Penetration Testing — CREST-Certified Offensive Security

CREST-certified penetration testing across network, application, API, and cloud surfaces. Every finding mapped to CMMC, FedRAMP, and NIST 800-53. POAM-ready. Retest included.

CREST-certified
Framework-mapped findings
30-day retest included

Most pen-test reports get filed and forgotten.

They list findings, assign generic CVSS scores, and leave your team to figure out which ones actually matter for your environment. We do the opposite: we test the way an attacker who knows your sector would, we map every finding to the controls you’re already accountable for, and we stay engaged through remediation so the report becomes a closed loop, not a PDF in a SharePoint folder.

What’s included.

Capability · 01

Network and infrastructure testing

External perimeter, internal segmentation, wireless, lateral-movement scenarios. Real exploit chains, not just a Nessus dump.

NIST 800-53 · CMMC L2 · ISO 27001 A.12.6
Capability · 02

Web application testing

OWASP Top 10 + business-logic flaws. Authenticated and unauthenticated paths. API surface tested separately when scoped.

OWASP ASVS · NIST 800-218 SSDF · PCI DSS 4.0
Capability · 03

API and integration testing

REST, GraphQL, SOAP. Authentication, authorization, rate-limiting, and data-exposure analysis.

OWASP API Top 10 · NIST 800-115
Capability · 04

Cloud configuration testing

AWS, Azure, GCP. IAM trust paths, S3/Blob/GCS exposure, KMS misuse, control-plane lateral movement.

CIS Benchmarks · CSA CCM · FedRAMP
Capability · 05

Red team engagements

Adversary-emulation against your detection and response stack. Mapped to MITRE ATT&CK technique coverage.

MITRE ATT&CK · CREST methodology
Capability · 06

POAM-ready remediation guidance

Every finding includes a control reference, a remediation path, and a retest commitment included in scope.

NIST 800-53 · CMMC L1–L3 · FedRAMP

From scoping call to closed findings. A clear path.

PHASE 01 · 1 WEEK
Scoping

ROE, target list, exclusions, communication plan, and a kickoff with your security and IT leads.

PHASE 02 · 2–4 WEEKS
Reconnaissance + Testing

Duration depends on scope. Daily check-ins on critical findings; weekly status calls.

PHASE 03 · 1 WEEK
Findings + Evidence

Written report, executive summary for leadership, technical detail with reproduction steps. POAM-ready on request.

PHASE 04 · 30 DAYS
Remediation Support + Retest

We stay engaged for 30 days post-report. Retest of critical and high findings is included.

Framework mapping.

Capability: Frameworks
Network and infra testing: NIST 800-53 (RA-5, CA-8) · NIST 800-115 · CMMC L2 (RA.L2-3.11.2) · ISO 27001 A.12.6
Application + API testing: OWASP ASVS · NIST 800-218 (SSDF) · PCI DSS 4.0 (11.4)
Cloud testing: CIS Benchmarks · CSA CCM · FedRAMP RA-5 · NIST 800-53 (CA-8)
Red team / adversary emulation: MITRE ATT&CK · NIST 800-53 (CA-8(2)) · CREST methodology

Outcomes.

  • A single PDF report sized for the room: 2-page exec summary, 30–80 page technical detail, framework-mapped POAM-ready findings spreadsheet.
  • A 30-day remediation support window — async questions, code review on fixes, control language for your auditors.
  • A retest of all critical and high findings, included in the scoped fee.

Frequently asked questions.

Are you actually CREST-certified?
Yes — through our partnership with SecureLayer7 (CREST-accredited, SOC 2 compliant). The pen-test team is CREST-certified; the engagement, scoping, and remediation support are managed by Connvertex.
Do you do red team or just pen test?
Both. Pen testing is scoped to find vulnerabilities; red team is scoped to test detection and response. We'll recommend the right mode based on what you're trying to learn.
How long does a typical engagement take?
A focused application test runs 2–3 weeks. A multi-environment scoped test runs 4–6 weeks. Retest happens 30–60 days after report delivery.
Can you map findings to CMMC controls?
Yes. POAM-ready CMMC L1 / L2 / L3 mapping is standard, no extra cost.
What if I need a re-test outside the included scope?
Re-tests of new findings or expanded scope are billed at the original day rate, scoped up front.