Find out how an attacker would break in — before one does.
Senior-led penetration testing built on Fortune 500 offensive tradecraft. We attack your environment the way a real adversary would, then hand you a report you can actually fix. External, internal, web app, cloud, and social engineering — scoped to your business, priced for the mid-market.
Why a real pen test, not just a scan
A vulnerability scanner gives you a list of CVEs. A real penetration test tells you which of those CVEs an attacker can actually chain to reach the data that matters — and which ones look scary in a report but cannot be exploited in your environment. Scanners do not know your business. They do not know that one of those "medium" findings sits one hop away from the file share that holds every customer contract.
The companies that struggle the most after a breach are the ones who had scan reports but never tested the path. Our engagements simulate a determined attacker with a defined budget of time, and we tell you exactly how far they can get — and exactly what to fix first to stop them.
Signs you need this
- A customer, auditor, or insurer is asking for a recent third-party penetration test report
- You are pursuing SOC 2, HIPAA, PCI-DSS, ISO 27001, or CMMC and need annual independent testing
- You launched a new web application, cloud workload, or product without a security review
- You migrated to AWS, Azure, or GCP and are not sure your IAM and network controls hold up
- Your last test was more than 12 months ago, or it was a scan dressed up as a pen test
- You want to test whether your EDR, SIEM, or SOC actually catches a real attack
The tests we run
Six engagement types, each scoped to answer a different question about your security posture. We help you pick the right combination during the scoping call — most clients start with one or two and expand as they see value. Every engagement includes a kickoff, daily comms during active testing, a written report, an executive readout, and a free retest of any critical or high findings.
External network penetration test
Tests everything an attacker can reach from the internet — your perimeter, exposed services, mail and DNS infrastructure, VPN endpoints, and any cloud-facing systems. Combines automated discovery, manual exploitation, and credential attacks against externally exposed authentication.
- External asset discovery and attack surface mapping
- Manual exploitation of exposed services and CVEs
- Credential stuffing, password spray, and OSINT-driven attacks
- Best for: annual compliance, SOC 2, cyber insurance renewal, M&A diligence
Internal network & Active Directory pen test
Simulates an attacker who already has a foothold — phished employee, malicious insider, compromised laptop. We test how far that foothold can go: lateral movement, privilege escalation, domain compromise, and access to crown-jewel data. This is where most real breaches actually unfold.
- AD enumeration, Kerberoasting, AS-REP roasting, ACL abuse
- Lateral movement, credential theft, and privilege escalation paths
- Domain Admin and Domain Controller compromise scenarios
- Best for: companies running Active Directory, regulated industries, post-IR validation
Web application penetration test
Manual, authenticated testing against your web app or SaaS product. Goes well beyond OWASP Top 10 scans — we test business logic, authorization boundaries, multi-tenant isolation, and the chains of small bugs that combine into account takeover or data exfiltration.
- Authenticated testing across every user role
- Business logic, IDOR, broken access control, and tenant isolation
- Auth, session, token, and API security review
- Best for: SaaS companies, customer-facing portals, fintech, healthtech
Cloud penetration test — AWS, Azure, GCP
Configuration and exploitation review of your cloud environment. We look at IAM, network architecture, exposed storage, secrets management, identity federation, and the privilege escalation paths between identities and resources. We test both from outside the tenant and from a "compromised developer" perspective.
- IAM and privilege escalation path analysis
- Exposed storage, secrets, and metadata service abuse
- Cross-account, cross-tenant, and federation-trust review
- Best for: cloud-native companies, recent cloud migrations, SaaS infrastructure
Social engineering — phishing & vishing
Controlled simulation of the attacks your people actually face: targeted email phishing, voice-based social engineering, and credential harvesting against MFA-protected logins. Reported by department and role so you know exactly where to invest in training and technical controls.
- Custom phishing campaigns with realistic pretexts
- Voice phishing (vishing) against IT, HR, and finance roles
- MFA fatigue, push-bombing, and adversary-in-the-middle testing
- Best for: organizations with credential-related incident history, security awareness validation
Red team engagement
An objectives-driven, multi-week simulation of a real targeted attack. We pick a goal — "exfiltrate the customer database" or "issue a fraudulent wire" — and combine phishing, infrastructure, internal pivoting, and stealth to test whether your detection and response stack actually works against a determined adversary. Best run after you already have a SOC or MDR in place.
