Find the gaps before an attacker does. Structured offensive security with remediation built in.
A vulnerability scanner produces a list. A penetration test produces a story - how an attacker moves from an exposed endpoint to a domain controller, which controls failed, and which assumptions in your architecture turned out to be wrong. The value is in the path, not the individual findings.
Red teaming goes further. Where a penetration test validates whether specific controls work, a red team exercise tests whether your detection, response, and coordination capabilities hold under a sustained, goal-directed attack. The attacker does not announce their scope. Neither does a red team.
NIS2 has driven a wave of compliance-oriented testing - assessments designed to satisfy an audit requirement rather than reveal actual exposure. The result is a growing gap between documented security posture and operational reality. Gradion does not run checkbox tests. Every engagement is scoped to answer a question the organisation actually needs answered.
Web application penetration testing
Two tiers, depending on the depth required. Standard/Lean: one week per application - OWASP Top 10 coverage, authentication and session management, access control logic, injection vulnerabilities, API endpoint exposure, and business logic flaws. Deep Dive: two to four weeks per application - full manual testing including REST, GraphQL, and legacy SOAP interfaces, chained attack paths, and advanced business logic analysis.
Testing is manual-first. Automated scanners find the surface; humans find the exploits.
Deliverables for both tiers: Executive Report, Technical Deep Dive with proof-of-concept exploits, Remediation Roadmap.
Web security hardening
Finding vulnerabilities is only half the job. After a pentest, we implement the fixes: WAF configuration, code-level remediation, and full validation that the changes hold. Seven-day turnaround from finding to fix. This is not a separate engagement bolted on - it is the natural continuation of the test.
External and internal network penetration testing
External testing assesses internet-facing infrastructure from a realistic attacker position - no internal knowledge, no prior access. Exposed services, authentication mechanisms, configuration weaknesses, and chained attack paths.
Internal testing assumes an attacker already inside the perimeter - the most common scenario after a successful phishing or supply chain compromise. Lateral movement opportunities, privilege escalation paths, Active Directory exposure, and segmentation effectiveness across Windows, Linux, cloud-connected, and hybrid environments.
OT and ICS penetration testing
Industrial control system environments require a different approach. Active exploitation that disrupts a production line is not an acceptable test outcome. We run passive reconnaissance, protocol analysis, and targeted active testing within agreed safety boundaries. IEC 62443 provides the risk and zone framework; the test validates whether the controls defined in that framework are actually enforced.
This capability is rare in the DACH market. Most pen test firms approach OT environments with IT methodology and stop when they encounter Modbus or PROFINET. We do not.
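An illustration of what passive protocol analysis within safety boundaries means in practice, added here as an example and not Gradion's own OT tooling: a small Modbus/TCP parser that decodes the MBAP header and PDU of captured requests and separates read-only function codes from writes that would change coil or register state on a device. The frames are constructed for the example, and the function-code tables assume the public Modbus function codes.

```python
# Passive Modbus/TCP analysis: parse MBAP header + PDU and classify each
# request as read-only or state-changing. Added illustration, not Gradion's
# OT tooling; the sample frames below are constructed, not from a real capture.
import struct

# Public function codes that read process data without altering it
READ_ONLY_FCS = {1: "Read Coils", 2: "Read Discrete Inputs",
                 3: "Read Holding Registers", 4: "Read Input Registers"}
# Public function codes that change coil/register state on the device
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
             15: "Write Multiple Coils", 16: "Write Multiple Registers",
             23: "Read/Write Multiple Registers"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP frame: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # MBAP length counts the unit id plus the PDU, so the PDU is length-1 bytes
    pdu = frame[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("truncated PDU")
    fc = pdu[0]
    base_fc = fc & 0x7F            # bit 7 set marks an exception response
    info = {"transaction": tid, "unit": unit, "fc": fc,
            "exception": bool(fc & 0x80)}
    if base_fc in READ_ONLY_FCS:
        info["kind"], info["name"] = "read", READ_ONLY_FCS[base_fc]
    elif base_fc in WRITE_FCS:
        info["kind"], info["name"] = "write", WRITE_FCS[base_fc]
    else:
        info["kind"], info["name"] = "other", f"FC {base_fc}"
    # FC 1-6 and 15/16 requests all start with a 16-bit address; the second
    # word is a quantity for reads and multi-writes, the value for FC 5/6
    if base_fc in (1, 2, 3, 4, 5, 6, 15, 16) and len(pdu) >= 5:
        addr, val = struct.unpack(">HH", pdu[1:5])
        info["address"] = addr
        info["quantity_or_value"] = val
    return info


def classify_capture(frames):
    """Split frames into (reads, writes); writes are what a passive test never sends."""
    reads, writes = [], []
    for f in frames:
        p = parse_modbus_tcp(f)
        (writes if p["kind"] == "write" else reads).append(p)
    return reads, writes


# Constructed sample frames (hex, spaces for readability)
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000a"),            # read 10 holding regs from 0
    bytes.fromhex("0002 0000 0006 01 06 0010 00ff"),            # write 0x00ff to register 16
    bytes.fromhex("0003 0000 000b 01 10 0000 0002 04 0001 0002"),  # write 2 regs from 0
]

if __name__ == "__main__":
    reads, writes = classify_capture(SAMPLE_FRAMES)
    for p in reads + writes:
        print(p["kind"], p["name"], "unit", p["unit"], "addr", p.get("address"))
```

The point of the classification is not the parsing itself but the boundary it makes explicit: from a capture on the OT segment, the test team knows which write function codes the devices actually honour, and those messages are the ones an agreed safety boundary keeps out of any active step.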
Red team exercises
Full-scope adversary simulation: phishing, physical intrusion attempts, social engineering, persistent access establishment, and lateral movement to defined objectives. Red team engagements run over two to four weeks using MITRE ATT&CK as the adversary behaviour framework. The output is an attack timeline, a detection gap analysis, and a structured debrief with the blue team. We do not deliver a findings list and exit - the debrief is where the real work happens.
Mobile application testing
iOS and Android applications handling sensitive data or acting as authentication entry points. Static analysis, dynamic testing, traffic interception, and backend API review from the mobile client’s perspective.
How findings are delivered
Every engagement produces a technical report and an executive summary. The technical report is written for the engineers who will fix the issues - reproduction steps, tool output, code snippets where relevant, and specific remediation guidance. The executive summary is written for the board or CISO: risk exposure, business impact framing, and prioritised action.
Remediation validation - retesting fixed findings - is included in scope for all standard engagements. If a fix introduces a new issue, we find it.
Broader IT/OT assessment
For organisations that need a full picture across both IT and OT systems before scoping targeted testing, our Cybersecurity & Infrastructure Safety Check is the starting point: a ~3-week engagement (6–7 consulting days) covering network segmentation, remote access risks, legacy system exposure, and access controls across both domains. Output includes an Executive Risk Scorecard and a prioritised Remediation Action Plan. Details on the Cybersecurity landing page.
Engagement model
Initial scoping call within 48 hours. Engagement scoped and quoted within one week. Testing windows coordinated with your operations team to avoid production impact. Standard web application or network test delivered in two to three weeks from kick-off. Red team exercises scoped separately based on objectives and environment size.
We operate across Germany, Vietnam, Singapore, Egypt, and Thailand. For clients requiring testing in multiple regions or across multi-country infrastructure, we run coordinated parallel assessments without the scheduling overhead that single-office firms face.
Methodology
Testing follows PTES and OWASP methodology for applications. OT testing references IEC 62443-3-3 security level assessment. Red team exercises use MITRE ATT&CK. Tools include Burp Suite Pro, Metasploit, Cobalt Strike (licensed), Nessus, and custom tooling for OT protocols.
Share your environment and objectives. We will return a test plan and quote within one week.
Want to know what an attacker sees when they look at your systems?
We run realistic red team engagements with full methodology transparency and actionable remediation reports.