About us

Offensive security firm: traditional pentesting with written scope and senior teams prioritizing clarity for leadership and engineering.

Fortress Offensive Security is built on the belief that offensive security must be explainable, defensible, and aligned with real business risk. We do not sell context-free vulnerability lists: we document hypotheses, reproducible evidence, and severity using criteria your organization can review with audit or legal.

We work as a technical partner on bounded engagements: explicit engagement rules, careful handling of sensitive data, and no public client portfolio on the web. That lets us focus on report quality and knowledge transfer to your teams.

Principles

Working principles

Four commitments that shape every report and every interaction with your team.

Written scope

Each exercise is defined with surface, windows, and agreed limits. No implicit expansions: scope changes are documented before execution.

Rigor and traceability

Findings with evidence and reproducible steps; dual reading for leadership (risk) and engineering (remediation).

Confidentiality

Evidence and communications limited to agreed channels; respect for internal policies and legal requirements from kickoff.

Senior teams, not a factory

Small teams with senior experience on the campaign. No generic templates or timeline promises that depend on scope not yet closed.

Experience

Sectors where we have performed pentesting

Overview of contexts and surfaces common in our campaigns. We do not publish a client portfolio: this describes environment types, not specific contracts.

Primary specialty: PCI DSS, CNBV, regulated environments

Financial, banking, and fintech

Applications, APIs, and digital channels under regulatory pressure: deep testing focused on controls, segregation, and evidence defensible in audit.

Public sector and government

Evaluations bounded to explicit scope, coordination with internal teams, and respect for information classification in agencies and bodies.

Retail

POS, e-commerce, promotions, and associated logistics chains: business-rule abuse, fraud, and cardholder data exposure.

Logistics, transport, and telemetry

Tracking platforms, fleets, and third-party APIs: identity abuse, telemetry, and location or cargo data leaks.

FMCG and food

ERP, plant, and distribution partners: campaigns focused on order integrity, promotion fraud, and cold-chain documentation.

Education and research

Campus, federated identity, and labs: hardening reviewed with offensive testing on exposed services and research data.

Training

Team certifications

Training and technical validation in offensive pentesting: web, mobile, cloud, and industry-recognized practical certifications.

eJPT: eLearnSecurity Junior Penetration Tester
eWPT: eLearnSecurity Web Application Penetration Tester
eWPTX: Web Application Penetration Tester eXtreme
eMAPT: eLearnSecurity Mobile Application Penetration Tester
eCCPT: eLearnSecurity Certified Cloud Penetration Tester
CNPen: practical network pentesting certification
CAPENX: practical advanced pentesting certification
CWES: Hack The Box Certified Web Exploitation Specialist