Manual Penetration Test

An automated vulnerability scan will hand you a list of unlocked windows. What it cannot tell you is that the unlocked bathroom window opens onto the landing that leads to the office where you keep the safe - or that the key to the front door is kept under the flower pot outside. Scanners find findings; attackers find attacks, and the two are not the same. Automated security tools have uses - and we use them. Nevertheless, there is, as yet, no substitute for human reasoning for going from security findings to the path through those findings an adversary might utilise.

Our Manual Penetration Test engagements are grey-box assessments that identify and demonstrate realistic vectors for attacks, and draw on similar information to what attackers actually know about systems to do so. We aim to complete a thorough test in a focused window. Automated scanners have their place, and we use them to cover breadth, but they produce noise, miss anything requiring judgement, and cannot chain a series of individually minor weaknesses into a serious compromise. Skilled human testers can, because that is precisely what real attackers do.

Grey-Box Testing

Our Manual Penetration Test service is a grey-box test, and this separates it from a fully realistic attack simulation - as we aim to provide with our Red Teaming engagements - on both ends of the life cycle of an attack: reconnaissance and post-exploitation.

Reconnaissance. We work with a degree of pre-knowledge about the architecture of your system, which lets us spend our time on depth rather than reconnaissance. While this somewhat reduces realism, it saves time and can increase the comprehensiveness of the test. This pre-knowledge does not extend to precise details of your systems, only to the general information needed to identify attack paths worth pursuing.

Post-Exploitation. A core aspect of a real attack is what happens after an attack - evading detection by security teams, lateral movement to compromise additional systems, escalating privileges to gain access to the actual target of the attack. Our Manual Penetration Test engagements simplify or eliminate these steps as we primarily are testing the ability of an attacker to compromise your systems - not the effectiveness of your organisation at responding to an attack. This engagement does not involve testing how security operation centres or other security teams perform at detecting and responding to an attack, or the ease with which an attacker already inside a system could exfiltrate or compromise critical data. Those seeking such testing should consider our Red Teaming or Breach Impact engagements instead. Our Manual Penetration Tests merely demonstrate attack paths, and stop short of testing our ability to acquire undetectable, persistent access to your systems.

Looking For The Chain

Most security weaknesses are not individually catastrophic. Real attackers rarely compromise an organisation through a single dramatic flaw. More commonly, they begin with a small foothold and gradually expand it. A minor information disclosure reveals useful details about a system. A weak access control allows access to additional functionality. A privilege escalation turns limited access into administrative control.

Our objective is therefore to understand how vulnerabilities interact. We focus on realistic routes an attacker could take through a system and the obstacles and opportunities they would encounter. A penetration test is an investigation into how weaknesses combine into opportunities for compromise. This approach naturally includes technical issues such as authentication flaws, broken access control, injection vulnerabilities, insecure configuration, and business-logic weaknesses. However, the value of the engagement comes from understanding how they fit together into a coherent attack, and synergise with human process issues.

What You Receive

The purpose of a penetration test is to provide a clear understanding of how identified weaknesses could affect your organisation in practice. Our reporting therefore focuses on what a given attack pathway actually means and what remediation steps should happen next. The objective is a practical roadmap for making future compromise more difficult.

Every confirmed finding is assessed in business context rather than solely through technical severity metrics. We distinguish clearly between vulnerabilities we successfully exploited, issues we observed but did not exploit, and broader security concerns identified during the engagement. Findings are prioritised according to their realistic impact on your organisation so that remediation effort can be directed where it will achieve the greatest reduction in risk.

The final report is written for multiple audiences simultaneously. Executive and operational leadership receive a clear explanation of the significance of the findings, while technical teams receive sufficient detail to reproduce, understand, and remediate issues confidently. Where requested, our engagements can include a consultation meeting to advise or review remediation work aimed at closing attack paths we identified.