Penetration Testing
Network, web application, API, cloud, and AI/ML penetration testing from practitioners who have built kernel-level vulnerability scanners, published covert channel research, and trained production LLMs. Manual testing, not automated scan reports.
Our penetration testers have published vulnerability research, built tools that find exploitable buffer overflows in deployed Windows kernel drivers, created automated supply chain attack detection tools, and documented network covert channel techniques used by nation-state threat actors. When we test your systems, we bring that depth to every engagement.
Starting at $10K | 1-3 weeks typical
Services
External Network Penetration Testing
Assess your internet-facing attack surface: firewalls, VPNs, mail servers, DNS, and exposed services. Identifies misconfigurations, unpatched vulnerabilities, and exploitable entry points before attackers do.
1-2 weeks
Internal Network Penetration Testing
Simulate a compromised insider or breached perimeter. Active Directory attacks, lateral movement, privilege escalation, and segmentation testing. Maps the blast radius of a real intrusion.
1-2 weeks
Web Application Penetration Testing
Manual testing beyond OWASP Top 10: authentication bypass, authorization flaws, business logic abuse, session management, and injection attacks. White, gray, and black box approaches.
1-3 weeks
API Penetration Testing
REST, GraphQL, gRPC, and WebSocket API testing. Broken authentication, excessive data exposure, rate limiting, injection, and business logic flaws. Covers both public and internal APIs.
1-2 weeks
Cloud Infrastructure Testing
AWS, Azure, and GCP security assessments. IAM misconfigurations, storage exposure, network segmentation, serverless function vulnerabilities, and container escape testing.
1-3 weeks
Mobile Application Testing
iOS and Android application testing: local data storage, certificate pinning, API communication, binary protections, and runtime manipulation.
1-2 weeks
AI/ML Application Testing
Prompt injection, model extraction, training data leakage, adversarial input attacks, and API abuse scenarios. Tested by practitioners who have built and trained production LLMs.
1-3 weeks
Wireless & Physical
Wi-Fi security assessments, rogue access point detection, Bluetooth/BLE testing, and physical security reviews including badge cloning and tailgating.
1-2 weeks
Why us
Vulnerability researchers, not scan operators
Our team built an enhanced Windows kernel driver vulnerability scanner using symbolic execution and taint analysis that discovers critical buffer overflows with controllable program counters in widely deployed drivers. We find what automated tools miss because we build the tools that find what other tools miss.
AI applications tested by AI builders
Most pen test firms apply standard web app testing to AI applications. We have trained LLMs from scratch, published research on AI agent architectures, and built production agentic systems. We test prompt injection, model extraction, and adversarial attacks because we understand how these systems actually work.
Offensive depth across the stack
From kernel exploits and binary reverse engineering through network covert channels, web application logic, and cloud misconfigurations. Published technical references on DNS tunneling, ICMP covert channels, QUIC connection ID exfiltration, and protocol abuse techniques used by APT groups.
Why licens.io?
| Big 4 | licens.io | |
|---|---|---|
| Testers | Junior staff running automated scans | Published vulnerability researchers doing manual testing |
| Kernel & binary | Out of scope | Built driver vulnerability scanners, published malware detection research |
| AI applications | Generic web app test applied to AI | Built and trained LLMs; tests prompt injection, extraction, and adversarial attacks |
| Covert channels | Not assessed | Published reference on DNS, ICMP, QUIC, and protocol tunneling techniques |
| Research | Marketing whitepapers | 4,000+ citations, published in Science and Royal Society |
| Pricing | $75K-$300K+ | Fixed-fee $10K-$50K |
Testers
Big 4
Junior staff running automated scans
licens.io
Published vulnerability researchers doing manual testing
Kernel & binary
Big 4
Out of scope
licens.io
Built driver vulnerability scanners, published malware detection research
AI applications
Big 4
Generic web app test applied to AI
licens.io
Built and trained LLMs; tests prompt injection, extraction, and adversarial attacks
Covert channels
Big 4
Not assessed
licens.io
Published reference on DNS, ICMP, QUIC, and protocol tunneling techniques
Research
Big 4
Marketing whitepapers
licens.io
4,000+ citations, published in Science and Royal Society
Pricing
Big 4
$75K-$300K+
licens.io
Fixed-fee $10K-$50K
Who this is for
- ✓ B2B SaaS companies whose enterprise customers require annual penetration test reports
- ✓ Companies pursuing SOC 2 or ISO 27001 that need independent penetration testing to satisfy auditor requirements
- ✓ AI companies that need adversarial testing of their models, APIs, and pipelines
- ✓ PE/VC portfolio companies undergoing security assessments as part of due diligence
- ✓ Organizations after a security incident that need to understand what went wrong and validate remediation
- ✓ Companies with cloud-native infrastructure that need AWS, Azure, or GCP security assessments
Frequently asked questions
What is the difference between a penetration test and a vulnerability scan?
A vulnerability scan is automated software that checks for known weaknesses. A penetration test is a manual engagement where a human tester actively exploits vulnerabilities, chains findings together, and tests business logic flaws that scanners cannot detect. Most compliance frameworks require both.
Do I need internal and external penetration testing?
SOC 2 (CC7.1) and ISO 27001 (A.8.8) expect vulnerability assessment appropriate to your threat landscape, which in practice means both. External testing assesses what an internet attacker can reach. Internal testing simulates what happens after a phishing click or compromised VPN credential. Most enterprise buyers and auditors expect evidence of both.
How often should we get a penetration test?
Annually at minimum for compliance (SOC 2, ISO 27001, PCI DSS). After major releases, infrastructure changes, or M&A events. Many organizations move to quarterly or continuous testing as they mature.
Do you test AI applications differently than traditional web apps?
Yes. Standard web application tests miss AI-specific attack vectors: prompt injection, jailbreaking, model extraction, training data exfiltration, and adversarial inputs. Our team has built production LLMs and published research on AI agent architectures, so we test what matters.
What do we receive at the end of the engagement?
A detailed report with an executive summary, methodology, every finding with severity rating (CVSS), proof-of-concept evidence, and specific remediation guidance. We also include a retest window so you can verify your fixes.
Can penetration testing satisfy our SOC 2 or ISO 27001 requirements?
Yes. SOC 2 CC7.1 requires detection of vulnerabilities including through penetration testing. ISO 27001 A.8.8 requires technical vulnerability management. Our reports are formatted for auditor consumption and map findings to specific control objectives.
Related articles
The EU Cyber Resilience Act Enters Into Force: SBOM Mandates for All Digital Products
The EU Cyber Resilience Act is now in force, turning SBOMs, vulnerability reporting, and support-period planning into baseline product discipline.
Read moreThe CrowdStrike Outage: When Your Security Tool Becomes the Incident
A faulty CrowdStrike update is a reminder that vendor risk is not a footnote; it can become your outage, your grounding order, and your recovery plan.
Read moreThe xz-utils Backdoor: The Most Sophisticated Supply Chain Attack We've Ever Seen
A hidden backdoor in xz-utils shows how a patient supply chain attack can turn a routine dependency into a pre-authentication SSH risk.
Read moreFind out what's actually exposed
Fixed-fee penetration testing with manual expert testing, not automated scan reports. Reports formatted for your auditors, your board, and your engineering team.