Methodology — CyberGrid

Family 01 · Automated

Automated Security Assessment

Scanner toolchain run against a customer-verified target. Detects a defined subset of issues: missing headers, TLS misconfigurations, known CVEs, exposed surfaces, info disclosure. Findings normalized to a common severity scale (CVSS v3.1 informed).

Toolchain — every report names what ran

nuclei v3.3

Template-based vulnerability scanning. Templates cover CVEs, misconfigurations, exposed paths, default credentials, OWASP-style checks. Rate-limited to 50 req/s by default.

httpx v1.6

HTTP probing and technology fingerprinting. Identifies server stack, framework, and surface that informs the rest of the toolchain.

testssl.sh v3.2

TLS configuration audit. Cipher suites, certificate chain, protocol versions, HSTS, known TLS vulnerabilities.

nmap v7.x

External TCP port discovery (top-1000) for the full profile. Identifies forgotten endpoints and shadow infrastructure.

subfinder + dnsx

Subdomain enumeration on the full profile to surface forgotten hosts before scanning them.

OWASP ZAP (passive)

Passive analysis on intercepted responses for additional header / cookie / info-disclosure signals.

Severity model (CVSS v3.1 informed)

Critical · 9.0–10.0

Direct remote exploitation possible with no auth. Pre-auth RCE, public secret disclosure of credentials.

High · 7.0–8.9

Significant exploitable issue, often auth-adjacent. Severe data exposure, known-exploit CVEs in stack.

Medium · 4.0–6.9

Defense-in-depth gap or moderate exposure. Missing security headers, weak TLS, info disclosure.

Low · 0.1–3.9

Minor hardening opportunity. Cosmetic or framework-default issue with limited real-world impact.

Informational

Observation with no direct security impact, worth noting for audit context (e.g., server version disclosure).

What automated tooling can and can't see

Vulnerability class	Family 01 (automated)	Family 02 (pen test)
Missing security headers (CSP, HSTS, X-Frame-Options)	✓	✓ (baseline)
TLS / cipher misconfiguration	✓	✓ (baseline)
Exposed admin panels, .env, .git	✓	✓ (baseline)
Known CVEs in stack / dependencies	✓	✓ (baseline)
IDOR / broken access control (OWASP A01)	—	✓
Business logic flaws (BUSL)	—	✓
Authentication bypass / MFA bypass / session attacks	—	✓
Chained exploits (low → critical via multi-step)	—	✓

Service 02 · Penetration Testing

Penetration Testing

A senior engineer manually probes the target, following documented public standards. The engagement is broken into the seven PTES phases, with OWASP WSTG test cases tracked per phase and findings mapped to OWASP ASVS controls + MITRE ATT&CK techniques + CVSS v3.1 scores.

PTES — Penetration Testing Execution Standard

01 · PRE

Pre-engagement

Scope, rules of engagement, authorization letter, NDA, success criteria.

02 · INT

Intelligence gathering

Surface enumeration, OSINT, technology fingerprinting, attack surface mapping.

03 · THM

Threat modeling

Trust boundaries, abuse cases, asset criticality, likely-attacker profile.

04 · VLA

Vulnerability analysis

Automated + manual identification of likely issues across the documented surface.

05 · EXP

Exploitation

Validating each likely issue with a working PoC; chaining where applicable.

06 · POE

Post-exploitation

Impact assessment — what could the attacker reach from here?

07 · REP

Reporting

Findings with PoCs, remediation, compliance mapping; retest follow-up.

Standards we map findings to

OWASP Web Security Testing Guide v4.2

~100 documented test cases organized in 12 categories — configuration, identity, authentication, authorization, session, input validation, error handling, cryptography, business logic, client-side, API.

CONFIDNTAUTHNAUTHZSESSINPVERRHCRYPBUSLCLNTAPIT

OWASP ASVS v4.0.3

Application Security Verification Standard. Each finding is mapped to specific ASVS controls (Level 1 / 2 / 3) so the report drops directly into your compliance evidence package.

V1 ArchitectureV2 AuthV3 SessionV4 AccessV5 ValidationV14 Config

MITRE ATT&CK

Exploitation paths mapped to the MITRE ATT&CK matrix so your detection & response team can replay the chain in their telemetry.

Initial AccessExecutionPersistencePriv EscLateral

CVSS v3.1

Every finding gets a CVSS base score and full vector (AV/AC/PR/UI/S/C/I/A). Auditors and risk teams can re-score against environmental modifiers themselves.

