Our services

Comprehensive, tailored offensive assessments

Every organization has a different attack surface. We combine exposure discovery, pentesting by service line, and specialized scenarios, always with a frozen written scope and black-, gray-, or white-box modalities aligned to your threat model.

Modalities

From black box to white box, the scale tracks the information you share, the exercise time invested, and, taken together, the relative cost for the same closed scope.

Black box

Minimal internal context: agreed surface and rules; the team reconnoiters and validates without privileged credentials.

Scale: information shared · exercise duration · relative cost

Gray box

Partial context: low-privilege accounts, network segments, or scoped documentation to accelerate pivots in a controlled way.

Scale: information shared · exercise duration · relative cost

White box

Maximum context: architecture, code, or credentials per policy; depth and coordination aligned to closed scope.

Scale: information shared · exercise duration · relative cost

Fees and concrete timelines are set in a proposal after the briefing; the scale indicates relative effort, not a published rate card.

Surface and exposure

Before simulating attack paths, map what is visible from the outside and prioritize it for the pentest scope.

Attack surface management (ASM)

Inventory and prioritization of Internet-exposed assets before or alongside the pentest.

  • Exposed asset identification
  • Public exposure analysis

Typical: black-box or scoped OSINT

runbook · asm

fortress@engagement:~$ assetmap --perimeter agreed_scope.json
hosts_discovered: 42 · tls_anomalies: 2
exposure_rank: HIGH svc-REDACTED:443
risk: exposure_map → pentest backlog updated

Illustrative sequence under agreed scope

Coverage
Subdomains, exposed services and applications, certificates, and scoped perimeter footprinting.
Typical deliverables
Risk-prioritized list, duplicates, and shadow IT where applicable; input for where to go deeper in testing.
Assumptions / modality
No internal credentials; legal and ethical limits set in writing in the SOW.

Offensive testing by line

Manual pentesting with frozen scope; black, gray, or white box modalities depending on context and risk.

Common line

AppSec and modern stack

Web apps, APIs, and mobile clients with a focus on business logic.

  • OWASP / APIs
  • REST and GraphQL
  • Auth and sessions
  • Business logic
  • iOS and Android

Typical: black to white box depending on scope

runbook · appsec

fortress@engagement:~$ surface_scan --auth-flow checkout
routes: 200=184 · 301=12 · 401=9
auth_surface: expanded (session + OAuth callbacks)
next: manual business-logic probes (SOW-bound)

Illustrative sequence under agreed scope

Coverage
Web applications, REST/GraphQL APIs, and iOS/Android clients.
Typical deliverables
Agreed surface map, business-logic abuse where applicable, findings with controlled reproduction.
Assumptions / modality
Black, gray, or white box / targeted review per scope.

Enterprise infrastructure

Internal/external network, AD, and lateral movement under signed rules.

  • Network and segmentation
  • Active Directory
  • Exposed services
  • Lateral movement

Usually gray or white box

runbook · infra

fortress@engagement:~$ nmap -sV -p 1-1024 --open 10.REDACTED.0.0/24
open_tcp: 7 · smb_signing: disabled (segment A)
lateral_move: requires written RoE + window
impact_chain: documented for readout

Illustrative sequence under agreed scope

Coverage
Internal and/or external network, segmentation, Active Directory, and lateral movement only under signed engagement rules.
Typical deliverables
Documented impact chains and escalation paths relevant to your threat model.
Assumptions / modality
Often combined with gray or white box to bound operational risk.

Cloud

IAM, configuration, and exposure across AWS, Azure, and GCP.

  • IAM and roles
  • Storage
  • Virtual networks
  • AWS / Azure / GCP

Gray or white box (test roles)

runbook · cloud

fortress@engagement:~$ iam_policy_sim --provider aws --read-only
overprivileged_role: 1 · s3_public: 0
finding: HIGH · trust-chain via assumed-role
remediation_hint: least-privilege + SCP review

Illustrative sequence under agreed scope

Coverage
AWS, Azure, and GCP: IAM, configuration, data exposure, and under-hardened surfaces.
Typical deliverables
Risk prioritization for identities and data; guidance aligned to provider best practices.
Assumptions / modality
Read-only accounts or test roles per client policy.

Specialized and high criticality

Sensitive surfaces, strict contractual frames, and coordination with legal and operations.

Emerging technology

In-app AI, biometrics, and MFA where legal frameworks allow.

  • In-app AI
  • Prompts and context leakage
  • Biometrics
  • MFA

Explicit scope in the SOW

runbook · emerging

fortress@engagement:~$ llm_probe --context-leak --budget 50req
context_leak: possible (confidence 0.62)
legal_surface: SOW clause 4.2 required
halt: pending dual approval

Illustrative sequence under agreed scope

Coverage
Applications with AI components (e.g., context leakage, prompt abuse), biometrics, and MFA where legal and contractual frameworks allow.
Typical deliverables
Findings scoped to the agreed design; no commitments beyond written scope.
Assumptions / modality
Requires explicit surface definition and ethical limits in the SOW.

Specialized

Reverse engineering, controlled phishing, and high-criticality scenarios.

  • Reverse engineering
  • Advanced phishing
  • High criticality
  • Legal coordination

Always closed scope and windows

runbook · specialized

fortress@engagement:~$ campaign_status --phish controlled_lab
delivery: 12 · click: 2 · cred_capture: 0
PASS ethics_guard (no production harvest)
evidence_pack: sealed for legal review

Illustrative sequence under agreed scope

Coverage
Binary reverse engineering, advanced phishing in a controlled environment, and high-criticality scenarios with prior authorization.
Typical deliverables
Reproducible evidence and remediation guidance; close coordination with your legal and security teams.
Assumptions / modality
Always under explicit scope and defined time windows.

Before choosing a line

Five questions that often come up in the briefing

Short answers aligned to authorized-scope pentesting, the engagement cycle, and how we work with your operations team.