StaatseSEC.OPS
Contact us
Our services

A complete offensive security capability - on call.

From a one-off application test to a continuous, embedded security partnership - choose the engagement model that fits the risk you're managing today.

Scope an engagement Browse services
Our approach

Four principles that hold across every engagement.

01
Principle 01
Manual-first testing

Tools chart the surface; humans find the exploits that matter.

Every finding manually verified
02
Principle 02
Business-context scoring

Findings ranked by what they cost you, not just CVSS.

Exploitability × impact
03
Principle 03
Fixed scope, fixed price

No mid-engagement surprises. Ever.

Signed before kickoff
04
Principle 04
Developer-friendly handoff

Fixes written for the engineers shipping them - reproductions, owners, acceptance criteria.

Jira / Linear ready
Service catalogue

Six services, six clearly-defined outcomes.

SVC-01

Network Penetration Testing

Identify exploitable vulnerabilities across internal and external network environments - before adversaries do.

  • External & internal perimeter assessment
  • Network compliance review & hardening
  • Lateral-movement and privilege-escalation mapping
Black boxGray boxWhite box
Typical · 2–4 weeks Read more
SVC-02

Web Application Security

OWASP-aligned testing of business logic, authentication flows, authorization boundaries and API surfaces.

  • OWASP ASVS / WSTG coverage
  • Business-logic and IDOR testing
  • API security (REST, GraphQL)
SaaSFinTechHealthcare
Typical · 1–3 weeks Read more
SVC-03

Mobile App Penetration Testing

iOS and Android application assessments covering binary, transport security and platform misuse.

  • MASVS / MASTG aligned
  • Runtime instrumentation & reverse engineering
  • Backend API and SDK testing
iOSAndroidHybrid
Typical · 2 weeks Read more
SVC-04

Cloud Penetration Testing

AWS, Azure and GCP environment audits - IAM, networking, workloads and CI/CD pipelines.

  • IAM and privilege boundary review
  • Misconfiguration & exposure analysis
  • Kubernetes & container security
AWSAzureGCPK8s
Typical · 2–3 weeks Read more
SVC-05

CIS Benchmark Assessment

Configuration hardening reviews against the latest CIS benchmarks - OS, cloud and container baselines.

  • OS, database and container baselines
  • Cloud Foundations Benchmark coverage
  • Remediation playbooks per control
LinuxWindowsK8sCloud
Typical · 2 weeks Read more
SVC-06

Managed Security Services

Continuous monitoring, vulnerability management and on-call response - an extension of your security team.

  • Continuous vulnerability management
  • 24/7 monitoring & alert triage
  • Quarterly assessment & advisory
Retainer24/7SLA-backed
Ongoing · 12-mo commit Read more
Pick the right engagement

Three ways to work with us.

From a single targeted assessment to a continuous security partnership - choose the model that matches the risk you're managing today.

Tier · 01

One-off Assessment

A defined, fixed-scope engagement against a single environment or application.

Best when you have a deadline - a release, an audit, an investor diligence cycle - and need a thorough, defensible assessment delivered on time.
  • Manual testing depth - every finding verified
  • Executive & technical reports
  • Engineering debrief session
  • Audit-ready attestation letter
Duration2–4 weeks
CadenceOne-time
Scope an assessment
Tier · 02 Most chosen

Quarterly Programme

A rolling testing programme that keeps assurance current as your environment changes.

Best when your environment ships regularly, you serve regulated customers, or you need continuous audit evidence - without standing up an in-house red team.
  • Four assessments per year on rotation
  • Quarterly executive review
  • Named senior consultant on your account
  • Rolling remediation tracker
Duration12 months
CadenceQuarterly
Start a programme
Tier · 03

Managed Security

An embedded security capability - testing, advisory, and on-call response together.

Best when you don't have an in-house security team (or you want to multiply the one you do) - and need continuous monitoring plus a consultant on speed-dial.
  • Continuous vulnerability management
  • Quarterly assessments included
  • On-call security advisory
  • Incident response retainer
Duration12-mo commit
CadenceAlways-on
Talk to us

Not sure which tier fits? A 30-minute scoping call is enough to figure it out - no commitment.

Not sure where to start?

We'll help you scope it.

A 30-minute call is enough to map your environment to the right engagement - no commitment, no pressure.