CREST-accredited · senior team

Penetration testing with named testers, not a black box

CREST-accredited penetration testing delivered by the same senior consultants from scoping call to retest. Daily updates, one-hour critical escalation, and a retest included.

Book a scoping call

Test types we cover

External network

Black-box and grey-box testing of your internet-facing perimeter — firewalls, VPNs, remote services, and exposed APIs.

Web application

OWASP Top 10 coverage with authenticated role-based testing, business logic abuse, and client-side attack chains.

Internal network

Simulated insider and assumed-breach scenarios across Active Directory, cloud workloads, and flat network segments.

Cloud configuration

IAM, network, and workload review across AWS, Azure, and GCP, mapped to CIS Benchmarks and provider guidance.

API & mobile

REST/GraphQL API fuzzing, token and session abuse, plus iOS and Android app testing including runtime inspection.

Red team & phishing

Objective-led engagements against detection and response, with optional social engineering and phishing payloads.

Sanitized sample report

See exactly what your report will look like. We send a redacted external-network and web-application report — CVSS scoring, reproduction steps, and remediation guidance included — in exchange for a work email.

Available sample reports

Pick the report closest to your scope and we will send a sanitized copy to your work email.

  • Sample Report: TESTing IV

Our methodology

  1. Scoping

    We run a 30-minute scoping call, issue a fixed-fee proposal, and sign an MSA + rules of engagement.

  2. Kick-off

    Named lead tester introduces themselves, confirms scope, targets, and comms channels, and agrees testing windows.

  3. Testing

    Daily stand-ups, a live findings channel, and critical-issue escalation inside one hour of discovery.

  4. Reporting

    Draft report within five working days of test end, including executive summary, CVSS-scored findings, and reproduction steps.

  5. Retest

    Free retest of all High and Critical findings within 90 days, with an updated attestation letter.

Frequently asked questions

Are your pen tests CREST accredited?

Yes. Cyvex is a CREST-accredited company for CREST Pen Test. Every lead tester holds CREST CRT or OSCP, and most hold CCT INF or OSCE.

Can I see a sample pen test report before I buy?

Yes. Request a sanitized sample report using the form below — we will share a redacted external-network and web-application report so you can see our writing, CVSS scoring, and remediation detail before committing.

How long does a penetration test take?

A typical SME external + web-app test runs 5–10 working days end-to-end, with a further 5 working days for reporting. Larger or red team engagements run 3–6 weeks.

How much does a penetration test cost?

Most SME engagements land between $7,500 and $22,500 depending on scope and test type. We issue a fixed-fee proposal after a 30-minute scoping call.

What happens if a critical issue is found mid-test?

We escalate Critical and High findings through an agreed comms channel within one hour of discovery, with enough detail for your team to triage immediately — you do not have to wait for the report.

Do you offer a retest?

Yes. A retest of all High and Critical findings is included within 90 days of the final report, with an updated attestation letter for customers, auditors, and insurers.

Book a 30-minute scoping call

Fixed-fee proposal within 48 hours. Named lead tester, CREST-accredited methodology, and a free retest of High and Critical findings within 90 days.

Related insights and breach analysis

Recent reporting and incidents that connect to this service.

  • Insight: Zero-Day Vulnerabilities Exploited in May 2026

    Hackers have been exploiting zero-day vulnerabilities in popular software applications, highlighting the importance of timely patching to mitigate security risk

    2026-05-08

  • Breach report: Dirty Frag: A new Linux privilege escalation vulnerability is already in the wild

    Dirty Frag: unpatched Linux kernel flaw grants root access on Ubuntu, RHEL and Fedora. A working exploit is already public. Security researchers have disclosed a new unpatched vulnerability in the Linux kernel, code-named Dirty Frag, that allows an unprivileged local user to gain full root access on most major Linux distributions, including Ubuntu, RHEL, Fedora, […]

    2026-05-08

  • Breach report: U.S. CISA adds a flaw in Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities catalog

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a flaw in the Palo Alto Networks PAN-OS, tracked as CVE-2026-0300 (CVSS score of 9.3), to its Known Exploited Vulnerabilities (KEV) catalog. The flaw is a buffer […]

    2026-05-07

  • Breach report: Cisco Patches High-Severity Vulnerabilities in Enterprise Products

    Successful exploitation of the flaws could lead to code execution, server-side request forgery attacks, and denial-of-service conditions.

    2026-05-07