XML/JSON deserialization issues
  • Security misconfigurations and verbose errors
  • Sensitive data exposure and weak cryptography
  • Third-party component vulnerabilities

What You Receive

  • Executive summary with risk ratings
  • Full technical findings with CVSS scores
  • Step-by-step reproduction evidence
  • Prioritised remediation guidance
  • Free retest within 90 days
  • Reference-linked to OWASP, CWE, and CVE

02

API Security Testing

APIs are the new perimeter — test them like one.

Duration: 3–7 business days
Typical for: Mobile back-ends, microservices, partner integrations, public APIs

Modern applications rely on APIs for everything, yet API security is often an afterthought. We assess REST, GraphQL, gRPC, and SOAP interfaces for the full range of API-specific attack classes, using real attacker tooling rather than generic scanners. We work from your OpenAPI/Swagger spec or through black-box discovery.

What We Test

  • Broken object-level authorisation (BOLA/IDOR)
  • Broken authentication and JWT weaknesses
  • Excessive data exposure in responses
  • Rate limiting and resource exhaustion
  • Mass assignment and parameter pollution
  • GraphQL introspection and query depth attacks
  • Insecure direct object references
  • Server-side request forgery (SSRF)
  • Injection via API parameters
  • Improper API versioning exposure

What You Receive

  • OWASP API Security Top 10 coverage report
  • Annotated API request/response evidence
  • Severity-ranked findings
  • Fix guidance per endpoint
  • Free retest within 90 days
  • CI/CD integration recommendations

03

Network & Infrastructure Pentest

Map your exposure before attackers do.

Duration: 5–10 business days
Typical for: Offices, data centres, hybrid cloud environments, OT/ICS adjacent networks

We simulate external attackers trying to breach your perimeter and internal threats moving laterally through your network. Engagements cover everything from internet-exposed services to internal segmentation, Active Directory misconfigurations, and legacy protocol weaknesses.

What We Test

  • External perimeter — open ports, exposed services
  • VPN and remote access vulnerabilities
  • Active Directory misconfigurations and privilege escalation
  • Lateral movement opportunities
  • Weak or default credentials
  • Unpatched CVEs and missing hardening
  • Network segmentation and VLAN bypass
  • SMB, RDP, and legacy protocol abuse
  • Internal DNS and LLMNR/NBT-NS poisoning
  • Firewall rule review

What You Receive

  • Network topology and exposure map
  • Risk-rated findings with exploitation evidence
  • AD hardening recommendations
  • Firewall and segmentation review notes
  • Free retest within 90 days
  • CIS benchmark alignment guidance

04

Red Team Exercise

A full adversarial simulation against your organisation.

Duration: 2–6 weeks
Typical for: Mature security teams, regulated industries, pre-M&A security validation

Red team exercises test your organisation's ability to detect and respond to a sustained, multi-vector attack campaign — not just your technical defences. Our operators follow MITRE ATT&CK TTPs from initial access through to objective completion, giving your blue team a realistic measure of detection capability.

What We Test

  • Initial access — phishing, credential stuffing, supply chain
  • Persistence and privilege escalation
  • Lateral movement and credential harvesting
  • Exfiltration and C2 communications
  • EDR and SIEM evasion techniques
  • Physical access attempts (optional)
  • Social engineering against staff
  • Cloud and SaaS pivot paths
  • Objective-based compromise (data, admin, financial)
  • Detection and response capability

What You Receive

  • Full attack narrative with timeline
  • ATT&CK matrix heatmap of techniques used
  • Detection gap analysis
  • Blue team debrief session
  • Prioritised remediation roadmap
  • Executive-ready presentation

05

Mobile App Pentest

iOS and Android — tested at the binary level.

Duration: 5–8 business days
Typical for: Consumer apps, fintech, healthcare, enterprise mobile tools

We assess both the client-side application and its back-end API surface. Testing covers static analysis of the application binary, dynamic analysis of runtime behaviour, and traffic interception, on both iOS and Android, assessed against the OWASP Mobile Application Security Verification Standard (MASVS).

What We Test

  • Insecure data storage (keychain, SharedPrefs, SQLite)
  • Improper platform usage and permissions
  • Traffic interception and certificate pinning bypass
  • Authentication and authorisation flaws
  • Code tampering and reverse engineering resistance
  • Insecure communication channels
  • Client-side injection
  • Hardcoded secrets and API keys
  • Third-party SDK vulnerabilities
  • Deep link and IPC abuse

What You Receive

  • OWASP MASVS / MSTG-aligned report
  • Static and dynamic analysis findings
  • PoC screenshots and network captures
  • Platform-specific fix guidance
  • Free retest within 90 days
  • App store compliance notes

06

Cloud Configuration Review

One misconfigured bucket can end a company.