- Objective-based, time-boxed adversary simulation
- Combined external, internal, and human-element attack chains
- Tests detection, response, and runbook execution
- Best for: mature security programs, post-MDR validation, board-level assurance
How an engagement runs
A predictable five-phase process with no surprises. We send you the rules of engagement before testing starts, give you a daily heartbeat during active testing, and deliver a written report you can hand to an auditor, a customer, or your board. Every engagement is fixed-fee against a written statement of work — you know the cost before we touch anything.
The five phases
- Scoping. 30-minute call. We define targets, business objectives, rules of engagement, and timeline. You get a written SOW and a fixed fee.
- Kickoff. Confirm scope, exchange technical contacts, agree on emergency procedures, and align on what gets reported in real time vs. at the end.
- Active testing. Typically 1 to 3 weeks. Daily status updates. Any critical or actively exploitable finding is reported within 24 hours so you can start fixing immediately.
- Reporting. Written report with executive summary, technical findings ranked by real business impact, reproducible evidence, and prioritized remediation guidance — not a 200-page vendor template.
- Retest. Free retest of every critical and high finding once you have remediated, so your final report shows the closed state. Helpful for auditors and customers who ask for evidence of fix.
What you get at the end
- Executive summary written for non-technical readers — share it with auditors and customers
- Technical findings with evidence, reproduction steps, and business-impact reasoning
- Prioritized remediation plan that calls out the top three fixes, not a flat list of fifty
- Attestation letter you can hand to procurement, compliance, or your cyber insurer
- Live readout with engineering and leadership to walk through findings and answer questions
Why Red Hound for offensive testing
Our team has spent two decades inside Fortune 500 red teams, Big Four offensive practices, and global incident response. We are practitioners who write our own tooling, publish our own research, and have stood in front of clients on the worst day of their year. SMBs and mid-market companies get the same tradecraft that enterprises pay six figures for — without the consulting overhead.
What makes us different
- Senior operators on the keyboard. You are not the training ground for a junior. Every engagement is led by an operator with a decade or more of offensive experience.
- Manual depth, not just tooling. Scanners find the obvious. Our value is the chain of low- and medium-severity findings that combine into a real compromise — that takes hands on keys.
- Findings you can actually fix. Every finding includes a clear, environment-aware remediation path. We tell you what to fix first and why.
- Free retest. Once you remediate the criticals and highs, we retest them at no extra cost so your final report shows closed status.
- Fixed fee, written SOW. No scope creep, no daily-rate billing surprises. You know the cost before testing begins.
- Vendor-neutral remediation. No reseller relationships. If you need new tooling we tell you what fits — not what pays us.
Frequently asked
The questions every buyer asks before a pen test engagement. If yours is not here, ask it on the scoping call.
How long does a pen test take?
Most engagements run 1 to 3 weeks of active testing, plus a week for reporting. External and web app tests are usually faster; internal AD and red team engagements run longer. You will have a firm timeline in the SOW before you sign.
What does it cost?
Pen tests are fixed-fee, scoped during the call. Cost depends on the type of test, the number of targets, and the depth requested. Most SMB engagements land in a range your auditor and CFO will recognize as reasonable for the scope. We quote in writing before any work starts.
Will the testing impact production?
We design every engagement to minimize operational risk. Denial-of-service style testing is off the table unless you specifically scope it in. We coordinate active testing windows, share IP allowlists in advance, and stay on call during the engagement so anything unexpected can be paused immediately.
Can the report be shared with customers and auditors?
Yes. The report is structured for that purpose: executive summary safe for external sharing, attestation letter on request, and detailed technical sections that auditors and customers expect to see. Many of our clients ship the report straight into SOC 2 evidence and customer trust portals.
Do you test cloud-only environments?
Yes. Many of our clients run fully on AWS, Azure, or GCP with no traditional perimeter. Our cloud engagement covers IAM, network, identity federation, exposed data, and the application layer on top — scoped to whichever provider you run on.
Can you re-test after we fix things?
Yes — and it is included. Once you remediate criticals and highs, we re-run the relevant attack paths at no additional cost so your final report shows closed status. Procurement and auditors love this.
Find out what an attacker would actually do to your business.
A 30-minute scoping call, no obligation. We help you pick the right test, give you a written SOW with a fixed fee, and answer every question before you commit.
