Sandline — Risk Based Security

Penetration Testing

Targeted, scope-bounded testing of an application, network segment, cloud account or product: hands-on attack work that produces audit evidence and a fix plan.

How we work

Penetration testing is the most common engagement we run. We test web applications, mobile apps, internal and external network ranges, cloud accounts (AWS, Azure, GCP), Active Directory environments, and bespoke APIs. Every engagement is run by a senior engineer end-to-end — no junior subcontracting — and every finding is reproduced with a working proof-of-concept and a remediation recommendation that the engineering team can actually implement.

Outcomes

  • A reproducible inventory of vulnerabilities, scored by real business risk in your environment
  • Working proof-of-concept exploits for every issue, captured in a way that does not retain sensitive data
  • Clear remediation guidance per finding, including secure-coding examples where relevant
  • Audit evidence ready to hand to ISO, PCI, NIS2 or DORA assessors

Deliverables

  • Executive summary (1-2 pages, board-ready)
  • Technical report with full findings, CVSS, business-risk score, PoC and remediation
  • Retest report after fixes are deployed
  • Letter of attestation suitable for customer security questionnaires

Engagement Workspace · 90 days free

Included with this engagement: a Centraleyezer SaaS deployment for 90 days, in which you can generate reports on demand. At day 90 it either closes (your DOCX/PDF reports and attestation letter stay with you) or extends as a paid SaaS subscription if you want to keep using it.

Frequently asked

What gets tested in a Sandline pentest?

External and internal networks, web and mobile applications, REST and GraphQL APIs, AWS / Azure / GCP cloud accounts, Active Directory environments, and bespoke products. Scope is agreed upfront in writing; we do not silently expand mid-test.

Black-box, grey-box or white-box?

We default to grey-box: you give us minimal context (a low-privilege account, sometimes a network diagram) so the engagement spends its time on real findings rather than on reconnaissance you would otherwise be paying us to redo. Black-box and white-box are available on request.

How long does a pentest take?

A typical web-app pentest is 1–2 weeks; an external network range is 1 week; a full Active Directory engagement is 2–3 weeks. We share a precise estimate during scoping.

Do you provide an attestation letter?

Yes. The letter is suitable for customer security questionnaires and for ISO 27001, PCI-DSS, NIS2 and SOC 2 evidence. It states what was tested, when, by whom, with what methodology, and the outcome; it does not disclose the findings themselves.

Do you retest fixes?

Yes. A single retest is included in the base price. Additional retests (for example, iterative remediation cycles) are quoted as small fixed-price add-ons.

Book a 30-minute call

Tell us about the regulation you need to satisfy and the systems in scope. We will come back with a scoping note and a fixed-price proposal within three working days.
