FAQs

Clear Answers From People Who Actually Do the Work

Everything you need to know about how we test, who does the work, what you'll receive, and how we operate.

Realistic testing that reflects your actual risk.

Methodology & Scope

How do you define and tailor scope for each engagement?
We start with a scoping call — not a form. We work with you to define what matters, what's in scope, and what isn't. That includes URLs, IP ranges, domains, credentials (if applicable), and any constraints we need to respect. No assumptions, no surprises.
Which methodologies do you follow?
Our work is grounded in the Penetration Testing Execution Standard (PTES). For web and SaaS testing, we also use the OWASP Testing Guide (OTG v4.2) to ensure thorough coverage where it matters most. Methodology gives structure — experience determines how it's applied.
Do you test for chained exploits and real attack paths?
Yes. Individual findings are only the starting point. Once we identify vulnerabilities, we look at how they can be chained together to escalate privileges, move laterally, or achieve real impact. That's how real attackers operate — and that's how we test.
How do you avoid "checklist" testing?
Checklists don't break into systems — people do. We combine automated tooling with hands-on manual testing and attacker-led exploration. Findings are scored using CVSS 3.1, but prioritization also considers exploitability, complexity, and real business impact — not just a number.

You know exactly who's doing the work.

Tester Qualifications & Team

Are your testers employees or subcontractors?
All testing is performed by full-time EliteSec employees. No outsourcing. No hand-offs. No mystery testers.
What certifications do your senior testers hold?
John holds OSCP, CISSP, CISM, and OSWP certifications, backed by decades of hands-on experience. Certifications matter — but they don't replace real-world judgment.
How do you keep skills current?
We maintain a formal training program and continuous skills development throughout the year. This includes hands-on labs and platforms like PortSwigger Academy, Hack The Box, and TryHackMe, alongside real-world research and testing.

Substance over badges.

Accreditation & Credibility

Are you CREST accredited?
Yes. EliteSec is fully CREST accredited for penetration testing.
What does CREST accreditation actually require?
CREST reviews how we operate — not just what we claim. That includes tester competency, documented processes, report quality, contracts, policies, and insurance coverage. It's about reducing risk for our clients, not ticking a box.
Can you provide references?
Absolutely. Reach out and we'll connect you.

Tests that reflect real attackers.

Realism & Threat Modelling

Do you perform threat modeling before testing?
Yes. Threat modeling is a core part of our PTES-based approach and informs how we prioritize and test throughout the engagement.
Can you simulate specific threat actors or campaigns?
Yes — when there's a clear objective. If you're concerned about a particular actor, technique, or scenario, we'll confirm feasibility during scoping and tailor the test accordingly.
Do you test lateral movement, privilege escalation, and persistence?
Yes. Where scope allows, we test all three. We also ensure everything is cleaned up at the end of the engagement so nothing is left behind that could be abused later.
How do you prioritize findings?
We use CVSS 3.1 as a baseline, then layer in exploitability, attack complexity, and business impact — including customer and operational risk. The result is prioritization you can actually act on.

Reports people actually use.

Reporting & Deliverables

Can we see a sample report?
Yes. You can request sanitized sample reports directly from our website.
How technical are your reports?
We provide two versions of our reports by default. The first is a client-facing report with full technical detail, reproduction steps, screenshots, and remediation guidance. The second is a public, shareable summary suitable for leadership or external stakeholders, with sensitive detail removed.
Do you provide usable remediation guidance?
Yes. Every finding includes clear remediation recommendations and references engineers can follow without guesswork.
Do you support walkthroughs or replays?
Yes. Our technical reports include step-by-step reproduction details, and we're available after the engagement to walk teams through findings and answer questions.

Fixes that actually fix the problem.

Retesting & Validation

Is retesting included?
Yes. Every engagement includes five free retests over 12 months. We want clients to be able to prioritize fixes based on severity and schedule availability, without financial penalty. The focus is on improving your security, not punishing you for any issues discovered.
How quickly can you validate fixes?
Most retests are completed within 2–3 business days once scheduled, with updated reports available within 5 business days.
Do you confirm exploitability is eliminated?
Yes. Retesting verifies that vulnerabilities are no longer exploitable — not just that a configuration changed.

No operational surprises.

Ethics, Safety & Legal

How do you prevent production outages?
We use non-destructive payloads, current tooling, and agreed testing windows. Outages are rare, but if something happens, we stop immediately and escalate using the emergency contact defined during scoping. Many clients also choose to test in production-equivalent non-prod environments.
What is your incident escalation process?
Testing halts immediately. We contact the emergency point of contact, explain what occurred, and resume only once the issue is resolved.
Are you insured?
Yes. EliteSec carries full professional liability and E&O coverage.
How do you handle sensitive data?
Each engagement is isolated and secured with multiple layers of authentication. Sensitive data is only retained where necessary for documentation, is obfuscated, and is removed once no longer required.

Long-term improvement, not one-off tests.

Partnership & Maturity

How do you help organizations mature over time?
We focus on clarity and follow-through. Our reports explain not just what we found, but why it matters and what to do next. The included retests remove financial friction so teams can improve without rushing.
Do you track trends across engagements?
Yes. If we see recurring issues or patterns, we raise them and help clients address root causes — not just symptoms.
Can you advise on security roadmaps?
Yes. Reports include both tactical fixes and longer-term strategic recommendations.

No surprises.

Commercial & Transparency

What drives pricing?
Pricing is based on time and complexity, typically structured as 1-, 2-, or 3-week engagements. Scope is confirmed during a scoping call so pricing is clear upfront.
What is explicitly out of scope?
By default, we exclude denial-of-service attacks, known destructive activity, social engineering of employees or their families, excessive data exfiltration, and storage or removal of highly sensitive data (PCI, PHI, etc.). Any additional exclusions are agreed on during scoping.
How do you handle scope changes mid-engagement?
Scope changes require written approval from both parties and may affect timelines or cost.
Are exploit attempts time-boxed?
Yes. All testing is time-boxed to the agreed schedule and can be limited to specific operating hours if required.

Still Have Questions?

Book a no-obligation discussion. We'll walk through your environment, answer your questions, and outline exactly what an engagement looks like.