Controlled penetration testing. Executive-ready reports. Actionable remediation that actually works.
Manual, expert-led security testing that goes far beyond automated scanners. Every engagement is scoped precisely, executed methodically, and delivered with clarity. Click any service to open a full deep-dive.
We think like attackers, operate like operators, and report like executives.
Our penetration tests simulate real adversary techniques across web applications, internal networks, external perimeters, cloud infrastructure, and APIs. We don't run a scanner and call it a pentest — every finding is manually validated, chained, and contextualised for your business. You get proof of impact, not just a list of CVEs.
An attacker identifies a forgotten dev subdomain with a debug endpoint enabled. They use it to enumerate internal API routes, find a JWT with a static secret, forge admin tokens, and exfiltrate 40,000 patient records — all within 72 hours of initial access. This subdomain existed for 11 months before anyone noticed. We find these.
Executive Summary Report
Board-ready: risk posture, key findings, business impact
Full Technical Report
Every finding: proof-of-concept, CVSS, exploitability, fix instructions
Developer Remediation Guide
Step-by-step fix instructions, code-level examples where applicable
Live Debrief Session
Expert walkthrough of every critical finding with your team
Full Retest Included
We verify every fix is genuine — not just patched on paper
A systematic, broad scan of your entire attack surface — every weakness catalogued and ranked.
Unlike a pentest, a vulnerability assessment is about breadth over depth — mapping every security weakness across your networks, servers, applications, and cloud services. Prioritised by real-world exploitability (not just CVSS), this is the foundation of a strong security programme and a prerequisite for most compliance frameworks.
A critical unpatched vulnerability in a legacy VPN appliance sits undetected for 9 months. Automated threat actors exploit it to gain initial access, establish persistence, and quietly harvest credentials before triggering ransomware. A quarterly VA catches this before the window opens — estimated damage avoided: R12M+.
Comprehensive Scan Report
Full inventory of all identified vulnerabilities
Risk-Ranked Vulnerability List
CVSS scores with real-world business context applied
Expert Remediation Guidance
Prioritised next steps for every critical and high finding
Tailored for dental practices, clinics, and medical SMEs protecting patient data.
Healthcare is the #1 most targeted industry for cyber attacks. Patient data is worth 25x more than financial data on the dark web — and the regulatory consequences of a breach are severe. We understand HIPAA, POPIA, and the specific threat landscape facing medical practices, telehealth platforms, EHR systems, and dental software.
A single phishing email compromises a receptionist account at a dental practice. The attacker pivots to the imaging server — which was on the same flat network — encrypts all patient X-rays, and demands a R500K ransom. Backups were on a network share accessible from the compromised account. Practice is down for 3 weeks. Total cost: R1.8M. We prevent this.
HIPAA/POPIA Gap Analysis
Control mapping, gaps identified, penalties quantified
Compliance Roadmap
Prioritised remediation plan with estimated effort and cost
Patient Data Protection Plan
Specific guidance for PHI security, backups, and access control
Know exactly where you stand against ISO 27001, POPIA, GDPR, HIPAA, and NIST.
We map your current security controls against target frameworks, identify every gap, and produce a structured roadmap to close them. Our audits aren't just checkbox exercises — we translate compliance requirements into practical, implementable controls that actually reduce your risk posture.
A South African SME processes customer financial data with no documented information officer, no data breach notification policy, and retention periods exceeding POPIA guidelines. Following a routine data leak, the Information Regulator opens an investigation. Potential fine: R10M. A POPIA audit 6 months earlier would have cost under R20K and prevented this entirely.
Framework Gap Analysis
Control-by-control mapping against your target standard
Compliance Roadmap
Phased remediation plan with realistic timelines and ownership
Policy Templates
Draft policies for the gaps identified in your audit
When it's happening right now — or after the smoke clears — we help you take back control.
Whether you've detected a breach, suspect an intrusion, or are recovering from ransomware — we provide forensic investigation, containment guidance, and hardening that prevents recurrence. We're also available for proactive IR planning before incidents occur, helping you build playbooks and response capabilities that mean you're never starting from zero.
A law firm discovers ransomware at 2am. With no IR plan, they spend 6 hours deciding who to call and what to shut down — during which the attacker exfiltrates an additional 20GB of client files. The unstructured response extends downtime from 3 days to 3 weeks. Organisations with tested IR plans contain breaches 74% faster and spend 58% less on recovery.
Forensic Investigation Report
Timeline of attack, root cause, evidence documentation
Containment & Eradication Plan
Clear actions to remove the threat and prevent re-entry
IR Playbooks (proactive)
Scenario-specific response procedures for your team
Three live tools that show you exactly what attackers already see — before you spend a rand on anything.
12 critical security controls. 90 seconds. Instant executive-grade breach exposure score across identity, backup, endpoint, and detection domains. See where you're most exposed right now.
START ASSESSMENT
Enter your domain. We run live DNS lookups, certificate transparency scans, Shodan port data, and RDAP WHOIS — and generate the exact intelligence file an attacker compiles before targeting you.
COMPILE MY DOSSIER
Select your industry and company size. Watch the financial damage tick up in real time — modelled on IBM Cost of Data Breach 2024 data. Puts R89M in visceral, ticking perspective.
START THE CLOCK
A proven 4-phase process built around how real attackers operate. No spray-and-pray. No bloated CVE lists. Just clear, actionable intelligence that leads to genuine risk reduction.
We map your full attack surface and build a threat model before touching a single system. Passive OSINT, DNS enumeration, certificate transparency, Shodan — the same starting point a real attacker uses. You approve scope. We begin.
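The certificate transparency step above is also the cheapest way for a defender to catch the "forgotten dev subdomain" from the earlier scenario: every publicly trusted certificate ever issued for your domain is logged, so hostnames that appear in CT logs but not in your approved asset inventory are the ones nobody is maintaining. The script below is an added example, not code from the original page or from the firm it describes. It assumes crt.sh-style JSON records with a `name_value` field (the records here are constructed, and `example.com` is a placeholder apex), normalises the names (case, trailing dot, wildcard prefix), keeps only in-scope hostnames, and reports those missing from the inventory.

```python
"""Reconcile certificate-transparency hostnames against an approved asset inventory.

Added example; it assumes crt.sh-style JSON (one object per certificate, with
newline-separated names in "name_value"). The records below are constructed.
"""
import json
import re

# Constructed sample in the shape crt.sh returns. Note the mixed case, the
# trailing dot, the wildcard entry and the unrelated look-alike domain.
CT_RECORDS_JSON = """
[
  {"name_value": "www.example.com\\nexample.com"},
  {"name_value": "api.example.com"},
  {"name_value": "*.example.com"},
  {"name_value": "dev-portal.example.com"},
  {"name_value": "Example.COM."},
  {"name_value": "notexample.com"}
]
"""

# Hypothetical approved inventory, as a CMDB or asset register would hold it.
APPROVED_INVENTORY = {"example.com", "www.example.com", "api.example.com"}

# Loose DNS hostname syntax check: labels of letters/digits/hyphens, a 2-63 letter TLD.
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalise(name):
    """Lower-case, drop a trailing dot, and strip a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(host, apex):
    """True if host is the apex itself or a subdomain of it (not a look-alike)."""
    return host == apex or host.endswith("." + apex)


def ct_hostnames(records_json, apex):
    """Unique, syntactically valid, in-scope hostnames seen in the CT records."""
    hosts = set()
    for rec in json.loads(records_json):
        for raw in rec.get("name_value", "").split("\n"):
            host = normalise(raw)
            if HOSTNAME_RE.match(host) and in_scope(host, apex):
                hosts.add(host)
    return hosts


def unknown_hosts(records_json, apex, inventory):
    """Hostnames with a logged certificate that the inventory does not account for."""
    known = {normalise(h) for h in inventory}
    return sorted(ct_hostnames(records_json, apex) - known)


if __name__ == "__main__":
    for host in unknown_hosts(CT_RECORDS_JSON, "example.com", APPROVED_INVENTORY):
        print(f"NOT IN INVENTORY: {host}")
```

Run against a real crt.sh export, the unknown-host list is the review queue for the asset owner: each entry is either decommissioned (certificate left to expire, DNS record removed) or added to the inventory with an owner and a patch cadence. The wildcard entry is deliberately collapsed to the apex, because a wildcard certificate says nothing about which hostnames actually exist; DNS enumeration, the other recon step named above, is what fills that in.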
Ethical, targeted testing simulating real adversary behaviour. No automated spray-and-pray. Every attack vector is manually tested, chained, and validated by a human expert. We find what scanners miss — including logic flaws, misconfigurations, and business-layer vulnerabilities.
Clear risk ratings, compliance impact, and business context — not just a CVE list. Every finding includes CVSS score, real-world exploitability rating, proof-of-concept evidence, and remediation instructions your developers can implement without a translator.
We guide the fix, then verify it. Retesting is included in every engagement to confirm every vulnerability is genuinely closed — not just patched on paper. You receive a final certification report suitable for auditors, clients, and insurers. Close the loop, not just the ticket.
Sector-specific threat knowledge. We know the regulations, the common attack paths, and the specific systems used in your industry — not generic security advice.
HIPAA-focused assessments for patient data, imaging systems, and practice management software.
Clinics, telehealth platforms, and EHR system security against the #1 targeted sector.
Client confidentiality, privileged communications, and ransomware resilience for law firms.
SaaS platforms, fintech, and API-driven products secured pre- and post-launch for investor readiness.
PCI DSS compliance, fraud prevention, and transaction security for financial operators.
OT/IT convergence, SCADA security, and supply chain risk in connected industrial environments.
Public sector compliance, critical infrastructure protection, and citizen data security.
Consulting, accounting, and advisory firms handling sensitive client and commercial data.
Real engagements. Real outcomes. Names and identifying details anonymised under NDA.
A 12-location dental group came to us after a failed compliance audit. We discovered unpatched dental imaging software with 3 critical CVEs, PHI exposed in misconfigured cloud storage accessible without authentication, and missing MFA on every admin account across all locations. Estimated regulatory fine exposure: R4.2M.
Our remediation roadmap was prioritised by risk and implemented in phases over 6 weeks. We guided the patching cycle, locked down storage permissions, and designed a new access control architecture before retest verification.
A startup building a patient portal hired us one month before their planned launch. We found SQL injection in the appointment booking API allowing full database read access, weak session management enabling session fixation attacks against active patients, and an exposed admin panel indexed by Google.
We provided developer-level remediation instructions for each finding. Working alongside their engineering team, all critical and high findings were resolved within 18 days. Launch proceeded on schedule with full sign-off.
We simulated a full ransomware attack chain against their environment. Achieved domain admin in 4 hours via Kerberoasting due to weak service account passwords and a flat, unsegmented network. Backup systems were reachable from any compromised workstation — they would have been encrypted simultaneously with production data.
We designed a segmented network architecture, implemented offline backup rotation, enforced service account password policies, and ran a tabletop IR exercise with partners and senior associates. A full retest 60 days later confirmed all attack paths were closed.
No surprise invoices. No scope creep fees. Every engagement includes a full retest and certification report.
All pricing in South African Rand (ZAR). Custom enterprise scoping available — contact us. View full pricing details →
Confidential consultation. No commitment. We'll tell you exactly what we'd test and what we'd expect to find — before you spend a rand.
> threat.level=UNKNOWN → schedule.consultation() → threat.level=MANAGED
We respond within 24 hours · All inquiries strictly confidential · Under NDA from first contact