SYS STATUS ONLINE
OPERATOR SOUTH AFRICA
SESSION 00:00:00
INDEPENDENT
ETHICAL
EFFECTIVE

INSIDETHEHACKERSMIND. ONYOURSIDE.

Based in Umhlanga, Durban — expert penetration testing in South Africa for healthcare practices, dental clinics, and SMEs. Executive-ready reports. Actionable remediation that actually works.

0
DAYS AVG. BREACH
LIFECYCLE (IBM 2025)
R0
AVG. BREACH COST
SA 2025 (IBM)
0
ENGAGEMENTS
UNDER STRICT NDA
SCROLL
▸ Frameworks & Standards We Test Against
OWASP Top 10 MITRE ATT&CK PTES OSSTMM NIST CSF CIS Controls POPIA ISO 27001
Free Intelligence Tools

See Your Exposure. For Free.

Eight live tools that show you exactly what attackers already see — plus a full arsenal of free templates and frameworks. Before you spend a rand.

FREE TOOL

Risk Self-Assessment

12 critical security controls. 90 seconds. Instant executive-grade breach exposure score across identity, backup, endpoint, and detection domains. See where you're most exposed right now.

START ASSESSMENT
LIVE OSINT

The Hacker's Dossier

Enter your domain. We run live DNS lookups, certificate transparency scans, Shodan port data, and RDAP WHOIS — and generate the exact intelligence file an attacker compiles before targeting you.

COMPILE MY DOSSIER
FINANCIAL IMPACT

Breach Cost Clock

Select your industry and company size. Watch the financial damage tick up in real time — modelled on IBM Cost of Data Breach 2025 data. Puts R44.1M in visceral, ticking perspective.

START THE CLOCK
CVE INTELLIGENCE

Vulnerability Intelligence

Search any CVE ID or product name across NVD, CISA KEV, GitHub Advisories, and Exploit-DB in real time. Instantly see severity scores, known exploits, and whether a vulnerability is actively being weaponised.

SEARCH VULNERABILITIES
AI · OSINT

Reverse Image Search

Upload, paste, or extract a video frame. Claude's AI reads the image, runs multiple live web searches, and delivers a full OSINT report — original source, earliest known date, stolen art matches, meme variants, and propaganda trails.

TRACE THIS IMAGE
LINK SCANNER

Phishing Link Checker

Paste any suspicious URL. We run 16-point heuristic analysis, query Google Safe Browsing's threat database, and scan with VirusTotal's 90+ security engines — all in real time. Know before you click.

SCAN A LINK
SCOPING TOOL

Pentest Scoping Wizard

Define your engagement type, discover in-scope assets, set testing windows, and generate a signed-ready MOU and Nmap command — all in a guided 7-step wizard. No guesswork.

START SCOPING
CRACK TIME

Password Crack Time

Type any password. Instantly see how long it would take to brute-force — from a throttled login form, to a home gaming PC, to a nation-state supercomputer. 100% offline. Your password never leaves your browser.

TEST A PASSWORD
FREE DOWNLOADS

The Arsenal

31 battle-tested templates, policies, checklists, and frameworks used by real security teams. IRPs, pentest checklists, POPIA tools, NDAs, and more. Free. No login. No catch.

OPEN THE ARSENAL
LEARN

Cyber Awareness Training

Education resources and training programmes for your team.
OUR PROCESS

The Greyhat Protocol

How we operate, our ethics framework, and engagement process.
The Cost of Doing Nothing

What A Breach Actually Costs

Every figure below is sourced directly from IBM's 2025 Cost of a Data Breach Report — the industry's most comprehensive breach study, now in its 20th year. 600 organisations. 17 industries. South Africa included.

