Methodology
How we test,
from scope to proof
Good testing starts with a defined scope and a proven standard. Every engagement is manual-first, aligned to PTES, OWASP, and MITRE ATT&CK,
and applied consistently from scoping through reporting and retest.
Standards we align to
Grounded in recognized frameworks
We don’t improvise. Our process maps to the standards your auditors, customers, and engineers already trust.
PTES
Penetration Testing
Execution Standard
The seven-phase backbone of every engagement, from pre-engagement to reporting.
OWASP
Open Web Application
Security Project
Testing guides for web, API, and mobile — the Top 10 and the deeper WSTG/MASVS checks.
ATT&CK
MITRE ATT&CK
Adversary Knowledge Base
Real-world adversary tactics and techniques, so we test the way attackers actually operate.
CVSS
Common Vulnerability
Scoring System
Consistent, defensible scoring every finding is rated against, so fixes are prioritized by real risk.
The engagement
Seven phases, zero surprises
From first call to final retest, you always know where things stand and what comes next.
Getting started
Steps 01–03- 01
Discovery & scoping call
30–45 minWe learn your environment, drivers, and constraints, then define exactly what is in and out of scope: targets, testing windows, rules of engagement, and success criteria, in writing.
- 02
Fixed proposal
Same dayYou receive a clear, fixed-scope proposal with timeline and cost. No hourly surprises, no vague deliverables.
- 03
Platform onboarding
Before testingYour engagement goes live in the Invadel platform: follow findings in real time and track remediation and retests.
Explore the platform
Testing & delivery
Steps 04–06- 04
Execution
1–3 weeksCertified testers run the engagement to PTES and OWASP standards, with agreed communication checkpoints and immediate escalation of anything critical.
- 05
Reporting
2 days after testingAn executive summary plus technical findings with reproduction steps, CVSS ratings, and remediation guidance.
- 06
Retest
IncludedAfter you remediate, we verify the fixes with a complimentary retest so you can prove the risk is actually closed.
07 · Final deliverable
Final report & attestation letter
On completionOnce your retest clears, we issue the closing deliverables you can share with customers, partners, and auditors.
Updated final report
Reflecting your remediated findings
Attestation letter
Shareable proof of testing
How we rate risk
Every finding scored on CVSS
Severity isn’t a gut call. Each finding is rated against the Common Vulnerability Scoring System
so your team can fix what matters most, first.
Immediate, unauthenticated path to sensitive data or full compromise.
Serious exposure that a motivated attacker could exploit with modest effort.
Meaningful risk, often requiring specific conditions or chaining to exploit.
Limited impact or hard-to-reach issues worth fixing as hygiene.
Every report pairs these ratings with reproduction steps, evidence, and prioritized remediation.
See a sample reportLet’s define your scope.
A 30-minute call is usually enough to shape a first proposal.