// How we work
A methodology built on
transparency and rigour.
Every Betasec engagement follows a consistent, documented process — from the first call to the final retest. No surprises. No scope creep. No undefined handoffs.
01
Phase one
Scoping & Legal

Before anything technical happens, we align on what's in scope, what's off-limits, who the contacts are, and what success looks like. You receive an NDA and a Rules of Engagement (RoE) document to sign before any work begins. This phase defines the engagement — and protects both parties.

Scoping call
We understand your environment, objectives, constraints, and deadlines. We ask the questions a good pentest partner should ask.
NDA & RoE
Non-disclosure agreement and rules of engagement are signed. Scope, IP ranges, and emergency contacts are defined and locked.
Fixed proposal
You receive a fixed-price proposal with timeline, deliverables, and scope. No surprises, no hourly billing.
NDARules of EngagementFixed-price contractEmergency contacts
02
Phase two
Reconnaissance

We map your attack surface the way a real attacker would — passively first, then actively. OSINT collection, subdomain enumeration, employee profiling, technology fingerprinting, and public exposure analysis give us a picture of your real-world footprint before a single packet is sent to your systems.

Passive OSINT
LinkedIn, job postings, GitHub, Shodan, certificate transparency logs — we find what's already public without touching your systems.
Asset discovery
Subdomain enumeration, IP range identification, technology stack fingerprinting and forgotten assets that shouldn't be exposed.
Attack surface map
A documented map of all discovered assets, technologies, and entry points that informs the exploitation phase.
ShodanSubfinderAmasstheHarvesterRecon-ngCertificate transparency
03
Phase three
Exploitation

The core of the engagement. We manually test each attack vector identified during recon, using controlled techniques to confirm exploitability, chain vulnerabilities where possible, and establish the real business impact. We don't just report scanner output — every finding is manually validated and understood.

Manual testing
Senior engineers drive the testing. Automated tools assist — they don't lead. Every finding is validated by a human who understands context.
Vulnerability chaining
We chain low-severity issues into high-impact attack paths — showing you what an attacker would actually achieve, not just individual CVEs.
Safe exploitation
All testing is conducted within agreed RoE. We use controlled techniques, document every action, and avoid any risk to production availability.
Burp Suite ProMetasploitNmapBloodHoundImpacketCustom tooling
04
Phase four
Reporting

We write reports that people actually read. Every engagement produces two documents: an executive summary for leadership and a full technical report for your engineering team. No copy-paste scanner output, no 80-page PDFs full of noise. Findings are prioritised by real-world risk and paired with specific, actionable remediation steps.

Executive summary
A 3–5 page plain-English summary of what was found, the business risk, and what leadership needs to know and approve.
Technical report
Full vulnerability write-ups with CVSS scoring, evidence, reproduction steps, and specific remediation guidance for developers.
Debrief session
We walk through findings with your team, answer questions, and agree on a remediation timeline before closing the report phase.
CVSS v3.1 scoringEvidence-backedPrioritised findingsDebrief call
05
Phase five
Remediation & Re-test

The work isn't done when the report is delivered. We're available to answer your developers' questions during the remediation window, and once you're ready, we re-test every finding at no additional charge. You receive a remediation close-out report confirming what's been fixed and what — if anything — needs further attention.

Remediation support
Your engineering team can ask us questions during the fix window. We're available to clarify findings and advise on approach.
Free re-test
We validate each remediated finding against the original vulnerability. Re-testing is included in every engagement.
Close-out report
A final report confirming which issues are resolved, which are accepted risk, and any outstanding items — suitable for audits and compliance.
Fix validationClose-out reportCompliance-readyIncluded at no charge
// Frameworks & standards
We work to recognised standards.
OWASP
Testing Guide v4.2
The primary reference for web application security testing methodology.
PTES
Penetration Testing Execution Standard
Our foundational engagement framework covering all phases of a professional pentest.
MITRE
ATT&CK Framework
Adversary tactic and technique mapping used in red team and infrastructure engagements.
CVSS
Common Vulnerability Scoring System v3.1
Industry-standard severity scoring applied to every finding for consistent risk prioritisation.
NIST
SP 800-115
Technical guide to information security testing and assessment from the US National Institute of Standards.
MASVS
OWASP Mobile App Security Verification Standard
The benchmark for mobile application security assessments on iOS and Android.
CIS
Benchmarks (AWS / Azure / GCP)
Cloud configuration hardening benchmarks used in all cloud security review engagements.
GDPR
UK GDPR & Data Protection Act 2018
All engagements are conducted within UK data protection law. We are ICO registered.
// Our principles
How we operate, always.
Strict scope adherence
We never test systems outside the agreed scope, even if we discover adjacent vulnerabilities. Scope boundaries are absolute.
No data retention
Any data encountered or extracted during testing is securely deleted at engagement close. We never retain client data beyond delivery of the report.
Critical findings — immediate disclosure
If we find a critical vulnerability during testing, we notify you immediately — we don't wait for the final report.
Full documentation
Every action taken during an engagement is logged with timestamps, tools, and commands — a complete audit trail available on request.

"Penetration testing is a privilege — we're granted access to systems that organisations rely on. We take that seriously. Our job is to find problems, not create them, and to leave every environment exactly as we found it."

— Betasec, Rules of Engagement standard
// Get started
Ready to start?

Our scoping process is straightforward. Tell us what you need, and we'll handle the rest.

Request a Scope →