Penetration testing, built around business impact.
Offensive security by OSCP-calibre testers, not scanner operators. Every engagement ends with a report your engineers can act on, your board can understand, and your regulator will accept — plus a 30-day retest included, because a finding you can’t remediate isn’t a finding.
A pen test that proves exploitability, not just presence.
Scanners find surface. We find chains. Every engagement is run by a human tester, chained to business impact, and handed off with a report your SOC can turn into detections.
Twelve services, three layers.
Foundational assessments cover the attack surface most organizations care about first. Advanced engagements extend into cloud, mobile, and adversary emulation. Strategic exercises validate your whole program.
Foundational Assessments
Attack surface
External Network Penetration Test
Internet-facing assets assessed the way an opportunistic attacker would — reconnaissance, enumeration, exploitation, chaining.
Internal Network Penetration Test
Assumed-access assessment from a rogue workstation or compromised credential. AD abuse, lateral movement, domain privilege escalation.
Web Application Pen Test
Authenticated and unauthenticated testing against OWASP ASVS. Logic flaws, auth bypass, IDOR, SSRF, and chained exploits.
API Penetration Test
REST, GraphQL, and gRPC endpoints assessed for broken object-level authorization, mass assignment, and business-logic abuse.
Wireless Penetration Test
WPA2/3 enterprise testing, rogue AP detection, guest-network segmentation validation, and 802.1X bypass attempts.
Advanced Engagements
Modern attack paths
Cloud Penetration Test
Azure, AWS, GCP, and Microsoft 365 tenant assessment. IAM abuse, misconfigurations, workload compromise, and lateral movement across services.
Mobile Application Pen Test
iOS and Android binary analysis, runtime instrumentation, cert-pinning bypass, and local-storage exposure testing.
Red Team Engagement
Goal-oriented adversary emulation. No scope — just an objective. Mapped to your threat model and TTPs from current intel.
Social Engineering
Phishing, vishing, and physical entry tests with ethical rules of engagement. Trains your people as much as it tests them.
Strategic Exercises
Program validation
Purple Team Exercise
Collaborative attack/defend with your SOC. We run TTPs, they hunt, gaps become backlog. Leaves behind detection rules, not just findings.
Assumed-Breach Simulation
We start inside as a compromised user. Your team measures how far we get, how fast, and whether anyone notices.
Offensive Security Program Advisory
vCISO-led guidance on pen-test cadence, threat modelling, remediation prioritization, and building an internal red team.
A pen-test report your engineers, your board, and your regulator all trust.
Scanner-generated PDFs don’t move the needle. Every engagement is delivered by certified, Canadian testers — with executive summaries for the board, detailed proofs-of-concept for engineers, and mapped control references for audit.
- Testers hold OSCP at minimum; senior staff hold OSEP, OSWE, and CRTO
- Findings map to MITRE ATT&CK, OWASP, and CIS — so your GRC team can cite them directly
- Every Critical/High finding includes a reproducible POC and validated remediation
- Findings flow into your SOC as detection opportunities — not just a PDF
Findings don’t just sit in a PDF. They become defence.
AlecTech is a full-stack MSP/MSSP. Every pen-test finding can be handed directly to the team running your SOC, managing your endpoints, or owning your compliance program — because that’s us, under the same contract. Remediation actually happens.
MDR & SOC
Findings become detection rules. TTPs observed in testing get hunted for in production.
Managed IT
Endpoint hardening, patch orchestration, and control remediation — executed by the same team.
GRC Advisory
Pen-test evidence mapped directly to SOC 2, ISO 27001, PCI, and CyberSecure Canada controls.
BreachGuard
If an exploit reveals exposed personal data, the Canadian-law privacy workflow spins up automatically.
From scope to signed report in four phases.
Every engagement runs the same disciplined playbook. No surprises on timeline, no surprises on deliverables, no surprises on scope changes.
- 01, Week 1: Scoping & Rules of Engagement. Asset inventory, threat model, objectives, blackout windows, escalation contacts. Signed ROE before any packet leaves.
- 02, Weeks 2–3: Active Testing. Reconnaissance, exploitation, lateral movement, privilege escalation. Daily stand-ups; critical findings disclosed within 24 hours.
- 03, Week 4: Reporting & Debrief. Executive summary, technical report, POC artifacts, CVSS scores, remediation guidance. Live walkthrough with your team.
- 04, 30 days: Remediation Retest. Fix the findings, we re-verify. Report updates to show closed items. Included in every engagement — never a separate SOW.
Every finding comes with: classification (Critical / High / Medium / Low / Info), CVSS v3.1 score, impact narrative, reproducible proof-of-concept, mapped controls (SOC 2, ISO 27001, NIST), and a prescribed remediation path your engineers can action without guessing.
Critical findings get a 24-hour verbal notification. You don’t wait for the final report to know there’s a fire.
Every report is delivered as both an engineer-grade PDF and a machine-readable JSON export — so your GRC platform, SOC, and ticketing system can ingest findings directly.
Three models. You pick the fit.
Whether you need a single assessment for a release, an annual program for compliance, or ongoing adversary emulation as a retained partner — there’s a path that matches where you are.
Project-Based Assessment
Fixed scope, fixed price, fixed deliverable. Ideal for point-in-time needs.
- External, internal, web, API, cloud, or mobile scope
- Signed SOW with defined methodology
- 30-day retest included
- Executive + technical + JSON deliverables
- Typical timeline: 3–4 weeks end-to-end
Annual Pen-Test Program
Quarterly or bi-annual assessments across your full attack surface, with trend tracking.
- Rotating scope: external, internal, web, cloud, social
- Year-over-year finding trends and control maturity scoring
- Regulator-ready evidence package annually
- Priority scheduling ahead of audits
- Dedicated account lead and testing pod
Red Team Retainer
Ongoing adversary emulation with quarterly campaigns. For mature security programs.
- Objective-based campaigns aligned to current threat intel
- Purple-team debriefs with your SOC
- Detection coverage scoring against MITRE ATT&CK
- Dedicated senior operator as campaign lead
- Tabletop exercises and executive debriefs
Regulated, high-value, or both.
Offensive security for sectors where a missed finding becomes a reportable incident — and we know the controls that apply.
Legal Firms
Matter-portal, e-discovery, and document-management testing. Client-privilege aware methodology; Law Society-ready findings.
Financial Services
OSFI B-13, PCI-DSS 11.3, and FINTRAC-aligned assessments. Regulator-ready evidence with signed methodology attestations.
Aerospace & Defense
CMMC, ITAR, and Controlled Goods-cleared testers. Segregated evidence handling and Canadian-only data residency.
Stop paying for scanner PDFs. Get a real test.
A 15-minute scoping call with a senior tester — not a sales rep. We’ll walk through what we’d actually look at, what a realistic timeline looks like, and whether an assessment is even the right spend right now.