We test your systems the way an actual attacker would: manual, targeted testing across your web applications, mobile apps, APIs, network infrastructure, cloud environments, and AI systems. Blackbox, greybox, or whitebox, scoped to whatever makes sense for your environment and threat model.
Automated scanners catch the low-hanging fruit. We go after the things they miss: business logic flaws, chained vulnerabilities, access control gaps that only show up when you actually understand how the application works. Every engagement pairs tooling with hands-on manual testing by experienced operators.
Foxhound Portal
Our pentest engagements run through Foxhound, the workflow and delivery platform behind our testing practice. On the client side, that shows up as the Fenko Security Portal: one place to track engagement progress, review published findings, inspect evidence, and download reports without waiting until the end of the test.
The portal mirrors the way the engagement itself is run. Recon, scanning, exploitation, reporting, and retesting are structured into clear phases. Findings are published with severity, evidence, and remediation guidance, while exploitation steps stay behind a human approval gate before anything moves past safe proof-of-concept validation.
Web Application Testing
Full-depth testing against your web applications, covering the OWASP Top 10 and well beyond it. We test for injection flaws (SQL, NoSQL, LDAP, command), cross-site scripting, broken authentication and session management, insecure direct object references, server-side request forgery, and misconfigurations in web servers, frameworks, and CDNs. We also look at things like WebSocket handling, client-side storage, and CSP bypasses. If your app handles file uploads, payments, or multi-tenant data, those get dedicated attention.
Mobile Application Testing
iOS and Android. We reverse-engineer the application binary, inspect local data storage, analyse network traffic, and test the backend APIs the app relies on. Coverage includes certificate pinning validation, insecure data storage (Keychain, SharedPreferences, local databases), inter-process communication, deeplink handling, and runtime manipulation. We test against the OWASP Mobile Top 10 and flag platform-specific issues that scanners routinely miss.
API Testing
REST, GraphQL, gRPC, and SOAP. We map every endpoint, test authentication and authorisation at each layer, fuzz input parameters, and look for data exposure through verbose error messages, excessive response fields, and broken object-level access control (BOLA/IDOR). Rate limiting, mass assignment, and injection via serialised payloads all get covered. If you have API documentation (OpenAPI specs, Postman collections), we’ll use it. If you don’t, we’ll enumerate from scratch.
Network Infrastructure Testing
External and internal. On the perimeter side, we run port scanning, service enumeration, and protocol-level testing across your public-facing infrastructure. We look for exposed management interfaces, default credentials, outdated TLS configurations, DNS misconfigurations, and services that shouldn’t be internet-facing.
For internal testing, we assess what an attacker could do once inside your network: Active Directory attacks, lateral movement paths, credential harvesting, network segmentation validation, and privilege escalation. If you need it, we can simulate a full assumed-breach scenario starting from a standard user workstation.
Cloud Security Testing
AWS, Azure, and GCP. We review IAM policies, storage bucket permissions, network security groups, serverless function configurations, and container orchestration setups. Cloud pentesting is different from traditional network testing because the attack surface lives in configuration as much as in code. We test for privilege escalation through misconfigured roles, data exposure via overly permissive storage policies, and lateral movement between cloud services.
AI and LLM Security Testing
Prompt injection, jailbreak testing, training data extraction, agent tool abuse, and data exfiltration through model outputs. If you’re running autonomous agents with tool access, we test whether those tools can be manipulated into performing unintended actions. We also assess guardrail effectiveness, system prompt leakage, and whether your RAG pipeline can be poisoned through its data sources. This is the testing we built Fenko around.
How We Work
Every engagement follows the same structure:
- Scoping. We define targets, testing windows, rules of engagement, and communication channels before anything starts. You know exactly what we’re testing and how.
- Reconnaissance and discovery. We map your attack surface, identify technologies in use, and build a testing plan tailored to your stack.
- Testing and exploitation. Manual testing combined with targeted tooling and Foxhound-driven workflow. Every finding is verified with a safe proof-of-concept. Nothing gets exploited beyond what’s needed to demonstrate impact, and never without your approval.
- Reporting. Published findings and evidence are tracked in the Fenko Security Portal, and you also get a detailed report with CVSS v4.0 scoring, CWE references, evidence captures (screenshots, request/response pairs, reproduction steps), and specific remediation guidance. Written so your engineers can fix the issues and your leadership can understand the risk.
- Retesting. Once you’ve remediated, we retest the findings at no extra cost to confirm they’re properly resolved.
What You Get
A client portal and a professional PDF report structured for two audiences. The executive summary gives leadership a clear picture of risk posture without requiring technical background. The technical findings section gives your engineering team everything they need to reproduce, understand, and fix each issue, including severity ratings, affected components, evidence, and step-by-step remediation guidance.
We’re also available throughout the engagement and after delivery to answer questions, clarify findings, or help your team prioritise remediation.