IBM COST OF A DATA BREACH 2025
SOURCE: IBM / PONEMON INSTITUTE · 600 ORGS · MAR 2024–FEB 2025
▸ SOUTH AFRICA — IBM 2025 REPORT
R44.1M
17% YoY
Average breach cost — South Africa
DETAILS
DOWN FROM R53.1M IN 2024
R70.2M
HIGHEST
Financial sector — costliest SA industry
DETAILS
FOLLOWED BY HOSPITALITY R57.5M
17%
#1 SA VECTOR
Breaches from supply chain compromise
DETAILS
CREDENTIALS 13% · PHISHING 13%
32%
AI IMPACT
Lower breach costs with AI + automation
DETAILS
SA ORGS USING SECURITY AI
▸ GLOBAL — IBM 2025 REPORT
$4.44M
9% YoY
Global average breach cost
DETAILS
FIRST DECLINE IN 5 YEARS
241days
9-YEAR LOW
Average breach lifecycle — detect + contain
DETAILS
76% TOOK 100+ DAYS TO FULLY RECOVER
53%
MOST STOLEN
Breaches that exposed customer PII
DETAILS
IP COSTLIEST AT $178/RECORD
63%
FROM 59%
Organisations that refused to pay ransom
DETAILS
EXTORTION BREACHES STILL COST $5.08M
14 YEARS #1
CRITICAL
Healthcare
Costliest sector — 14 consecutive years
$7.42M
AVG. BREACH COST
279 d
TIME TO CONTAIN

Detection takes 5+ weeks longer than any other sector. If you run a dental practice, clinic, or medical SME — you're in the crosshairs.

ASSESS YOUR PRACTICE
GLOBAL 2025
How Breaches Happen
Phishing
16%
Supply Chain
15%
DDoS
13%
Credentials
13%
Social Eng.
9%
Insider
7%
$1.9M saved · 80 days faster
ORGS USING AI + AUTOMATION EXTENSIVELY
600 ORGS STUDIED
17 INDUSTRIES
20th ANNUAL REPORT
SA INCLUDED PONEMON / IBM
2024–2025 DATA PERIOD

All figures: IBM / Ponemon Institute Cost of a Data Breach Report 2025. SA figures in ZAR. Global in USD. Full report: ibm.com/reports/data-breach

What We Do

Our Services

Manual, expert-led security testing that goes far beyond automated scanners. Every engagement is scoped precisely, executed methodically, and delivered with clarity. Click any service to open a full deep-dive.

SERVICE 01

Penetration Testing

We think like attackers, operate like operators, and report like executives.

Our penetration tests simulate real adversary techniques across web applications, internal networks, external perimeters, cloud infrastructure, and APIs. We don't run a scanner and call it a pentest — every finding is manually validated, chained, and contextualised for your business. You get proof of impact, not just a list of CVEs.

WHAT WE TEST
  • Web applications — OWASP Top 10 and beyond (auth bypass, IDOR, SSRF, XXE, race conditions)
  • External network — perimeter, internet-facing services, VPNs, firewalls, exposed admin panels
  • Internal network — lateral movement, privilege escalation, domain compromise, AD attacks
  • API security — REST, GraphQL, SOAP — authentication flaws, injection, mass assignment
  • Cloud misconfigurations — AWS, Azure, GCP IAM roles, storage buckets, exposed secrets
  • Social engineering & phishing simulation — targeted campaigns with metrics
KEY BENEFITS
Find what attackers find — before they do Manual, expert validation MITRE ATT&CK mapped Executive + dev reports Retest included
TOOLS & TECHNIQUES
Burp Suite ProMetasploitBloodHoundCobalt Strike TTPsImpacketResponderFFUFNuclei
⚠ REAL ATTACK SCENARIO

An attacker identifies a forgotten dev subdomain with a debug endpoint enabled. They use it to enumerate internal API routes, find a JWT with a static secret, forge admin tokens, and exfiltrate 40,000 patient records — all within 72 hours of initial access. This subdomain existed for 11 months before anyone noticed. We find these.

WHAT YOU RECEIVE

Executive Summary Report

Board-ready: risk posture, key findings, business impact

Full Technical Report

Every finding: proof-of-concept, CVSS, exploitability, fix instructions

Developer Remediation Guide

Step-by-step fix instructions, code-level examples where applicable

Live Debrief Session

Expert walkthrough of every critical finding with your team

Full Retest Included

We verify every fix is genuine — not just patched on paper

FULL SERVICE DETAILS REQUEST PENTEST
SERVICE 02

Vulnerability Assessment

A systematic, broad scan of your entire attack surface — every weakness catalogued and ranked.

Unlike a pentest, a vulnerability assessment is about breadth over depth — mapping every security weakness across your networks, servers, applications, and cloud services. Prioritised by real-world exploitability (not just CVSS), this is the foundation of a strong security programme and a prerequisite for most compliance frameworks.

