
Find the gaps before an attacker does.

Engineering-led, intelligence-informed penetration testing — scheduled, scoped, adversarial validation of your security posture, with every finding rated against your real-world risk.

What it is

Penetration testing is our Technical Assurance practice — offensive, point-in-time validation of your security. Where our managed services defend and operate your environment continuously, Technical Assurance attacks it on a defined schedule, using the same tactics, techniques, and procedures we defend against in our MDR practice, applied from an attacker's perspective. Every finding is validated, rated against your actual environment, and paired with prioritised remediation guidance you can act on.

Test types

Eight independently scoped test types. Engagements frequently combine several — a common compliance-driven programme is External + Internal + Web Application with a re-test.

External penetration test

Identify and exploit vulnerabilities in your internet-facing systems, applications, and remote-access surfaces — before an attacker does.

Internal penetration test

Simulate a malicious insider or a breached foothold — lateral movement, privilege escalation, and the real blast radius of a compromise.

Web application assessment

OWASP Top 10, authentication and authorisation logic, business logic, and the supporting API surface of a specific web application.

Mobile application assessment

iOS and Android applications and their backends, tested against the OWASP MASVS — storage, cryptography, authentication, and resilience.

Wireless penetration test

Encryption, authentication, segmentation, and rogue-device exposure across your wireless networks and the wired networks they bridge to.

Cloud penetration test

Misconfiguration, excessive privilege, and weak identity controls across Azure, AWS, and GCP — aligned to provider baselines and CIS Benchmarks.

Social engineering

Authorised phishing and credential-harvesting campaigns — and, where scoped, vishing and physical vectors — to test how your people respond.

Vulnerability scan & report

Authenticated or unauthenticated scanning with manually validated, prioritised reporting. Authenticated scans include a full credentialed configuration review of the in-scope hosts.

Approach & standards

Manual-led, to recognised methodologies.

Automated scanning is used for coverage, but exploitation, business-logic testing, and severity validation are performed by the tester. Every engagement runs under signed authorisation and agreed rules of engagement — black, grey, or white box; authenticated or unauthenticated; remote or on-site; in or out of hours.

  • PTES
  • OSSTMM
  • NIST SP 800-115
  • OWASP WSTG
  • OWASP Top 10
  • OWASP API Top 10
  • OWASP MASVS
  • CIS Benchmarks
  • MITRE ATT&CK

What you get

  • Executive summary

    Risk posture and key findings in business language, for senior leadership.

  • Technical report

    Each finding with enough detail to reproduce, evidence, and affected assets.

  • Context-based risk analysis

    Severity validated against your actual environment — not raw scanner output.

  • Prioritised remediation guidance

    Actionable recommendations for immediate fixes and longer-term improvement.

  • Re-test to confirm closure

    Verification that corrected findings are resolved — often required for compliance evidence.

Compliance

Testing that supports your obligations.

Common frameworks expect regular penetration testing as evidence of effective security. The table below is a scoping starting point — not a compliance opinion. Confirm the precise requirement and cadence with your auditor, QSA, or regulator.

Driver                  Supported by                                                      Typical cadence
PCI DSS v4.0.1          External, Internal, Web App, Vulnerability Scan                   Annually and after significant change
ISO 27001:2022          External, Internal, Web App, Cloud                                Annually / on significant change
SOC 2                   External, Internal, Web App, Cloud                                Annually (auditor-dependent)
DORA                    Supports the wider testing programme; TLPT is enterprise-scope    Programme-based; TLPT at least every three years for entities designated for it
NIS2                    External, Internal, Web App, Cloud, Vulnerability Scan            Risk-based, periodic
GDPR & cyber insurance  Any relevant type; social engineering for the human dimension     Regularly / typically annual

Why Sunwell

We test the way we defend.

Our testers use the same tactics, techniques, and procedures we defend against every day in our MDR practice, and hold recognised offensive certifications (OSCP, CEH, PNPT) — so findings reflect how real adversaries operate, not a checklist.

Context-based severity, not scanner output.

Testing is manual-led with tool assistance. Every finding is validated by hand and re-rated against your actual environment, so you act on real business risk — not a raw CVSS number.

Built for remediation.

Clear, prioritised guidance and re-testing to confirm fixes — and, where you need it, the engineering teams to help you close the gaps, not just report them.

Ready to get started?

Whether you have a specific project in mind or want to understand how we can help, we'll start with an honest conversation.

Talk to us