Fortress Offensive Security

Offensive testing

Manual pentesting by surface

Exposure discovery, business-line pentesting, infrastructure and cloud, and high-criticality scenarios — always black, gray, or white box per the SOW.

Modalities

From black to white box, information you share, exercise time invested and, together, relative cost for the same closed scope.

Black box

Minimal internal context: agreed surface and rules; the team reconnoiters and validates without privileged credentials.

Information shared

Exercise duration

Relative cost

Gray box

Partial context: low-privilege accounts, segments, or scoped documentation to accelerate pivots with control.

Information shared

Exercise duration

Relative cost

White box

Maximum context: architecture, code, or credentials per policy; depth and coordination aligned to closed scope.

Information shared

Exercise duration

Relative cost

Fees and concrete timelines are set in a proposal after the briefing; the scale indicates relative effort, not a published rate card.

Exposure and reconnaissance

Before simulating attack: inventory what's visible from outside and prioritize pentest scope.

Attack surface management (ASM)

Inventory and prioritization of Internet-exposed assets before or alongside the pentest.

  • Exposed asset identification
  • Public exposure analysis

Typical: black-box or scoped OSINT

runbook · asm

fortress@engagement:~$ assetmap --perimeter agreed_scope.json
hosts_discovered: 42 · tls_anomalies: 2
exposure_rank: HIGH svc-REDACTED:443
risk: exposure_map → pentest backlog updated

Secuencia ilustrativa bajo alcance acordado

Coverage
Subdomains, exposed services and applications, certificates, and scoped perimeter footprinting.
Typical deliverables
Risk-prioritized list, duplicates, and shadow IT where applicable; input for where to go deeper in testing.
Assumptions / modality
No internal credentials; legal and ethical limits set in writing in the SOW.

Business surfaces

Manual pentesting on applications, APIs, and mobile clients with a focus on business logic.

Common line

AppSec and modern stack

Web, REST/GraphQL APIs, and iOS/Android mobile with a focus on business logic.

  • Web applications
  • REST / GraphQL APIs
  • Auth and sessions
  • Business logic
  • iOS and Android

Typical: black to white box depending on scope

runbook · appsec

fortress@engagement:~$ surface_scan --auth-flow checkout
routes: 200=184 · 301=12 · 401=9
auth_surface: expanded (session + OAuth callbacks)
next: manual business-logic probes (SOW-bound)

Secuencia ilustrativa bajo alcance acordado

Coverage
Web applications, REST/GraphQL APIs, exposed microservices, and iOS/Android clients.
Typical deliverables
Agreed surface map, business-logic abuse where applicable, findings with controlled reproduction.
Assumptions / modality
Black, gray, or white box / targeted review per scope.

Looking for SDLC work (threat modeling, code, pipelines)? View AppSec across the SDLC

Infrastructure and cloud

Internal/external network, Active Directory, and identities and configuration across AWS, Azure, and GCP.

Enterprise infrastructure

Internal/external network, AD, and lateral movement under signed rules.

  • Network and segmentation
  • Active Directory
  • Exposed services
  • Lateral movement

Usually gray or white box

runbook · infra

fortress@engagement:~$ nmap -sV -p 1-1024 --open 10.REDACTED.0.0/24
open_tcp: 7 · smb_signing: disabled (segment A)
lateral_move: requires written RoE + window
impact_chain: documented for readout

Secuencia ilustrativa bajo alcance acordado

Coverage
Internal and/or external network, segmentation, Active Directory, and lateral movement only under signed engagement rules.
Typical deliverables
Documented impact chains and escalation paths relevant to your threat model.
Assumptions / modality
Often combined with gray or white box to bound operational risk.

Cloud

IAM, configuration, and exposure across AWS, Azure, and GCP.

  • IAM and roles
  • Storage
  • Virtual networks
  • AWS / Azure / GCP

Gray or white box (test roles)

runbook · cloud

fortress@engagement:~$ iam_policy_sim --provider aws --read-only
overprivileged_role: 1 · s3_public: 0
finding: HIGH · trust-chain via assumed-role
remediation_hint: least-privilege + SCP review

Secuencia ilustrativa bajo alcance acordado

Coverage
AWS, Azure, and GCP: IAM, configuration, data exposure, and under-hardened surfaces.
Typical deliverables
Risk prioritization for identities and data; guidance aligned to provider best practices.
Assumptions / modality
Read-only accounts or test roles per client policy.

Need cloud posture or IAM/PAM review without offensive testing? View cloud advisory

High criticality and novelty

Emerging technology, reverse engineering, and sensitive scenarios under strict contractual framing.

Emerging technology

In-app AI, biometrics, and MFA where legal frameworks allow.

  • In-app AI
  • Prompts and context leakage
  • Biometrics
  • MFA

Explicit scope in the SOW

runbook · emerging

fortress@engagement:~$ llm_probe --context-leak --budget 50req
context_leak: possible (confidence 0.62)
legal_surface: SOW clause 4.2 required
halt: pending dual approval

Secuencia ilustrativa bajo alcance acordado

Coverage
Applications with AI components (e.g., context leakage, prompt abuse), biometrics, and MFA where legal and contractual frameworks allow.
Typical deliverables
Findings scoped to the agreed design; no commitments beyond written scope.
Assumptions / modality
Requires explicit surface definition and ethical limits in the SOW.

Specialized

Reverse engineering, controlled phishing, and high-criticality scenarios.

  • Reverse engineering
  • Advanced phishing
  • High criticality
  • Legal coordination

Always closed scope and windows

runbook · specialized

fortress@engagement:~$ campaign_status --phish controlled_lab
delivery: 12 · click: 2 · cred_capture: 0
PASS ethics_guard (no production harvest)
evidence_pack: sealed for legal review

Secuencia ilustrativa bajo alcance acordado

Coverage
Binary reverse engineering, advanced phishing in a controlled environment, and high-criticality scenarios with prior authorization.
Typical deliverables
Reproducible evidence and remediation guidance; close coordination with your legal and security teams.
Assumptions / modality
Always under explicit scope and defined time windows.