Duration: 3–6 business days
Typical for: AWS, Azure, GCP environments — startups to enterprise

Cloud misconfigurations remain one of the leading causes of breaches. We review your AWS, Azure, or GCP environment against the CIS Benchmarks and well-architected frameworks, identifying over-permissive IAM policies, publicly exposed storage, weak logging, and insecure network configurations.

What We Test

  • IAM roles, policies, and privilege escalation paths
  • Publicly accessible storage buckets and blobs
  • Security group and firewall rule misconfigurations
  • Logging, monitoring, and alerting gaps
  • Secrets in environment variables and metadata
  • Container and Kubernetes security (EKS, AKS, GKE)
  • Serverless function security
  • Identity federation and SSO misconfiguration
  • Snapshot and backup exposure
  • Compliance posture (SOC 2, ISO 27001, PCI DSS)

What You Receive

  • CIS Benchmark-aligned findings
  • IAM privilege escalation path diagrams
  • Risk-prioritised remediation list
  • Terraform / IaC remediation snippets where applicable
  • Free retest within 90 days
  • Compliance mapping to relevant frameworks

07

Physical Security Testing

Locks, badges, and cameras are not enough.

Duration: 1–3 days on-site
Typical for: Offices, data centres, warehouses, financial institutions

Physical security controls are only as strong as the humans and processes enforcing them. Our operators attempt to gain unauthorised access to your facilities using real-world techniques — from tailgating and badge cloning to social engineering receptionists — to identify gaps in your physical security posture.

What We Test

  • Perimeter and entry point controls
  • Tailgating and piggybacking attempts
  • Badge and RFID cloning
  • Social engineering of reception and facilities staff
  • Server room and data centre access controls
  • Rogue device placement (Wi-Fi, USB implants)
  • CCTV blind spots and camera coverage
  • Dumpster diving and document disposal
  • Visitor management processes
  • Employee security awareness

What You Receive

  • Detailed narrative of each attempt
  • Photographic evidence (where permissible)
  • Physical control gap analysis
  • Process and policy recommendations
  • Staff awareness training recommendations
  • Executive debrief

08

Social Engineering

Your staff are the most-targeted attack surface.

Duration: 1–2 weeks per campaign
Typical for: All organisations — especially finance, HR, IT helpdesk teams

Attackers know that technical defences can often be bypassed by simply asking the right person. We run realistic phishing, vishing, and pretexting campaigns to measure how susceptible your staff are to manipulation — and use the results to inform targeted security awareness training.

What We Test

  • Spear phishing — credential harvesting and payload delivery
  • Bulk phishing — click and open rate measurement
  • Vishing — phone-based pretexting against staff
  • Business email compromise (BEC) simulation
  • SMS phishing (smishing)
  • Help desk impersonation
  • Executive impersonation
  • Supplier/vendor pretexting
  • Multi-stage combined phishing + vishing
  • Post-compromise persistence via staff access

What You Receive

  • Campaign metrics — click, open, credential submission rates
  • Department and role-level breakdown
  • Anonymised individual risk scoring
  • Tailored training recommendations
  • Phishing template analysis
  • Repeat campaign to measure improvement

Included in Your Subscription

Retesting is part of the deal.

Once a test is complete and your team has worked through the findings, you can book a retest directly through the client portal. There's no separate charge — retesting is included in your subscription.

A retest typically takes roughly half the time of the original engagement, sometimes less. The tester isn't starting from scratch: they focus specifically on the vulnerabilities that were identified, verifying that each finding has been properly remediated and that the fix hasn't introduced any new issues in the process.

This closes the loop on your security programme and gives you documented evidence of remediation — useful for audits, compliance requirements, and internal sign-off.

How Retesting Works

  1. Original test completes

     Your report is delivered with all findings, severity ratings, and remediation guidance.

  2. You remediate

     Your team works through the findings on your own timeline. No pressure to rush.

  3. Book the retest via portal

     When you're ready, submit a retest request through the client portal. It's linked to your original engagement automatically.

  4. Tester verifies fixes

     The same tester checks each finding, confirming it's resolved, partially fixed, or still present. Typically takes half the original duration.

  5. Updated report issued

     You receive an updated report showing remediation status for every finding, suitable for auditors or compliance teams.

Get Started

Ready to find your gaps?

Book a 30-minute scoping call. We'll recommend the right test type, scope the engagement, and have a quote to you within 24 hours.