Automated scanners produce lists of CVEs. Our engineers produce a blueprint of how an adversary would breach your network — mapping trust relationships, chaining exploits, and demonstrating real business impact.
The same engineer who scopes your engagement conducts the assessment and writes the report — using PTES methodology. No offshore subcontractors. No handoffs. Engagements start at $8,000 for a single-site internal or external assessment — scoped and quoted before any commitment.
Automated scanning has a role in a security program — but it cannot replace human adversarial reasoning. Here is why the distinction matters for your organization.
Nessus, Qualys, and OpenVAS match banners and CVE signatures against a database. They cannot reason about what a finding means in your environment — the flaws behind real breaches require human judgment to identify, chain, and exploit:
These flaws emerge from design decisions made over years, often by different engineers. Finding them requires mapping your environment the way an adversary would — spotting where the implementation diverged from the design intent:
The most impactful breaches rarely hinge on a single critical CVE. Real attackers chain low- and medium-severity findings into complete network compromise — analysis that tools alone cannot perform:
We follow the Penetration Testing Execution Standard (PTES) — a structured, reproducible framework that ensures consistent, defensible, and thorough assessments every engagement.
We define the assessment boundary in writing: IP ranges, excluded systems, testing hours, emergency contacts, and authorization signatures. Rules of engagement are established before any probe is sent. Scoping calls include your network team and, where relevant, your CISO or legal counsel.
Passive OSINT (DNS records, BGP prefixes, certificate transparency logs, Shodan, LinkedIn enumeration of network staff) followed by active reconnaissance: port scanning, service fingerprinting, SMB enumeration, SNMP community string testing, and LDAP anonymous binding. We build a comprehensive asset inventory that your team often does not have internally.
Using the asset inventory and OSINT data, we identify likely attack paths and prioritize testing effort toward the highest-impact vectors: domain controllers, certificate authorities, edge devices, management interfaces, and inter-VLAN trust relationships. This prevents wasted time on low-value targets.
Manual analysis of identified services for misconfigurations, unpatched software, weak authentication, protocol-level vulnerabilities (e.g., LLMNR/NBT-NS poisoning susceptibility, Kerberoastable SPNs, AS-REP roasting candidates, SMB signing disabled), and default credentials. CVSS v3.1 base scores are calculated for each finding at this stage.
Controlled exploitation of confirmed vulnerabilities with the goal of demonstrating real business impact. Post-exploitation includes lateral movement through the environment, privilege escalation to domain or local administrator, credential harvesting from memory and disk, and persistence mechanism identification. All exploitation is performed with care to avoid production impact.
A full written report is delivered within 72 hours of test completion. It includes an executive summary, technical findings with CVSS scores and step-by-step reproduction procedures, a prioritized remediation roadmap, and an attestation letter suitable for auditors. We schedule a report walkthrough call with your technical and executive teams.
Every network penetration test engagement produces a complete package of documents — engineered for both your technical team and your auditors.
A 2–3 page narrative written for board members, CISOs, and non-technical stakeholders. Explains the overall risk posture, most critical findings, and recommended priorities without requiring technical background to understand.
Full details for every finding: CVSS v3.1 base score, affected asset, attack vector, step-by-step reproduction procedure, proof-of-concept evidence (screenshots, command output), and specific remediation guidance. Findings are sorted by severity.
A prioritized action plan organizing findings by risk tier (Critical, High, Medium, Low) with estimated remediation complexity and recommended sequencing. Designed to help your engineering team plan sprint work and allocate resources efficiently.
A signed letter confirming that a qualified, manual penetration test was conducted within a specific date range and scope — formatted for submission to SOC 2 auditors, PCI QSAs, and HIPAA assessors. Satisfies the evidence requirement for multiple compliance frameworks.
Regulatory and framework requirements have become increasingly specific about what qualifies as an acceptable penetration test — and automated scanning does not meet the bar for most of them.
PCI DSS v4.0.1 requires internal and external penetration tests at least once every 12 months — and after any significant infrastructure or application change — following a documented methodology that covers the entire CDE perimeter and critical systems (Reqs. 11.4.1–11.4.3, PCI Security Standards Council, June 2024).
Addressable safeguard requiring covered entities to regularly evaluate technical security measures protecting ePHI, which auditors increasingly interpret to require formal penetration testing.
The entity identifies and assesses changes that could significantly impact the system of internal control, including penetration testing as part of the risk assessment process.
Annual penetration testing of information systems — from both inside and outside the systems' boundaries — plus vulnerability scanning at a risk-assessment-determined frequency and promptly after material system changes, for covered financial institutions operating in New York.
Genuine exploitation is hands-on work: obtaining proof-of-exploitation from live machines in a real network environment, chaining findings across systems, and demonstrating impact without leaning on automated exploitation frameworks. It is the standard for hands-on competency because it cannot be faked with a scanner export or a reformatted CVE list.
Fortress MSSP was built on the principle that the same hands that scope the engagement should be doing the testing, not supervising offshore teams running scan-and-report engagements.
Attackers don't wait for your annual audit cycle. A vulnerability introduced in February is live until your October pentest finds it — 8 months of exposure. Continuous testing closes that window.
Rather than a single point-in-time assessment each year, a continuous testing subscription delivers quarterly network penetration tests with monthly vulnerability scan triage — building a longitudinal picture of your security posture and catching new exposures as they emerge.
The network tier of our PTaaS program — quarterly network pentests + monthly vulnerability triage + continuous monitoring
15% below the equivalent four standalone engagements (from $8,000 each)
Engagements scheduled quarterly on a rolling basis. First test typically begins within 3 weeks of subscription activation. Subscription minimum: 12 months.
Every engagement starts with a no-cost scoping call. We will assess your environment, define a realistic scope, and give you an honest estimate — before any commitment.