SCOPE COVERAGE
  • Network devices: routers, firewalls, switches, WAPs
  • Servers: Windows, Linux, ESXi hypervisors, container hosts
  • Web applications and all public-facing services
  • Exposed cloud storage and misconfigured cloud services
  • Email security: SPF, DKIM, DMARC gaps and spoofing risk
  • Endpoint software inventory and unpatched CVEs
KEY BENEFITS
Full attack surface overview Early detection Better patch management Compliance foundation Cost-effective
TOOLS USED
Nessus ProOpenVASNmapNucleiShodanOWASP ZAP
⚠ REAL ATTACK SCENARIO

A critical unpatched vulnerability in a legacy VPN appliance sits undetected for 9 months. Automated threat actors exploit it to gain initial access, establish persistence, and quietly harvest credentials before triggering ransomware. A quarterly VA catches this before the window opens — estimated damage avoided: R12M+.

WHAT YOU RECEIVE

Comprehensive Scan Report

Full inventory of all identified vulnerabilities

Risk-Ranked Vulnerability List

CVSS scores with real-world business context applied

Expert Remediation Guidance

Prioritised next steps for every critical and high finding

REQUEST VULNERABILITY ASSESSMENT
SERVICE 03

Healthcare Risk Assessments

Tailored for dental practices, clinics, and medical SMEs protecting patient data.

Healthcare is the #1 most targeted industry for cyber attacks. Patient data is worth 10 to 50 times more than financial data on the dark web (Trustwave, Experian) — and the regulatory consequences of a breach are severe. We understand HIPAA, POPIA, and the specific threat landscape facing medical practices, telehealth platforms, EHR systems, and dental software.

WHAT WE ASSESS
  • EHR and practice management software security
  • Dental imaging systems (X-ray, CBCT) network exposure
  • Reception desk & booking system vulnerabilities
  • PHI storage: on-prem, cloud, and backups
  • Staff access controls and MFA compliance
  • HIPAA / POPIA gap analysis and remediation roadmap
KEY BENEFITS
Avoid POPIA/HIPAA fines Protect patient data Ransomware resilience Insurance readiness Certification roadmap
⚠ REAL ATTACK SCENARIO

A single phishing email compromises a receptionist account at a dental practice. The attacker pivots to the imaging server — which was on the same flat network — encrypts all patient X-rays, and demands a R500K ransom. Backups were on a network share accessible from the compromised account. Practice is down for 3 weeks. Total cost: R1.8M. We prevent this.

WHAT YOU RECEIVE

HIPAA/POPIA Gap Analysis

Control mapping, gaps identified, penalties quantified

Compliance Roadmap

Prioritised remediation plan with estimated effort and cost

Patient Data Protection Plan

Specific guidance for PHI security, backups, and access control

REQUEST HEALTHCARE ASSESSMENT

We also offer Security Audits & Compliance and Incident Response & Remediation — see the full picture on our services page.

VIEW ALL 5 SERVICES IN FULL DETAIL
How We Work

Our Methodology

A proven 4-phase process built around how real attackers operate. No spray-and-pray. No bloated CVE lists. Just clear, actionable intelligence that leads to genuine risk reduction.

01

Reconnaissance & Scoping

We map your full attack surface and build a threat model before touching a single system. Passive OSINT, DNS enumeration, certificate transparency, Shodan — the same starting point a real attacker uses. You approve scope. We begin.

OSINTDNS ReconShodanCert Transparency
PHASE 1
02

Controlled Exploitation

Ethical, targeted testing simulating real adversary behaviour. No automated spray-and-pray. Every attack vector is manually tested, chained, and validated by a human expert. We find what scanners miss — including logic flaws, misconfigurations, and business-layer vulnerabilities.

Manual TestingChain AttacksNo False Positives
PHASE 2
03

Executive-Level Reporting

Clear risk ratings, compliance impact, and business context — not just a CVE list. Every finding includes CVSS score, real-world exploitability rating, proof-of-concept evidence, and remediation instructions your developers can implement without a translator.

CVSS ScoringExec SummaryDev Guidance
PHASE 3
04

Remediation & Retest

We guide the fix, then verify it. Retesting is included in every engagement to confirm every vulnerability is genuinely closed — not just patched on paper. You receive a final certification report suitable for auditors, clients, and insurers. Close the loop, not just the ticket.

Retest IncludedCertification Report30-day Support
PHASE 4
READ THE FULL GREYHAT PROTOCOL
Who We Protect

Industries We Serve

Sector-specific threat knowledge. We know the regulations, the common attack paths, and the specific systems used in your industry — not generic security advice.

