Vancouver, BC nrcybersolutions.contact@gmail.com +1 (236) 818-8470

Penetration Testing

Web, mobile, API, cloud, and infrastructure testing — risk-ranked findings and retesting included.

Industry-aligned testing using OWASP, MASTG/MASVS, and standard network PT workflows. You get an executive summary for leaders, reproducible technical findings for engineers, and a complimentary retest to verify fixes.

What We Test

  • OWASP-aligned coverage for auth, access control, input handling, and business logic.
  • Manual + assisted testing (Burp/ZAP) for XSS, SQLi, CSRF, SSRF, IDOR.
  • Output: prioritized fixes and quick wins.
  • MASTG/MASVS-aligned static & dynamic testing (storage, crypto, cert pinning).
  • API traffic review, deeplinks/intents, build/signing hygiene.
  • Output: store-readiness issues and remediation guidance.
  • Spec + live discovery, authn/authz (BOLA/IDOR), rate limits, schema validation.
  • Endpoint-level findings with example requests.
  • External & internal PT, exposed services review (RDP/SMB/SSH/DB).
  • AD misconfig paths (Kerberoasting, delegation, stale objects).
  • Thick Client / Desktop: binary abuse paths, local storage, update channels, DLL hijacking, IPC/COM.
  • IAM, segmentation, storage exposure, keys/secrets, logging & monitoring.
  • Benchmarks: CIS + platform best practices; optional IaC/Terraform review.
  • Switch/router/firewall configs vs CIS (AAA, SNMP, logging, ACLs, mgmt plane).
  • Secure defaults and hardening plan.

Black Box

No credentials; closest to an unknown external attacker.

Grey Box

Limited context/standard test accounts; best value for time.

White Box

Full design/code/config access; deep coverage and faster root-cause.

Manual + assisted Evidence-based findings

How We Work

  1. Scope & Rules of Engagement — targets, windows, out-of-scope, safety.
  2. Kickoff — accounts, API specs, VPN/access, comms channel.
  3. Testing — manual + assisted techniques; evidence captured.
  4. Readout — exec summary + technical walkthrough with owners.
  5. Retest Included — verify fixes and update the report version.
Retest in 60 days Exec summary + Jira text

What You Get

  • Risk-ranked report (likelihood × impact), reproducible PoCs, screenshots.
  • Executive summary + technical ticket text for Jira/ServiceNow.
  • Remediation workshop (1–2 hours) and one retest within 60 days.
  • Compliance mapping (SOC 2, ISO 27001, PCI DSS 4.0, CCCS/ITSG-33, OSFI B-13).
  • Privacy alignment as applicable (PIPEDA, Quebec Law 25, PHIPA, BC/AB PIPA).

Canadian frameworks supported: CCCS/ITSG-33, OSFI B-13, SOC 2, ISO 27001, PCI DSS.

Packages

Essentials (Fixed-Fee)

  • 1 web app or small API
  • 3–5 test days
  • Retest included

Standard

  • Multi-app or app+API
  • Light infra add-on
  • 7–10 test days

Advanced / Red-Team-Lite

  • Grey-box plus cloud/AD attack-path validation
  • Custom scope
Book a PT consult See a sample report Add PT to my project Back to Security Solutions

Free 15-min call. No obligation.