Professional penetration testing and security assurance.
Every plan includes a retest. No surprises. Just results.
once-off · automated scan, human-verified · know where you stand
once-off · manual pentest + retest · compliance-ready
per year · 4 assessments · continuous coverage
custom scope · red team · enterprise coverage
Typically R180k – R350k / yr
Add-ons are gated to the package that makes them meaningful. Select your base package — watch what unlocks.
Extended Burp Pro testing, full OWASP Top 10 coverage, business logic flaws, auth bypass attempts.
REST/GraphQL endpoint testing, authentication flaws, rate limiting, injection, BOLA/IDOR vulnerabilities.
WiFi security audit, rogue AP detection, WPA2/WPA3 testing, guest network isolation verification.
AWS/Azure/GCP configuration audit, IAM review, S3/blob exposure, security group analysis.
Custom phishing campaign targeting up to 50 employees with tracking, credential capture, and detailed report.
Voice/phone social engineering test. Pretexting calls to reception, IT helpdesk, or specified targets.
Adversary-in-the-middle (AitM) phishing simulation: a reverse-proxy lure that relays the real login flow, captures the credentials and the authenticated session token, and so defeats MFA methods that are not phishing-resistant (SMS/TOTP codes, push approvals). Tests whether your staff and your authentication controls can withstand the credential-and-session harvesting that standard link-click phishing tests don't catch.
2-hour interactive session for up to 20 staff. Covers phishing, passwords, social engineering, safe browsing.
1-hour board/C-suite presentation. Risk landscape, findings summary, strategic recommendations.
Gap analysis, documentation review, compliance roadmap, and Information Officer support guidance.
Backup restoration testing, RTO/RPO verification, ransomware resilience check.
12-month credential leak monitoring for your domain. Instant alerts when employee data appears.
Custom incident response plan, escalation procedures, communication templates, tabletop exercise.
Final pricing confirmed in written scope of work
Everything you get — no fine print surprises.
The average data breach costs a South African organisation R10 million+ in downtime, legal fees, regulatory fines, and reputational damage (IBM Cost of a Data Breach Report 2024). Our SHIELD pentest costs the same number — with three fewer zeroes.
And that's before you factor in dwell time: the same report puts the mean time to identify a breach at 194 days, with the attacker racking up costs in your network the entire time.
See how your estimated breach exposure stacks up against the cost of protecting yourself.
Our tests include passive and active reconnaissance, vulnerability scanning, manual exploitation attempts, privilege escalation testing, lateral movement simulation, and post-exploitation analysis. Every test concludes with a comprehensive report that maps findings to business risk — not just CVE IDs — with a clear remediation priority order.
A Single Assessment typically takes 2–3 weeks from signed scope to final report delivery. This includes the active testing window (usually 5–10 business days depending on scope), report writing, and an initial findings briefing. Timeline varies based on scope complexity. We confirm everything in writing before starting.
Yes — all reports are structured to support compliance requirements. We produce findings mapped to PCI DSS, SOC 2 Type II, ISO 27001, POPIA, and NIST CSF as required. For GUARDIAN and PHANTOM tiers, we include quarterly compliance posture updates and a compliance roadmap as part of the engagement.
The retest verifies that every vulnerability identified in the original assessment has been genuinely closed — not just documented as patched. We re-attempt exploitation of each finding to confirm it is no longer reachable, and perform regression testing around each fix to check that the change hasn't introduced new vulnerabilities. You receive a final retest attestation report suitable for auditors, board members, and insurers.
Always. We sign an NDA before any technical discussion, before receiving any documentation, and certainly before any active testing begins. Client confidentiality is foundational to how we operate — we have never disclosed a client name, finding, or engagement detail without explicit written permission.
Absolutely. These tiers are starting points — the real scope of every engagement is defined in a written Statement of Work agreed before anything begins. Whether you need a single API tested, a red team exercise, or a multi-phase engagement, we'll scope it accurately and quote it in writing. No scope creep, no surprise invoices.
Automated scanners find what they're programmed to find — usually the obvious stuff. They don't chain vulnerabilities together, they miss business logic flaws, they generate enormous false-positive noise, and they produce reports that mean nothing to a board or insurer. Real attackers are human. Our testers think like humans. A scanner has never found SQL injection hidden behind a custom authentication layer. We have.
From first contact to final report — here's exactly what happens, in order. No surprises, no upsells after you've signed.
Let's talk through your specific security needs. Free consultation — no commitment, no hard sell. We'll tell you honestly what you need and what you don't.
We respond within 24 hours · All inquiries strictly confidential · NDA from first contact