Dental Practices

POPIA-focused assessments for patient data, imaging systems, and practice management software.

Healthcare

Clinics, telehealth platforms, and EHR system security against the #1 targeted sector.

Legal & Professional

Protecting privileged client data, communications, and intellectual property for law firms and consultancies.

Finance & FinTech

PCI DSS compliance, card data protection, API security, and BEC fraud prevention.

SMEs & Startups

Right-sized security programmes — enterprise-grade protection without enterprise budgets.

Government & NGO

Critical infrastructure protection, POPIA compliance, and citizen data security for public sector entities.

Education

Protecting student data, research IP, and administrative systems for schools, colleges, and universities.

E-Commerce & Retail

Payment security, customer data protection, supply chain risk, and fraud prevention for online retailers.

Greyhat4Hire lead security consultant
Independent. Accountable. Effective.

Who Is Greyhat4Hire?

Not a faceless agency. One senior consultant — accountable directly to you, with no overhead and no juniors running your engagement. Every test is performed by the expert you hire.
Verified Expertise

Qualified. Independent. Accountable.

Industry-certified expertise — and all the advantages of working directly with the operator who runs your engagement, not a project manager who farms it out.

PenTest+
CompTIA
CERTIFIED
MITRE ATT&CK
Framework Practitioner
APPLIED
OWASP Top 10
Web App Security
APPLIED
POPIA
Compliance Testing
APPLIED

You hire the expert who does the work

No handoffs. No junior analysts running your engagement while the senior consultant is on the proposal. The person you speak to is the person running the tools.

Enterprise-grade methodology, SME-friendly pricing

Large firms charge for floors of overhead. We don't. You get the same manual, MITRE ATT&CK-mapped methodology at a fraction of the cost.

NDA from first contact — without the legal circus

Every engagement is covered by a mutual NDA before any information is shared. Confidentiality isn't a paid add-on — it's the default.

Reports written for humans, not scanners

No 400-page Nessus exports. Every finding is manually validated, contextualised for your business, and written so your team can actually fix it.

South Africa-first threat intelligence

We understand the local threat landscape — SAPS cyber division, SA-specific ransomware groups, POPIA enforcement priorities — not just global frameworks copy-pasted for local clients.

Retest included — every time

We don't report and disappear. A full retest of every finding is included in every engagement. We verify the fix is real, not just patched on paper for the auditors.

From The Blog

Threat Intelligence & Insights

Real attack breakdowns, threat advisories, and practical security guidance — written by the same consultant who runs your engagement.

PENTEST
CRITICAL 10 min read

We Hacked a Dental Practice in 11 Minutes — Here's Exactly How

USB hub at the patient's feet. Shared WiFi. Four PCs, one flat network. A pentester walks through every step — and every fix.

09 JAN 2026 READ
THREAT INTEL
HIGH 8 min read

LockBit 4.0: What South African Businesses Need to Know Right Now

The latest LockBit variant is actively targeting EMEA SMEs. Here's the TTPs and how to harden against them before you're next.

03 MAR 2026 READ
PHYSICAL
HIGH 12 min read

Hacker Gadgets Anyone Can Buy: What These Devices Do & Why You Should Be Worried

From Flipper Zero to the WiFi Pineapple — the tools used for physical penetration testing are openly available. Here's what they do.

22 DEC 2025 READ
VIEW ALL ARTICLES
In The Field

Real Assessments. Real Findings.

Not a demo environment. Not a synthetic scenario. These are actual findings from live client engagements — anonymised, verified, and representative of what we find in the wild.

VULNERABILITY ASSESSMENT · CASE STUDY
KZN Dental Practice — Internal Network Assessment
KwaZulu-Natal · SA REMEDIATED MAR 2026
4
CRITICAL
11
HIGH
29
MEDIUM
11
HOSTS
KEY FINDINGS
CRITICAL · CVSS 9.8
Edge router running SSH from 2012 — unauthenticated remote code execution as root, reachable from the internet.
CRITICAL · 3 ADDITIONAL
Web server on end-of-life PHP 7.3.9 — multiple unauthenticated RCE paths. Full server compromise, no credentials required.
HIGH · DNS ZONE TRANSFER
DNS misconfiguration allowed full zone transfer — leaking the complete internal network map to any external requester.
HIGH · WINDOWS HOSTS
SMB signing disabled, unquoted service paths, and non-expiring passwords across multiple workstations — lateral movement ready.
POPIA exposure: Patient PII — including ID numbers, medical aid details, and treatment histories — was accessible via two independent unauthenticated attack paths. Under Section 19, this posture did not meet the threshold of "appropriate, reasonable, technical measures." Remediation and a documented patch cycle were implemented within two weeks.
CLIENT TESTIMONIAL · ANONYMISED
We'd always assumed our network was reasonably secure — we had IT support, we updated things when we were prompted to. What the GreyHat4Hire assessment showed us was that assumption was costing us. There were vulnerabilities on our network that had been sitting there for years, including on devices we didn't even think of as security risks. The report was detailed but practical — we knew exactly what to fix first and why. As a practice that holds patient records, POPIA compliance isn't optional, and now we actually have evidence that we take it seriously.
Practice Owner
KZN Dental Practice · Anonymised on request
REQUEST YOUR ASSESSMENT
Common Questions