Critical 9.0+High 7.0–8.9Medium 4.0–6.9Low 0.1–3.9

Engine phases — what runs on every pen-test engagement

Engine version v4.0 (current). Every phase listed here runs by default; phases that need a specific input (auth credentials, schema, OpenAPI spec) skip gracefully with the reason recorded in the report's coverage matrix.

Phase 0 — OAuth2 token mint. Mints customer A / customer B / admin tokens at scan start so authenticated phases run end-to-end without re-mint overhead.
Phase 1 — Automated baseline. subfinder + httpx + testssl.sh + crt.sh + nuclei (full template set, ~3000 templates).
Phase 2 — Authenticated nuclei. Re-runs the nuclei pack with the customer Bearer token in every request header.
Phase 3 — ffuf parameter + directory fuzz. Common sensitive paths against the live host.
Phase 4c — IDOR replay. Customer A vs Customer B token replay across ~20 authenticated paths.
Phase 4e — Role separation. Customer-vs-admin token replay across ~20 admin-suggestive paths.
Phase 4f — GraphQL pen-test pack. Introspection, depth-bomb, alias batching, error-message leakage, Relay node enumeration.
Phase 4g — Django pack. Admin reachability, DEBUG state, DRF browsable, static-admin disclosure.
Phase 4i — Mass-assignment auto-probe. Tries PATCH/POST of is_admin / is_staff / role injection on /api/me-style endpoints.
Phase 4j — HTTP request smuggling (TE.CL desync).
Phase 4k — Cache poisoning. Canary-reflection probe against cache-keyed headers.
Phase 4n — SSRF probe with OAST callbacks. Out-of-band confirmation via thecybergrid.com/oast.
Phase 4o — OAuth2 token lifecycle. Refresh-token rotation, post-logout reuse, cross-user replay.
Phase 4p — Schema-driven mutation enumeration. Per-mutation cross-tenant authorization tests (requires GraphQL schema).
Phase 4q — Authenticated SSRF/XXE/file-upload probes. Extends 4n with Bearer auth.
Phase 4r — Stress-test wrapper. When GraphQL alias DoS is flagged, auto-fires 100 sequential queries and embeds p50/p95/p99 + RPS in the finding evidence.
Phase 4t — OpenAPI ingestion + per-endpoint authz probe. Enumerates every endpoint, probes each with customer + admin + no-auth tokens to find BFLA boundary violations.
Phase 4u — Custom GraphQL fuzz pack. Directive abuse (@skip / @include / @deprecated edge cases), fragment cycles, batch query side effects, subscription auth tests.
Phase 4v — Multi-host boundary testing. When 2+ target hosts + 2+ role tokens, cross-replays each token against each host to find audience-claim gaps.
Phase 4w — Shadow GraphQL endpoint probe. Probes /graphiql, /graphiql.php, /playground, /altair, /gql for forgotten Apollo Federation gateways leaking schema.
Phase 4x — Sequential-ID fuzz on numeric-arg operations. Catches the IDOR-via-sequential-id class — fuzz id=1..100 under customer token, flag when 5+ sequential IDs return user-data-shaped responses.
Phase 4y — Mutation-diff user enumeration. resetPassword / forgotPassword / sendInvite / requestMagicLink — diff valid vs invalid email responses.
Phase 5 — LLM business-logic agent. gpt-4o-mini proposes test cases per the customer's tech stack.
Phase 6 — Attack-chain narrative. LLM weaves highest-severity findings into the executive risk paragraph.
Phase 6b — Per-finding tester analysis. LLM writes a senior-engineer-voice analysis paragraph per non-info finding.
Phase 7 — Multi-step exploit chain detection. LLM looks for pairs/triples that combine into serious chains.
Phase 7b — Attack-path storyline. Prose narrative connecting findings into a coherent risk story (placed under exec summary).
Phase 8 — Customer-specific exec opener. LLM writes the customer-named opening paragraph of the exec summary.
Phase 9 — Screenshot capture. Puppeteer + headless Chromium captures each URL-located finding with Bearer auth applied.
Phase Q — Pre-publication verification gate. Four anti-fabrication controls applied to every finding: PoC re-fire, schema-name verification, infrastructure grounding, HTTP capture provenance stamping.

Remediation & retest

All three services include retest. Automated: unlimited re-scans included in the annual subscription. Pen test: every open finding is retested after your remediation and a separate signed Remediation Report is issued — its own dated artifact, its own letter grade (green A if all fixed), the single-document proof of remediation that procurement teams ask for. SOC 2 readiness: remediation support is included if the audit firm identifies findings during fieldwork (covered under the original engagement scope).

Documented methodology. Auditable from the report.