Penetration testing is an authorized simulated attack on your systems, applications, or people — performed by security professionals to find and demonstrate real exploitable weaknesses before malicious actors do. The output is a prioritized report with reproduction steps and remediation guidance.
Frequently Asked Questions
Direct answers to the questions security leaders ask before commissioning a penetration testing engagement or red team exercise.
About Penteor
Penteor is a security consulting and penetration testing firm. These answers cover the most common questions we receive about how engagements work, what to expect, and how to begin.
15 questions answered · 2 languages (EN, RO) · response time under 1 day
All Questions
Scanners find known signatures and common misconfigurations. Penteor combines those with manual testing — chaining weaknesses into real attack paths, probing business logic, exploiting authentication flaws, and showing impact. You get validated, exploitable findings rather than a noisy CVE list.
Penteor tests organizations of every size across fintech, banking, healthcare, SaaS, retail, manufacturing, telecom, energy, government, legal, automotive, hospitality, and regulated industries. Each engagement is tailored to the threat model and compliance obligations of the sector.
Most engagements run 1–3 weeks of testing followed by reporting. Scope drives duration: a small web app is 5–8 days, a full external + internal network is 2–3 weeks, and a red team operation typically runs 4–8 weeks end-to-end.
Yes. Every engagement includes a free remediation retest within a defined window after the original report. We verify each fix against its original proof-of-concept and issue an updated report reflecting the current state.
Start by submitting the contact form. Penteor replies within one business day to schedule a scoping call — confidential, no-cost — to understand your target, threat model, and timeline. You receive a written proposal and fixed-price statement of work before anything begins.
Any organization shipping software, handling customer data, or subject to regulatory requirements (PCI DSS, HIPAA, ISO 27001, DORA, NIS2, SOC 2). Annual testing is the baseline; pre-launch, post-merger, and post-major-change tests sit on top of that cadence.
Scoping call → signed proposal + SOW → pre-engagement setup (accounts, access, rules of engagement) → active testing with daily findings for critical issues → draft report → debrief workshop → final report → remediation retest.
Penteor aligns to industry standards — OWASP Testing Guide and OWASP Top 10 for web, OWASP MASVS for mobile, PTES for infrastructure, MITRE ATT&CK for red team, and CIS Benchmarks for cloud and containers — combined with practitioner-driven manual techniques that scanners miss.
Every finding carries a CVSS score for technical severity plus a business-impact rating that reflects exploitability and blast radius in your environment. Reports lead with an executive summary, prioritized remediation roadmap, and reproduction steps for each issue.
A written report with executive summary, prioritized findings with CVSS scores, exploitation proofs, remediation guidance, and a compliance-ready attestation letter suitable for auditors, customers, and regulators.
You are ready when you have a defined target (application, network, cloud tenant, or user population), a stable environment to test, a nominated technical point of contact, and the time to act on findings. A scoping call clarifies all of this in under an hour.
Every engagement is covered by a mutual NDA before any access is granted. Test data stays encrypted at rest, is segregated per client, and is purged after the retention window expires. Client names and technical details are never referenced publicly without written permission.
Most engagements run fully remote: external, web, mobile, cloud, and API tests require nothing on-site. Internal infrastructure tests use our Penteor Testing Appliance (PTA), which ships to you and provides VPN-backed remote access. On-site work is available for wireless, physical, and social-engineering engagements.
Reports are delivered in English by default. Romanian reports are available on request. Debrief workshops and live communication can be held in either language, and the Penteor website is fully bilingual.
Still have questions?
Bring the decision you're facing.
We'll help you clarify it. Penteor replies within one business day and the first call is a no-cost fit conversation.