Before You Book

Everything prospects actually want to know — answered plainly, without the sales spin.

Yes. I hold the CompTIA PenTest+ certification — an industry-recognised, hands-on penetration testing qualification that covers planning, scoping, vulnerability assessment, exploitation, lateral movement, and reporting. Engagements follow the MITRE ATT&CK framework and OWASP methodology. I hold a current NDA-grade client confidentiality standard as standard practice. Continuing professional development is ongoing — the threat landscape doesn't pause, and neither does the training.
Not if scoped correctly — and correct scoping is our job. Before any testing begins we agree on explicit rules of engagement: which systems are in scope, what testing windows are allowed, what constitutes a stop condition, and what to do if something unexpected happens. For production environments we typically test during low-traffic windows and avoid techniques known to cause disruption. Anything genuinely high-risk is tested on staging first, or flagged with your team before execution.
A mutual NDA is signed before any sensitive information is shared — from the first discovery call. Your systems, architecture, findings, and business data are never shared with third parties. Test data is handled according to agreed retention policies: most engagements use encrypted handling and secure deletion after report delivery. You'll have this in writing before we start.
It depends on scope, but typical timelines look like this:
  • Vulnerability Assessment — 3 to 5 business days (scan + manual review + report)
  • Web Application Pentest — 5 to 10 business days depending on complexity
  • Internal Network Pentest — 5 to 10 business days on-site or remote
  • Healthcare / SME Risk Assessment — 2 to 4 days + report
  • Full retest — included, typically 1 to 2 days after remediation
We'll agree on a precise timeline during scoping. Rush engagements can sometimes be accommodated — ask.
Pricing is scoped per engagement — there's no one-size-fits-all rate because a single-page web app and a 50-machine internal network are very different jobs. That said, we're transparent: our full pricing guide is here, with indicative ranges for every service tier. A basic vulnerability assessment for a small practice starts significantly lower than big-firm quotes. The free consultation call is the right place to get an accurate number for your specific environment — no obligation, no sales pressure.
Large firms are the right choice for large enterprises needing a 12-person red team and a compliance paper trail. For SMEs, dental practices, clinics, and professional firms — they're often overkill, overpriced, and impersonal. With Greyhat4Hire you get:
  • The senior consultant doing the actual work — not a graduate analyst
  • Direct communication — no account manager layer
  • Faster turnaround — no internal queues and project handoffs
  • Reports written for your team — not templated boilerplate
  • Pricing that doesn't assume you have a corporate procurement budget
You're not paying for someone else's office lease.
Start with our free Risk Self-Assessment — it takes 90 seconds and gives you a breach exposure score across 12 critical controls. That score will tell you where your biggest gaps are and help frame the conversation. Then book a free consultation: we'll look at your environment, explain exactly what we'd test and what we'd expect to find, and recommend the right engagement type for your situation. No commitment required at that stage.

Still have a question not answered here?

Ask Us Directly
FREE SECURITY ARSENAL

31 Free Templates, Policies & Frameworks

IRPs, pentest checklists, POPIA compliance tools, NDAs, SOWs, and more — battle-tested by real security teams. No login required.

OPEN ARSENAL
Ready When You Are

Let's Find What
Attackers Would Find.

Confidential consultation. No commitment. We'll tell you exactly what we'd test and what we'd expect to find — before you spend a rand.

> threat.level=UNKNOWN  →  schedule.consultation()  →  threat.level=MANAGED

Request Consultation See Your Dossier First

We respond within 24 hours · All inquiries strictly confidential · Under NDA from first contact

INTEL