Operator-led, end to end.
Six phases. One owner.
Every AxVeil engagement runs through the same six-phase methodology — discovery to retest — owned by a single named operator. No hand-offs to a junior. No black-box deliverable that no one on our side can defend in a debrief.
One continuous flow. One operator. Six gates.
Every engagement moves left to right through the same six phases. Each node carries its own exit gate — nothing advances until the previous gate is signed off.
- 01 Scope · Discovery & Scoping · Deliverable: written test plan · Gate: SOW signed
- 02 Recon · Reconnaissance · Deliverable: attack-surface map · Gate: scope delta agreed
- 03 Assess · Vulnerability Assessment · Deliverable: triaged inventory · Gate: same-day Critical alert
- 04 Exploit · Manual Exploitation · Deliverable: reproducible PoCs · Gate: attack-chain proven
- 05 Report · Reporting · Deliverable: exec + technical pack · Gate: live debrief
- 06 Retest · Retest · Deliverable: closure proof · Gate: within 30 days
Scope → Recon → Assess → Exploit → Report → Retest · retest ships within 30 days, included.
Methodology is the floor, not the ceiling.
Every reputable testing programme — CREST CHECK, the PTES, NIST SP 800-115, OWASP's testing guides — converges on roughly the same shape: scope it, look at it, scan it, exploit it, write it up, verify the fix. The interesting question is not whether you follow the shape. The interesting question is who runs each phase, what they reach for, and what they ship.
AxVeil's answer: a single named operator owns all six phases for any given engagement. The same person who writes your scope is the person who runs the manual exploitation, writes the report, and runs the retest. That continuity is the difference between a deliverable that sounds coherent because someone proofread it and a deliverable that is coherent because one mind built it end-to-end.
The phases below are not a sales artefact. They are the actual workflow our operators run, with the actual tools they reach for and the actual deliverables that ship at each gate.
Discovery → Recon → VA → Manual Exploitation → Reporting → Retest.
Each phase has a defined entry gate, a defined exit gate, and a defined deliverable. Nothing moves forward until the previous phase is signed off — most often by the client's technical lead during a short checkpoint call.
Discovery & Scoping
We start where most engagements skip — a structured scoping conversation that turns vague intent into a written test plan with explicit assets, exclusions, and success criteria.
What we do
- Asset inventory walkthrough (web apps, APIs, mobile, infrastructure, cloud accounts, AD forests).
- Threat-model triage — which adversary classes matter for this business, what data they would target.
- Rules of engagement: testing windows, denial-of-service tolerances, escalation paths, evidence handling.
- Compliance overlay — SOC 2, ISO 27001, PCI DSS, DPDP, RBI, SEBI CSCRF mapping where applicable.
Tooling
- Threat-modelling worksheets
- STRIDE / LINDDUN reference
- Internal scoping checklist (CSV)
Deliverables
- Signed Statement of Work with itemised scope
- Mutual NDA (if not already in place)
- Test plan document with phase-by-phase milestones
Reconnaissance
Passive and active surface mapping. We validate the supplied scope against what is actually reachable — and frequently expand the inventory before any exploitation begins.
What we do
- Subdomain enumeration, certificate transparency mining, ASN and IP-range expansion.
- Service fingerprinting, technology stack identification, version disclosure mapping.
- OSINT on staff, leaked credentials, public code repositories, and document metadata.
- Cloud asset enumeration (S3, blob storage, container registries) where in scope.
Tooling
- Amass
- Subfinder
- Nmap
- httpx
- Shodan
- GitHub Dorks
- ScoutSuite
- CloudFox
Deliverables
- Recon report with discovered vs. supplied scope delta
- Asset attack-surface map
- OSINT findings memo (credentials, exposed code, leaked secrets)
Vulnerability Assessment
Automated coverage. Authenticated and unauthenticated scanning across the validated surface, then aggressive triage to remove the false-positive noise scanners always produce.
What we do
- Network and host scanning (Nessus, Nmap NSE) across the validated infrastructure scope.
- Web and API scanning with Burp Suite Pro, Nuclei templates, and ZAP for cross-validation.
- Static analysis (Semgrep, SonarQube, Fortify) when source code is in scope.
- Mobile static and dynamic baseline checks via MobSF for iOS / Android binaries.
- Dedupe, false-positive triage, severity normalisation against CVSS v3.1.
Tooling
- Nessus
- Nuclei
- Burp Suite Pro
- Nmap
- MobSF
- Semgrep
- SonarQube
- Fortify
- ScoutSuite
Deliverables
- Triaged vulnerability inventory with confidence ratings
- Scanner output archive (raw + normalised)
- Initial Critical / High alert list issued same-day
Manual Exploitation
The phase scanners cannot reach. Authenticated business-logic abuse, chained attacks, privilege escalation, and adversary emulation against the live target.
What we do
- Authentication and authorisation bypass — IDOR, SSRF, race conditions, session-handling flaws.
- Server-side injection chains (SQLi, command, template, deserialisation) with reproducible PoC.
- Active Directory attack-path mapping — Kerberoasting, AS-REP roasting, ACL abuse, delegation chains.
- Cloud privilege-escalation enumeration across IAM, KMS, and metadata services.
- Mobile runtime tampering (Frida, Objection) for jailbreak detection, certificate pinning, secure storage.
- MITRE ATT&CK technique coverage for adversary-emulation engagements (Enterprise + Cloud matrices).
Tooling
- Burp Suite Pro
- BloodHound
- Mimikatz
- Impacket
- Metasploit
- Frida
- Pacu
- CloudFox
- Custom Python tooling
Deliverables
- Per-finding reproducible PoC (commands, scripts, screenshots)
- Attack-chain narrative — how findings combine into business impact
- Live demonstration of Critical findings on request
Reporting
Two reports, one debrief. The executive summary fits on one page; the technical report ships every reproducible step your engineers need to fix and validate.
What we do
- Executive summary draft — risk verdict, top three findings, business-language remediation priorities.
- Technical report build — per-finding cards with CVSS v3.1 vector, CWE, OWASP mapping, evidence, remediation.
- Compliance crosswalk — mapping findings to SOC 2 / ISO 27001 / PCI DSS / DPDP control IDs.
- Live engineer debrief (60–90 min) — walk through findings, answer the 'why this matters' question in person.
Tooling
- Internal report generator
- Markdown + LaTeX pipeline
- PDF / JSON / CSV export
Deliverables
- Executive summary (1 page, board-ready)
- Technical findings report (PDF + JSON + CSV)
- Compliance crosswalk table
- Recorded debrief session (on request)
Retest
Same operator. Same scope. Within 30 days of remediation. Closure rates documented — not assumed. The retest report ships alongside the original deliverable.
What we do
- Per-finding re-validation against the documented remediation steps.
- Regression check on adjacent surface that may have been touched during the fix.
- Updated CVSS scoring where partial fixes change exposure.
- Closure summary — what was fixed, what remains open, and the recommended next step for each.
Tooling
- Original test plan
- Per-finding PoC scripts
- Regression scanner runs
Deliverables
- Retest report — closure status per finding
- Updated executive summary reflecting post-remediation posture
- Audit-ready evidence pack (closure proofs)
Established standards, not invented vocabulary.
We do not invent risk scoring, methodology phases, or coverage taxonomies. The industry has spent two decades building these — adopting them keeps deliverables comparable across vendors, auditors, and internal security teams.
Below: every framework that influences how we scope, test, and report. Each link points to the canonical source — not a paraphrased internal page.
CREST CHECK
Methodology and operator-skills baseline for technical security testing engagements.
OWASP ASVS / MASVS / API Top 10
Application security verification, mobile equivalents, and API-specific risk taxonomy.
NIST SP 800-115
Technical guide to information security testing and assessment — programme structure baseline.
PTES
Penetration Testing Execution Standard — phase ordering and scoping discipline.
MITRE ATT&CK
Adversary tactics and techniques matrix — coverage map for red-team and purple-team work.
TIBER-EU
Threat-intelligence-based ethical red-teaming framework for financial-sector engagements.
OSSTMM
Open Source Security Testing Methodology Manual — operational-security metrics and the rav scoring model for measuring attack-surface controls.
CIS Benchmarks
Hardening baselines for OS, database, container, and cloud configuration audits.
The toolbelt — commercial, open-source, and a fair amount of custom.
Tools are means, not ends. The list below is the standard kit our operators reach for; specific engagements may add bespoke instrumentation (e.g. a custom Frida hook for a thick-client app, or a Nuclei template authored for a one-off pre-auth path). We hold a current Burp Suite Professional licence and Nessus Professional licence per active operator.
Web & API
- Burp Suite Pro
- Nuclei
- ZAP
- ffuf
- sqlmap
Network & Host
- Nessus
- Nmap
- Metasploit
- CrackMapExec
Active Directory
- BloodHound
- Mimikatz
- Impacket
- Rubeus
Mobile
- MobSF
- Frida
- Objection
- apktool
Cloud
- ScoutSuite
- CloudFox
- Pacu
- Prowler
Code Review
- Fortify
- SonarQube
- Semgrep
Two reports, one debrief, one crosswalk.
Most pentest reports are written to be filed, not used. Ours are written to be acted on — by an engineer in the morning and a board member in the afternoon. The report pack ships in four pieces:
- One-page executive summary. Risk verdict, top three findings, remediation priorities. Written so a non-technical board member can read it in a single sitting.
- Technical findings report. Per-finding entries with title, CVSS v3.1 base score and vector string, CWE reference, OWASP / API Top 10 category, affected endpoint, request / response evidence, attack-chain narrative, and remediation steps mapped to your stack.
- Compliance crosswalk. Findings mapped to SOC 2 (CC6 / CC7), ISO 27001 Annex A, PCI DSS v4.0, and DPDP Act 2023 control IDs. Suitable for direct hand-off to your auditor.
- Retest report. Closure status per finding once remediation is complete. Ships within 30 days of the original delivery, included in scope.
Format options: PDF (default, signed), JSON (for ingestion into your vulnerability-management platform), and CSV (for spreadsheet triage). All three are produced from the same source — there is no version skew between them.
The technical report is structured to be reproducible. Anyone reading it should be able to re-run the exact PoC the operator captured — request URL, headers, body, expected response, screenshot. If the PoC requires a script, the script ships with the report under the engagement's NDA.
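The per-finding fields listed above (CVSS v3.1 vector and base score, CWE, OWASP category, crosswalk control IDs), the "no version skew" promise for the JSON and CSV exports, and the Phase 06 closure status with re-scoring after a partial fix can all be checked mechanically. The following is an added example, not AxVeil's report generator: it recomputes each finding's v3.1 base score from its vector so a hand-edited score cannot disagree with the vector it sits next to, emits JSON and CSV from one in-memory list, and re-scores a finding at retest. The finding data and the SOC 2 / ISO 27001 control mapping are constructed placeholders, not taken from any engagement.

```python
import csv, io, json, math

# CVSS v3.1 base-metric weights, as published in the specification (PR weight depends on Scope).
W = {"AV": {"N": .85, "A": .62, "L": .55, "P": .2}, "AC": {"L": .77, "H": .44},
     "UI": {"N": .85, "R": .62}, "CIA": {"H": .56, "L": .22, "N": 0.0}}
PR = {"U": {"N": .85, "L": .62, "H": .27}, "C": {"N": .85, "L": .68, "H": .5}}

def roundup(x):
    """CVSS v3.1 Appendix A 'Roundup': one decimal place, integer arithmetic to avoid float drift."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def base_score(vector):
    """Base score from a vector string such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H."""
    if not vector.startswith("CVSS:3.1/"): raise ValueError("not a CVSS v3.1 vector: " + vector)
    m = dict(p.split(":") for p in vector.split("/")[1:])
    iss = 1 - (1 - W["CIA"][m["C"]]) * (1 - W["CIA"][m["I"]]) * (1 - W["CIA"][m["A"]])
    impact = 6.42 * iss if m["S"] == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * PR[m["S"]][m["PR"]] * W["UI"][m["UI"]]
    if impact <= 0: return 0.0
    return roundup(min(impact + expl if m["S"] == "U" else 1.08 * (impact + expl), 10))

# Constructed sample findings (not from any real engagement); F-02's stated score is deliberately stale.
FINDINGS = [
    {"id": "F-01", "title": "IDOR on invoice lookup", "cwe": "CWE-639", "owasp": "API1:2023",
     "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "score": 6.5},
    {"id": "F-02", "title": "Pre-auth SQL injection", "cwe": "CWE-89", "owasp": "A03:2021",
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "score": 9.1},
]
# Hypothetical crosswalk keyed by CWE; the real control mapping is agreed with the client's auditor.
CROSSWALK = {"CWE-639": {"SOC2": "CC6.1", "ISO27001": "A.5.15"},
             "CWE-89": {"SOC2": "CC6.1", "ISO27001": "A.8.28"}}

def score_mismatches(findings):
    """Ids whose stated score disagrees with their own vector (catches hand-edited skew)."""
    return [f["id"] for f in findings if base_score(f["vector"]) != f["score"]]
def export_pack(findings, crosswalk):
    """Emit JSON and CSV from one in-memory list, so the two formats cannot drift apart."""
    rows = [{**f, "score": base_score(f["vector"]), **crosswalk.get(f["cwe"], {})} for f in findings]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return json.dumps(rows, indent=2), out.getvalue()

def retest(finding, post_fix_vector):
    """Closure status: closed if no longer reproducible, partial if re-scored exposure dropped, else open."""
    if post_fix_vector is None: return {"id": finding["id"], "status": "closed", "score": 0.0}
    new = base_score(post_fix_vector)
    return {"id": finding["id"], "status": "partial" if new < finding["score"] else "open", "score": new}
```

Run `score_mismatches(FINDINGS)` before export: F-02's vector scores 9.8, not the 9.1 typed next to it, which is exactly the skew a single-source pipeline is meant to prevent.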
How long does it take, end to end?
Calendar timing per tier — already costed on the pricing page. The breakdown below shows how the six phases distribute across the agreed window. Retest sits outside the active engagement window because remediation is on your side — most clients ship the fix within two weeks and we run the retest immediately after.
Starter VAPT
Scoping → 1 day · Recon + VA → 1–2 days · Manual exploitation → 2 days · Reporting → 1 day · Retest within 30 days.
Professional VAPT
Scoping → 2 days · Recon → 2 days · VA → 3 days · Manual exploitation → 5–7 days · Reporting → 2 days · Retest within 30 days.
Enterprise / Red Team
Wave-based execution. Scoping → 1 week · Recon → 1 week · VA + manual → 2–6 weeks per wave · Reporting + debrief per wave · Retest cadence agreed with SOC liaison.
Methodology deep dives and the report it produces.
Threat Modeling
STRIDE, PASTA, LINDDUN, attack trees, and a MITRE ATT&CK overlay — the design-time methodology that feeds Phase 01 scoping.
Read the deep dive →
Sample Report
What Phase 05 actually ships — exec summary, per-finding cards, CVSS vectors, and the compliance crosswalk.
See the format →
Our Security Posture
How we protect the data your engagement exposes — NDA, encryption, least-privilege access, and evidence destruction.
How we handle your data →
Methodology questions, answered.
How does AxVeil's methodology differ from a Nessus-style scan?
Scanning is one phase of six. Nessus, Nuclei, and Burp's automated scanner cover the breadth — manual exploitation covers the depth that matters: chained business-logic flaws, authentication bypasses, IDOR, privilege escalation, and adversary emulation against your specific stack. Every finding ships with a reproducible PoC built and validated by a human operator.
Which compliance frameworks does the report support?
Each finding is mapped to OWASP Top 10 / ASVS / API Top 10 categories, the relevant CWE, and a CVSS v3.1 vector. The compliance crosswalk maps findings to SOC 2 (CC6, CC7), ISO 27001 Annex A controls, PCI DSS v4.0 requirements, and DPDP Act 2023 obligations. RBI, SEBI CSCRF, and CERT-In mappings ship for regulated-sector engagements on request.
Is the retest really included or is it a paid add-on?
Included. Every engagement ships with one retest within 30 days of the original delivery, run by the same operator who tested initially. Closure status is recorded per finding. If remediation extends past 30 days, retests can be scheduled at the operator's day rate — but most clients ship inside the window.
Do you test in production or only staging?
Both, agreed in scoping. Most engagements run against staging environments that mirror production data shape, with a controlled production validation pass for findings whose impact depends on production-only data (e.g. live billing, real authentication providers). Rules of engagement for production testing are written into the SOW.
How are zero-day discoveries handled?
Coordinated disclosure. If the engagement surfaces a previously unreported vulnerability in third-party software, we write to the vendor under the timelines published on our /disclosure page. The client is briefed first; the vendor is briefed second; public disclosure follows the agreed embargo. CVE coordination is handled via MITRE.
Want this methodology applied to your stack?
Book a 30-minute scoping call. We'll come back with a written test plan, fixed price, and timeline within one business day.