Engagement Process
A repeatable, auditor-ready process for external penetration testing engagements supporting SOC 2 Type II compliance. Every phase is documented, timestamped, and deliverable-driven.
Initial Contact & NDA
First contact via web form, email, or referral. We schedule a 30-minute discovery call to understand your environment, compliance timeline, and testing goals. An NDA is executed before any sensitive information is exchanged.
- Discovery call scheduled within 1 business day
- Mutual NDA sent via DocuSign
- Security questionnaire delivered to client
- Client completes questionnaire (environment, stack, scope candidates)
- NDA countersigned — engagement formally begins
Meetings
- Discovery Call: 30 min · Client CTO / CISO + SCSL Lead
Scoping & Statement of Work
Based on the questionnaire and a dedicated scoping call, we define the exact attack surface, testing boundaries, and Rules of Engagement. A Statement of Work is drafted with fixed deliverables, timeline, and pricing.
- Scoping call — define IP ranges, domains, APIs, cloud accounts in scope
- Out-of-scope systems formally documented
- Testing methodology agreed (black-box / grey-box / white-box)
- Rules of Engagement document drafted
- Statement of Work + fixed-fee proposal sent
- Contract signed by both parties
Meetings
- Scoping Call: 60 min · Client Engineering Lead + SCSL Lead
Kickoff & Access Provisioning
A formal kickoff meeting with all stakeholders. Test accounts, VPN access, and API credentials (for grey/white-box) are provisioned. Testing window is confirmed and emergency escalation contacts are established.
- Kickoff meeting with client security & engineering teams
- Emergency contact protocol agreed (24/7 escalation path)
- Test accounts provisioned and verified
- Network access / VPN credentials delivered securely
- Testing window confirmed on shared calendar
- Pre-engagement system baseline snapshot (where applicable)
Meetings
- Kickoff Meeting: 45 min · All stakeholders
Reconnaissance & Threat Modeling
Passive and active reconnaissance to build a complete picture of the attack surface before any exploitation attempts. We map authentication flows, identify trust boundaries, and prioritise high-risk targets aligned with SOC 2 CC controls.
- OSINT — domains, emails, ASNs, leaked credentials, GitHub exposure
- DNS enumeration, subdomain discovery, certificate transparency
- Web application fingerprinting (tech stack, frameworks, versions)
- API endpoint enumeration — documented vs undocumented
- Cloud asset discovery (S3 buckets, exposed storage, misconfigured IAM)
- STRIDE threat model per major trust boundary
- Attack surface map delivered internally
Active Penetration Testing
The core testing phase. Manual exploitation combined with coverage-guided API fuzzing, business logic abuse, and authentication attacks. Every finding is documented in real time with reproduction steps and CVSS scoring.
- Authentication & session management testing (OWASP ASVS Level 2)
- Broken Object Level Authorization (BOLA/IDOR) across all API endpoints
- Injection testing — SQLi, NoSQLi, SSTI, command injection
- API fuzzing with custom grammar-based harness (UpsideFuzzer)
- Business logic abuse — pricing manipulation, rate-limit bypass, state machine attacks
- Privilege escalation — horizontal and vertical
- Cloud security — IAM policy review, S3 ACLs, secrets in environment variables
- Infrastructure — exposed admin panels, default credentials, CVE-based exploits
- All exploitation captured with HTTP request/response artifacts
Internal Review & CVSS Scoring
All findings undergo internal peer review before client delivery. Each vulnerability is assigned a CVSS v4.0 score, mapped to a SOC 2 Common Criteria control, and categorised by exploitability and business impact.
- All findings reviewed by second SCSL engineer
- False positive elimination — every finding manually re-verified
- CVSS v4.0 scoring assigned per finding
- Findings mapped to SOC 2 CC controls (CC6.1, CC6.6, CC7.1, etc.)
- Executive impact statements written per Critical/High finding
- Remediation guidance reviewed for accuracy and actionability
Draft Report Delivery
A comprehensive draft report is delivered via encrypted channel. The report contains an executive summary suitable for board presentation, a full technical findings section, and actionable remediation guidance prioritised by risk.
- Draft report delivered as encrypted PDF
- Executive summary — risk posture, critical findings, overall rating
- Technical findings — title, severity, CVSS score, description, PoC, remediation
- Findings appendix — raw HTTP artifacts, screenshots
- SOC 2 evidence summary — what the auditor will see
- 48-hour client review window before report call
Report Review Call
A 60-minute walkthrough call where SCSL engineers present every finding, answer technical questions, and clarify remediation priorities. Client engineering teams can dispute findings — all disputes are formally reviewed and documented.
- Structured walkthrough of all Critical and High findings
- Q&A on reproduction steps and remediation options
- Finding dispute process — client submits in writing, SCSL responds within 48h
- Remediation timeline agreed with client
- Prioritisation guidance — what to fix before the audit window
Meetings
- Report Walkthrough Call: 60–90 min · Client Engineering + Security + SCSL team
Remediation Period
Client engineering team remediates findings. SCSL is available for optional remediation advisory calls and pull request reviews for security-sensitive code changes. A remediation tracker is shared for real-time progress visibility.
- Shared remediation tracker updated by client
- Optional: 2 × 30-min advisory calls included at no additional cost
- SCSL available for async Q&A via secure channel (encrypted email / Signal)
- Client marks findings as resolved with evidence (PR link, config diff, screenshot)
- SCSL reviews evidence before scheduling retest
Meetings
- Remediation Advisory (optional): 2 × 30 min · Client Engineering + SCSL
Retest & Verification
Every Critical and High finding is retested in production or a staging environment that mirrors production. Medium/Low findings are verified via evidence review. Retest results are formally recorded.
- All Critical and High findings retested against patched system
- Medium/Low findings verified via evidence (code diff, config screenshot)
- Regression check — confirm no new attack surface introduced
- Retest results documented (Resolved / Partially Resolved / Open)
- Acceptance criteria confirmed for auditor package
Final Report & Attestation
The final signed report reflects all retest outcomes. A Letter of Attestation on SCSL letterhead confirms the scope, methodology, and overall remediation status — the primary artifact your SOC 2 auditor requires.
- Final report updated with retest status per finding
- Cover page updated with final engagement dates
- Letter of Attestation drafted and signed
- Auditor evidence package assembled
- All documents delivered via encrypted channel
- Retention: SCSL retains encrypted copies for 2 years
Auditor Support
After report delivery, SCSL remains available to answer auditor questions, join auditor calls, and provide supplementary evidence. This is included at no additional cost for 90 days post-delivery.
- SCSL point of contact available for auditor Q&A (email / call)
- Auditor questionnaire responses drafted on request
- Optional auditor call — SCSL engineer joins to answer technical questions
- Supplementary evidence issued if scope clarification is needed
- Included for 90 days post final report delivery
Meetings
- Auditor Call (if needed): up to 60 min · Auditor + Client + SCSL Lead
Find your vulnerabilities before attackers do.
Schedule a no-commitment scoping call. We'll discuss your environment, threat model, and what a security assessment looks like for your organization.