BBPen · Other
Advanced Black Box Penetration Testing
Care for a game of capture-the-flag? A goal-based, adversary-style engagement with no internal knowledge, no whitelisting, and minimal scope restrictions. The closest thing to a real attack short of one.
When PSA isn't enough
A standard penetration test asks: which vulnerabilities exist on this scope? A black-box engagement asks: can a determined adversary achieve this objective? The two answer different questions. BBPen is for organizations that already do regular PSA-style testing (PSA: Perimeter Security Assessment & Penetration Testing) and need to know whether their actual defensive program — people, process, technology, detection, response — works against an attacker who refuses to follow the script.
Boards and audit committees increasingly ask a single question: "if a serious adversary targeted us, would we know? Would we stop them?" BBPen is how you find out before they do.
The kill chain
Goal definition
We define the 'flags' with you in advance: domain admin? PII exfiltration? Wire transfer? Source code? Production database? The goal drives everything that follows.
OSINT & reconnaissance
Public footprint, employee enumeration, exposed credentials, third-party trust relationships, physical site scouting. Same playbook as a real adversary.
Initial access
Multi-vector — perimeter exploitation, phishing & vishing, malicious USB drops, physical pretext, supplier compromise. Whichever vector works first wins.
Foothold & evasion
Establish C2 with techniques designed to evade your EDR, SIEM, and SOC. We measure detection and response as a core deliverable.
Lateral movement
Credential harvesting, AD attack paths, Kerberoasting, ticket abuse, privilege escalation across cloud and on-prem boundaries.
Objective & exfiltration
Reach the flag. Demonstrate impact safely. Exfiltrate using techniques real attackers use — DNS tunneling, cloud sync abuse, encrypted channels.
Debrief & remediation
Full timeline, the kill chain that worked, the controls that fired (or didn't), and prioritized remediation tied to your detection gaps.
Attack vectors
Network
Perimeter exploitation, exposed services, VPN abuse, supply-chain pivots.
Web & API
Auth bypass, SSRF to cloud metadata, IDOR chains to admin functions.
Social
Spear-phishing, vishing, pretext-based on-site engagements, malicious USB.
Wireless
Evil-twin AP, WPA2/3-Enterprise relay, BLE attacks against badge systems.
Physical
Tailgating, badge cloning, lock bypass, planted implants and rogue devices.
Supply chain
Compromise of trusted third parties, malicious package vectors, vendor accounts.
Rules of engagement
- Black-box, goal-driven scoping defined with you up front
- No internal knowledge provided to the testing team
- No source IPs whitelisted in detection tooling
- Defined out-of-scope assets and safety lanes
- Designated 'trusted agents' inside your org for emergency contact only
- Daily go/no-go check-ins with the lead tester (not your SOC)
- Optional 'purple team' phase after the engagement to walk through what worked
Highlights
- Black-box, goal-driven scoping
- OSINT-led attack planning
- Multi-vector attack chains (network, web, social, physical)
- Stealth, evasion, and persistence techniques
- Custom-built tooling and exploits where needed
- Detection and response measurement
- Full kill-chain timeline in deliverable
Pairs well with
Vector-specific testing that feeds a BBPen.
PSA
Perimeter Security Assessment & Penetration Testing
Find the weaknesses in your perimeter before hackers do.
WASA
Web Application Security Assessment
OWASP-aligned testing of the apps your business runs on.
SocEng
Social Engineering
Test employee awareness of cyber-security threats.
PhySA
Physical Security Assessment
Locks, badges, cameras, and the humans guarding them.
BVEA
Blind Visibility and Exposure Analysis
See what attackers see — without giving them anything.
CASA
Critical Asset Security Assessment
Test the systems that, if breached, would hurt the most.