How is a real pentest different from a vulnerability scan?

Vulnerability scans run automated tools (Nessus, Qualys) and produce a list of CVEs flagged in your environment. Pentests are manual: senior testers exercise judgment about which findings actually matter, chain low-severity findings into critical attack paths, exploit business-logic flaws scanners miss, and document exactly what an attacker would do with each finding. If your last pentest was a scanner export with a cover page, you have not had a real one.

What does the pentest report include?

Executive summary (business impact, key findings, prioritized remediation), technical body (every finding with proof-of-concept, exploitation steps, screenshots/artifacts), remediation guidance per finding, attack-path diagrams for chained findings, and a methodology section that satisfies SOC 2, ISO 27001, PCI, or audit-of-record requirements. Plus a debrief call with your engineers.

How long does a pentest take?

Single web app or API pentest: 1-2 weeks of testing + 1 week of reporting. Internal + external network pentest, mid-market: 2-3 weeks of testing + 1 week reporting. Cloud pentest single account: 2 weeks total. Multi-product hybrid scope: scoped per engagement. Critical findings get reported in real-time during testing so you can patch in flight, not held back to the report.

Do you do retests after we remediate?

Yes. included free within 30 days of the original report. Retest is manual on the actual finding in your actual environment, not a re-scan. Final clean report goes to your auditor or board after retest. Beyond the 30-day window, retests are at hourly rate.

What about audit-required pentests (SOC 2, ISO 27001, PCI)?

Yes. scoped, evidenced, and reported to satisfy your audit's requirements. Methodology section in the report is structured to map to the framework's pentest requirements (SOC 2 CC4.1 / CC7.1 evidence, ISO 27001 A.12.6.1 evidence, PCI DSS Requirement 11.4 evidence). Auditor coordination if helpful. we'll join the audit call if asked.

Penetration Testing Services | GIAC-Certified Pentest Company

Pentests that prove what an attacker can actually do

We run manual, GIAC-led penetration tests for web applications, networks, cloud environments, APIs, and mobile apps. The deliverable is a narrative report. what an attacker would do, the chain of findings that gets them there, the proof-of-concept artifacts, and prioritized remediation. Not a scanner dump with an executive summary.

If your last "pentest" was a Nessus scan with a cover page, you have not had a real one. See our explainer on penetration testing vs vulnerability scanning for the buyer's diagnostic.

What we test

Web application pentests. OWASP-aligned testing across authentication, session management, authorization, business logic, IDOR, SSRF, and supply-chain dependencies. Tested both unauthenticated and across each user role.
External network pentests. Internet-facing assets, exposed admin interfaces, VPN concentrators, mail servers, DNS, web servers. what a remote attacker actually has to work with.
Internal network pentests. Assumed-breach engagements simulating a compromised endpoint or insider. Active Directory escalation, lateral movement, data-exfiltration paths.
Cloud pentests. AWS, Azure, GCP. IAM misconfigurations, exposed storage, secret leakage, lateral movement across accounts/projects, container and serverless surface.
API pentests. REST, GraphQL, gRPC. Authorization at object level, rate limiting, mass assignment, broken object property level authorization (OWASP API Top 10).
Mobile pentests. iOS and Android. runtime, IPC, certificate pinning, local data storage, jailbreak/root detection, MASVS-aligned.
SOC 2 / ISO 27001 / PCI-aligned pentests. Scoped, evidenced, and reported to satisfy your audit's requirements without paying enterprise prices.

Engagement structure

Scoping call. 30-60 minutes. We map the attack surface, agree on rules of engagement, schedule the test window, and give you a fixed-fee proposal.
Test execution. 1-3 weeks of testing depending on scope, with daily Slack updates if you want them. Critical findings get reported immediately so you can patch in flight.
Reporting. Written narrative report (executive summary + technical body + remediation guidance) plus a debrief call with your engineers. Each finding includes proof-of-concept, business impact, and a remediation plan.
Retest included. 30-day window for free retest of every finding once you've remediated. Final clean report goes to your auditor or board.

What you get that most pentests skip

Manual chaining of findings. Five medium-severity findings combined into one critical attack path. Scanners cannot do this. We do this on every engagement.
Business-logic testing. Authorization, workflow bypasses, financial-logic errors. Where real damage lives.
GIAC-certified testers. No exceptions, no junior staff handoff after the kickoff.
Audit-quality documentation. Methodology section, tool list, hash-verified evidence, written for FRE 902(13)/(14) self-authentication when needed for litigation.
Retest, not "rescan." Manual retest of the actual finding in your actual environment.

What we will not do

Run a Nessus scan, package the output, and call it a pentest
Charge for findings we did not actually exploit or could not demonstrate
Out-source testing to junior staff or third parties without your written consent
Test outside the agreed scope or rules of engagement
Hold your retest hostage as a separate purchase

How we price

External web app pentest, single product: $15K-$30K fixed fee
Internal + external network pentest, mid-market: $25K-$60K fixed fee
Cloud pentest, single AWS/Azure account: $20K-$45K fixed fee
SOC 2 / ISO 27001 readiness pentest: $18K-$40K fixed fee
Multi-product or hybrid scope: custom quote, fixed fee or hourly with milestone caps

Available as referral or white-label

We deliver penetration tests directly to enterprise clients, and we sub-contract delivery for security firms, MSSPs, MSPs, and IT consultancies whose clients need an offensive specialist on call. Two structures:

Referral partnership. You introduce. We deliver under the Witness brand and report to the client. Compensation negotiable per relationship.
White-label / sub-contracted. We deliver under your brand on your paper. Co-branded or invisible, your call. Quoted as a discount off our retail card.

Red team & adversary simulation. multi-week, goal-based, beyond pentest scope
Phishing simulation. pairs with a network pentest in many engagements
Penetration testing vs vulnerability scanning (blog)

A confidential, structured engagement.

Confidential Consultation

A direct conversation with Quinn, the founder and CEO who oversees every engagement. NDA-protected. No sales process.

Scoped Engagement

A clear written proposal with defined deliverables, timeline, and pricing. No hidden costs.

Investigation and Findings

Forensic work conducted to court-admissible standards, with regular communication and a written summary you can act on.

Same firm. Same legal entity. Same Quinn.
Also available through varcoe.ai for B2B buyers.

Both brands are operated by Blueberry Security Global, Inc., a Delaware C-corporation. Quinnlan Varcoe (Founder and CEO) sets the methodology, oversees Alex Riffenburgh and the practitioner team that executes the work, and reviews every case before findings leave the practice under either brand. The split is by audience and brand voice, not by capability.

Witness (you are here)

The parent brand for the practice. Court-admissible methodology, senior practitioner on every engagement, NDA-protected consultations. Right front door for consumer, attorney, family- office, and most enterprise buyers who want to talk to Quinn directly.

Varcoe (B2B sister brand)

Offensive Security

The B2B front door for the same practice. Procurement workflows, vendor onboarding, MSA paper, RFP responses. Useful when your buying process expects a B2B website and a B2B sales motion for Penetration Testing Services.

Visit varcoe.ai/penetration-testing-services

Quinnlan Varcoe

Founder & CEO

With operational experience across Fortune 50 security programs and the defense industrial base, Quinnlan founded Witness in 2022 to provide clients with the caliber of expertise typically reserved for the largest enterprises. Her work in threat intelligence and digital forensics has earned the trust of 26,000+ cybersecurity professionals who follow her analysis.

“26,000 professionals follow my work because I say what others won't — and I can back it up technically.”

Fortune 50 BackgroundDefense IndustryThreat IntelligenceDigital PrivacyIncident Response