Cipherbreak Labs runs client-authorized penetration tests, red team operations, and code reviews against your environment — under a signed scope and rules of engagement — then hands you a remediation roadmap your engineers can actually execute.
14 findings · 3 chained to domain admin✓ retest passed
OSCP·OSCE³·CISSP·CREST
310+ authorized engagements completed
0 client breaches post-remediation
100% written RoE before first packet
// capabilities
Every path an attacker would take. Taken first, with permission.
Fixed-scope, fixed-price engagements executed by senior testers — never outsourced, never automated-scan-and-ship. Every service ends with a prioritized report, a live debrief, and a free retest window.
External & Internal Network Pentest
Perimeter-to-crown-jewels testing of your network: exposed services, Active Directory attack paths, lateral movement, and privilege escalation — mapped to MITRE ATT&CK and scored with CVSS v4.
deliverable: attack-path map + remediation plan
Web App & API Pentest
Manual, authenticated testing against the OWASP Top 10 and beyond: broken access control, injection, SSRF, business-logic abuse, and multi-tenant isolation failures in modern SPAs and REST/GraphQL APIs.
deliverable: per-finding PoC + fix guidance
Cloud Security Review
Configuration and identity review across AWS, Azure, and GCP: IAM privilege sprawl, public storage, metadata-service abuse, CI/CD secrets exposure, and Kubernetes workload hardening.
Objective-based adversary emulation over weeks, not days: initial access, persistence, and exfiltration of an agreed trophy — quietly, so your detection and response gets a real exam. Purple team debriefs included.
deliverable: timeline of ops vs. your detections
Social Engineering Assessment
Authorized phishing, vishing, and physical-entry exercises with strict pretexting rules. We measure click-through, credential capture, and badge-tailgating — then train the humans, never shame them.
deliverable: campaign metrics + awareness plan
Compliance Readiness
Gap assessments and evidence-grade pentests for SOC 2, PCI DSS 4.0, HIPAA, ISO 27001, and NIST 800-53 — reports your auditors accept the first time, with control mappings baked in.
deliverable: auditor-ready attestation package
// anatomy of an engagement
Six phases. Zero surprises.
Every engagement follows the same disciplined kill chain — scoped in writing before a single packet is sent, and closed only when your retest comes back clean. Select a phase to inspect it.
$ phase 01/06 — scope_and_roe
Scope & Rules of Engagement
We define targets, exclusions, test windows, emergency contacts, and safe-harbor language in a signed Rules of Engagement. Nothing is touched until legal authorization is countersigned by your leadership.
// deliverable quality
The report is the product.
A finding you can't reproduce or fix is worthless. Here's a real entry format from a Cipherbreak report — client identifiers redacted under NDA.
SQL Injection in Invoice Export Endpoint → Full Tenant Data Access
AV:N / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:N
Impact
An authenticated low-privilege user could inject through the sort parameter of /api/v2/invoices/export, breaking tenant isolation and reading billing records, hashed credentials, and API keys for every tenant in the shared database. Chained with finding FND-047-004, this reached the production admin console.
Evidence (sanitized)
GET /api/v2/invoices/export?sort=id;SELECT+...--
HTTP/1.1 200 OK
rows_returned: 1,847,203 tenant_scope: * (all)
Remediation
Replace string-built ORDER BY with an allowlist of sortable columns; parameterize all remaining query fragments.
Enforce tenant scoping at the data layer (row-level security), not per-endpoint.
Rotate all tenant API keys issued before the fix date; invalidate active export tokens.
Add WAF rule as a stopgap only — do not treat it as the fix.
REMEDIATED · DAY 6RETEST: PASSED
0
validated findings surfaced
0
median time to first critical
0
retest pass rate after remediation
0
engagements under signed RoE
// philosophy
Why authorized offense works.
Defense tells you what should hold. Offense tells you what actually does. A scanner enumerates known CVEs; a senior operator chains a medium-severity misconfiguration into your payroll system — and then shows your team exactly how to sever the chain.
Everything we do is bounded by written authorization, safe-harbor terms, and responsible disclosure. When we find a zero-day in third-party software during your engagement, we coordinate disclosure with the vendor and keep you shielded the entire time. That discipline is why security teams invite us back.
SOC 2PCI DSS 4.0HIPAAISO 27001NIST 800-53CIS v8
Their red team lived in our network for three weeks and our SOC caught two of eleven techniques. Six months after the purple-team debrief we catch nine. The report paid for itself before the retest — I've never had a security spend this defensible in front of the board.
Mara VellinCTO, Ridgeline Health Systems (fictional)
// initiate
Scope your engagement.
Thirty minutes, an NDA, and a scoping worksheet. You'll leave with a fixed price, a test window, and a signed Rules of Engagement — no retainer, no upsell, no scan dressed up as a pentest.