Skip to content

Methodology

How we test, from scope to proof

Good testing starts with a defined scope and a proven standard. Every engagement is manual-first, aligned to PTES, OWASP, and MITRE ATT&CK, and applied consistently from scoping through reporting and retest.

Standards we align to

Grounded in recognized frameworks

We don’t improvise. Our process maps to the standards your auditors, customers, and engineers already trust.

PTES

Penetration Testing
Execution Standard

The seven-phase backbone of every engagement, from pre-engagement to reporting.

OWASP

Open Web Application
Security Project

Testing guides for web, API, and mobile — the Top 10 and the deeper WSTG/MASVS checks.

ATT&CK

MITRE ATT&CK
Adversary Knowledge Base

Real-world adversary tactics and techniques, so we test the way attackers actually operate.

CVSS

Common Vulnerability
Scoring System

Consistent, defensible scoring every finding is rated against, so fixes are prioritized by real risk.

The engagement

Seven phases, zero surprises

From first call to final retest, you always know where things stand and what comes next.

Getting started

Steps 01–03
  1. 01

    Discovery & scoping call

    30–45 min

    We learn your environment, drivers, and constraints, then define exactly what is in and out of scope: targets, testing windows, rules of engagement, and success criteria, in writing.

  2. 02

    Fixed proposal

    Same day

    You receive a clear, fixed-scope proposal with timeline and cost. No hourly surprises, no vague deliverables.

  3. 03

    Platform onboarding

    Before testing

    Your engagement goes live in the Invadel platform: follow findings in real time and track remediation and retests.

    Explore the platform

Testing & delivery

Steps 04–06
  1. 04

    Execution

    1–3 weeks

    Certified testers run the engagement to PTES and OWASP standards, with agreed communication checkpoints and immediate escalation of anything critical.

  2. 05

    Reporting

    2 days after testing

    An executive summary plus technical findings with reproduction steps, CVSS ratings, and remediation guidance.

  3. 06

    Retest

    Included

    After you remediate, we verify the fixes with a complimentary retest so you can prove the risk is actually closed.

07 · Final deliverable

Final report & attestation letter

On completion

Once your retest clears, we issue the closing deliverables you can share with customers, partners, and auditors.

Updated final report

Reflecting your remediated findings

Attestation letter

Shareable proof of testing

How we rate risk

Every finding scored on CVSS

Severity isn’t a gut call. Each finding is rated against the Common Vulnerability Scoring System so your team can fix what matters most, first.

Critical
9.0 – 10.0

Immediate, unauthenticated path to sensitive data or full compromise.

High
7.0 – 8.9

Serious exposure that a motivated attacker could exploit with modest effort.

Medium
4.0 – 6.9

Meaningful risk, often requiring specific conditions or chaining to exploit.

Low
0.1 – 3.9

Limited impact or hard-to-reach issues worth fixing as hygiene.

Every report pairs these ratings with reproduction steps, evidence, and prioritized remediation.

See a sample report

Let’s define your scope.

A 30-minute call is usually enough to shape a first proposal.

Book a scope call