FAQs

Clear Answers From People Who Actually Do the Work

Everything you need to know about our services — organized by offering so you can find exactly what you're looking for.

Questions about our CREST-accredited penetration testing methodology, reporting, retesting, and more.

Methodology & Scope

Realistic testing that reflects your actual risk.
How do you define and tailor scope for each engagement?
We start with a scoping call — not a form. We work with you to define what matters, what's in scope, and what isn't. That includes URLs, IP ranges, domains, credentials (if applicable), and any constraints we need to respect. No assumptions, no surprises.
Which methodologies do you follow?
Our work is grounded in the Penetration Testing Execution Standard (PTES). For web and SaaS testing, we also use the OWASP Testing Guide (OTG v4.2) to ensure thorough coverage where it matters most. Methodology gives structure — experience determines how it's applied.
Do you test for chained exploits and real attack paths?
Yes. Individual findings are only the starting point. Once we identify vulnerabilities, we look at how they can be chained together to escalate privileges, move laterally, or achieve real impact. That's how real attackers operate — and that's how we test.
How do you avoid "checklist" testing?
Checklists don't break into systems — people do. We combine automated tooling with hands-on manual testing and attacker-led exploration. Findings are scored using CVSS 3.1, but prioritization also considers exploitability, complexity, and real business impact — not just a number.

Tester Qualifications & Team

You know exactly who's doing the work.
Are your testers employees or subcontractors?
All testing is performed by full-time EliteSec employees. No outsourcing. No hand-offs. No mystery testers.
What certifications do your senior testers hold?
John holds OSCP, CISSP, CISM, and OSWP certifications, backed by decades of hands-on experience. Certifications matter — but they don't replace real-world judgment.
How do you keep skills current?
We maintain a formal training program and continuous skills development throughout the year. This includes hands-on labs and platforms like PortSwigger Academy, Hack The Box, and TryHackMe, alongside real-world research and testing.

Accreditation & Credibility

Substance over badges.
Are you CREST accredited?
Yes. EliteSec is fully CREST accredited for penetration testing.
What does CREST accreditation actually require?
CREST reviews how we operate — not just what we claim. That includes tester competency, documented processes, report quality, contracts, policies, and insurance coverage. It's about reducing risk for our clients, not ticking a box.
Can you provide references?
Absolutely. Reach out and we'll connect you.

Realism & Threat Modelling

Tests that reflect real attackers.
Do you perform threat modeling before testing?
Yes. Threat modeling is a core part of our PTES-based approach and informs how we prioritize and test throughout the engagement.
Can you simulate specific threat actors or campaigns?
Yes — when there's a clear objective. If you're concerned about a particular actor, technique, or scenario, we'll confirm feasibility during scoping and tailor the test accordingly.
Do you test lateral movement, privilege escalation, and persistence?
Yes. Where scope allows, we test all three. We also ensure everything is cleaned up at the end of the engagement so nothing is left behind that could be abused later.
How do you prioritize findings?
We use CVSS 3.1 as a baseline, then layer in exploitability, attack complexity, and business impact — including customer and operational risk. The result is prioritization you can actually act on.

Reporting & Deliverables

Reports people actually use.
Can we see a sample report?
Yes. You can request sanitized sample reports directly from our website.
How technical are your reports?
We provide two versions of our reports by default:

A client-facing report with full technical detail, reproduction steps, screenshots, and remediation guidance.
A public, shareable summary suitable for leadership or external stakeholders, without sensitive detail.
Do you provide usable remediation guidance?
Yes. Every finding includes clear remediation recommendations and references engineers can follow without guesswork.
Do you support walkthroughs or replays?
Yes. Our technical reports include step-by-step reproduction details, and we're available after the engagement to walk teams through findings and answer questions.

Retesting & Validation

Fixes that actually fix the problem.
Is retesting included?
Yes. Every engagement includes five free retests over 12 months. We want our clients to be able to prioritize fixes based on severity and schedule availability, without financial penalty. The goal is to improve your security, not to penalize you for issues discovered.
How quickly can you validate fixes?
Most retests are completed within 2–3 business days once scheduled, with updated reports available within 5 business days.
Do you confirm exploitability is eliminated?
Yes. Retesting verifies that vulnerabilities are no longer exploitable — not just that a configuration changed.

Ethics, Safety & Legal

No operational surprises.
How do you prevent production outages?
We use non-destructive payloads, current tooling, and agreed testing windows. Outages are rare, but if something happens, we stop immediately and escalate using the emergency contact defined during scoping. Many clients also choose to test in production-equivalent non-prod environments.
What is your incident escalation process?
Testing halts immediately. We contact the emergency point of contact, explain what occurred, and resume only once the issue is resolved.
Are you insured?
Yes. EliteSec carries full professional liability and E&O coverage.
How do you handle sensitive data?
Each engagement is isolated and secured with multiple layers of authentication. Sensitive data is only retained where necessary for documentation, is obfuscated, and is removed once no longer required.

Partnership & Maturity

Long-term improvement, not one-off tests.
How do you help organizations mature over time?
We focus on clarity and follow-through. Our reports explain not just what we found, but why it matters and what to do next. The included retests remove financial friction so teams can improve without rushing.
Do you track trends across engagements?
Yes. If we see recurring issues or patterns, we raise them and help clients address root causes — not just symptoms.
Can you advise on security roadmaps?
Yes. Reports include both tactical fixes and longer-term strategic recommendations.

Commercial & Transparency

No surprises.
What drives pricing?
Pricing is based on time and complexity, typically structured as 1-, 2-, or 3-week engagements. Scope is confirmed during a scoping call so pricing is clear upfront.
What is explicitly out of scope?
By default, we exclude:

Denial-of-service attacks.
Known destructive activity.
Social engineering of employees or families.
Excessive data exfiltration.
Storage or removal of highly sensitive data (PCI, PHI, etc.).

Any additional exclusions are agreed on during scoping.
How do you handle scope changes mid-engagement?
Scope changes require written approval from both parties and may affect timelines or cost.
Are exploit attempts time-boxed?
Yes. All testing is time-boxed to the agreed schedule and can be limited to specific operating hours if required.

Learn more about our penetration testing service


Questions about our gamified tabletop exercises — what they are, who should participate, and what to expect.

Understanding Tabletop Exercises

What they are and how they work.
What is a tabletop exercise?
A tabletop exercise is a structured, discussion-based simulation of an incident — such as a ransomware attack, an office outage caused by a natural disaster, or a data breach. Leadership and operational teams walk through a realistic scenario to evaluate decision-making, communication, escalation paths, and incident response readiness.

It is not a technical penetration test — it evaluates people, process, and governance, not just controls.
What is a gamified tabletop exercise?
A traditional tabletop exercise normally follows the pattern of: face a situation, make a decision, assume the decision works, and move on to the next decision. Unfortunately, in a live incident, that assumption isn't always true — not all decisions made during an incident are correct. We call this pattern "following the happy path."

At EliteSec, we developed gamified tabletop exercises to combat this. For certain decisions we introduce dice rolling to determine whether they succeed or not, adding a sense of randomness that mirrors the unpredictability of real incidents.

We're so confident in this approach that our CEO even wrote the book on gamified tabletop exercises.
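To make the mechanic concrete, here is a small Python engine for the decide-then-roll loop described above, kept replayable with a fixed seed so the resulting decision log can be reproduced in the debrief. This is an added illustration, not EliteSec's own tooling or the mechanics from the book; the d20 die, the success targets and the ransomware scenario are assumptions constructed for the example.

```python
import random
from dataclasses import dataclass, field

@dataclass
class Decision:
    situation: str        # the inject the team is reacting to
    action: str           # what the team decided to do
    success_target: int   # d20 result needed for the action to work (assumed mechanic)
    if_success: str       # follow-on inject when the decision works
    if_failure: str       # follow-on inject when it does not

@dataclass
class Exercise:
    seed: int                                # fixed seed makes a session replayable
    log: list = field(default_factory=list)  # the decision log delivered afterwards

    def __post_init__(self):
        self._rng = random.Random(self.seed)

    def resolve(self, d: Decision, happy_path: bool = False) -> str:
        # A traditional tabletop assumes every decision works (the "happy path");
        # the gamified variant rolls a die, so some decisions fail and the
        # scenario branches into the failure inject instead.
        roll = 20 if happy_path else self._rng.randint(1, 20)
        ok = roll >= d.success_target
        result = d.if_success if ok else d.if_failure
        self.log.append({"situation": d.situation, "action": d.action, "roll": roll,
                         "target": d.success_target, "success": ok, "result": result})
        return result

# Constructed ransomware scenario; the targets are illustrative only.
SCENARIO = [
    Decision("Ransom note appears on file servers", "Isolate the affected VLAN", 6,
             "Spread contained to one site", "Encryption reaches a second site"),
    Decision("Executives ask for a recovery timeline", "Restore from last night's backups", 12,
             "Critical systems back within 24h", "Backups also encrypted; DR plan invoked"),
    Decision("Media is calling", "Release the pre-approved holding statement", 4,
             "Coverage stays factual", "Speculative story runs before the statement"),
]

def run(seed: int, happy_path: bool = False) -> list:
    """Play the scenario once and return the decision log."""
    ex = Exercise(seed)
    for d in SCENARIO:
        ex.resolve(d, happy_path)
    return ex.log

def failures(log: list) -> int:
    # Number of decisions that did not work, i.e. departures from the happy path.
    return sum(1 for entry in log if not entry["success"])
```

Running `run(seed)` with a different seed gives a different branch of the same scenario, which is the point: the team rehearses what happens when a decision does not land.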
How is a tabletop exercise different from a penetration test?
A penetration test attempts to exploit technical vulnerabilities. A tabletop exercise simulates how your organization responds after an incident is discovered — focusing on:

Executive decision-making — who decides what, and when.
Legal and regulatory considerations — notification obligations, evidence handling.
Communications strategy — internal and external messaging.
Business continuity — keeping critical operations running.
Third-party coordination — insurers, law enforcement, vendors.

Think of it as testing your incident response muscle memory rather than your firewall.

Planning & Participation

Who should be involved and how to prepare.
Who should participate?
Typically:

CISO / Security leadership
CIO / IT leadership
Legal counsel
Communications / PR
HR (if insider scenarios are tested)
Risk / Compliance
Executive leadership (CEO/COO/CFO)

Board participation is highly recommended for mature programs.
What scenarios are commonly tested?
Common scenarios include:

Ransomware attack
Business email compromise (BEC)
Cloud data exposure
Insider threat
Third-party supply chain compromise
Regulatory investigation following a breach

Many exercises incorporate adversary behaviors aligned to the MITRE ATT&CK framework for realism.
How long does a tabletop exercise take?
A tabletop exercise typically takes approximately half a day (4 hours) to complete, though this varies with the complexity of the chosen scenario. Preparation, which covers designing and developing the exercise itself, typically takes 4 weeks before the session.
How often should we conduct one?
Best practice:

Annually at minimum.
Semi-annually for regulated industries.
After major organizational changes — M&A, cloud migration, new leadership.

Many compliance frameworks (e.g., NIST guidance and ISO 27001) recommend regular testing of incident response plans.

Readiness & Compliance

Prerequisites and regulatory considerations.
Is this required for compliance?
While not always explicitly required, tabletop exercises are often expected as evidence of:

Incident response plan testing
Board-level cyber oversight
Operational resilience

They are commonly used to support SOC 2, ISO 27001, PCI-DSS, and regulatory audit readiness.
Do we need a mature incident response (IR) plan first?
No — but if one exists, the exercise will validate it. If you do not have a documented IR plan, the exercise often reveals gaps that become the foundation for building one.
Will this disrupt business operations?
No. Tabletop exercises are discussion-based simulations and do not affect production systems.

Exercise Mechanics & Deliverables

How the exercise runs and what you receive.
What are "injects"?
Injects are new pieces of information introduced during the exercise — for example, "media is calling," "ransom note appears," or "customer data confirmed exfiltrated" — to simulate real-world escalation and force decision-making under pressure.
What deliverables should we expect?
A well-run tabletop should provide:

Executive summary
Observations and gap analysis
Decision log
Maturity assessment
Materials used during the tabletop exercise, including notes, decision maps, etc.

How do we measure success?
Success is not "winning" the scenario. Success is:

Identifying gaps in your response capabilities.
Improving coordination across teams and leadership.
Clarifying decision rights — who owns what during an incident.
Reducing response ambiguity so teams act faster.
Strengthening executive confidence in crisis management.

Learn more about our gamified tabletop exercises service


Still Have Questions?

Book a no-obligation discussion. We'll walk through your environment, answer your questions, and outline exactly what an engagement looks like.
