Penetration testing and security advisory with a signed Letter of Authorization, recognised methodology and reports built for boards. From web applications to critical infrastructure.
Every engagement starts with a Letter of Authorization signed by the legal representative, defining IPs, domains and time window. No activity outside the agreed scope.
We combine internationally recognised standards with manual verification. Automation finds the noise; human analysis finds what really matters.
Enumeration of exposed surfaces, services and technologies. We precisely define what is actually attackable.
Testing conducted per OWASP Top 10, PTES and NIST SP 800-115: systematic, repeatable and documented coverage.
Vulnerabilities are not just reported: where authorised, real impact is demonstrated without harming the systems.
Technical report with evidence and remediation for operators, a clear executive summary for decision-makers.
Definition of scope, objectives and timeline with the company contact.
Signature of the legal representative: authorised IPs, domains and period, put in writing.
Assessment within the agreed perimeter. No out-of-scope activity, continuous communication.
Delivery of technical report and executive summary within the agreed deadlines.
Presentation to decision-makers and a prioritised remediation roadmap.
We are integrating next-generation models able to reason about source code, finding classes of vulnerabilities that traditional pattern-based scanners miss.
Studio Cociu is in the accreditation process for advanced-access programs in the Anthropic ecosystem, whose presentations it followed closely at Google Cloud Next 2026.
Research published by Anthropic has shown models able to find vulnerabilities that had remained latent for over twenty years in mature software. We bring this approach to professional assessment.
Request early access

Answers to the questions we are asked most often before an engagement.
It is the document, signed by the organisation's legal representative, that formally authorises the testing activities, specifying IP addresses, domains and time window. Without a LoA we start no activity: it is what makes the penetration test legal and traceable.
OWASP Top 10 for web applications, PTES (Penetration Testing Execution Standard) for the overall process and NIST SP 800-115 as a technical reference. Coverage is systematic, repeatable and documented.
Always and exclusively. Every activity takes place within the perimeter defined by the LoA. No test is ever conducted on third-party systems or outside the agreed scope.
A technical report with evidence and prioritised remediation guidance, and an executive summary readable by the board. For larger engagements a direct presentation to decision-makers is included.
It depends on scope: a Web Application Assessment takes 5–7 days, an Infrastructure Assessment 10–15 days, a Full Red Team 3–6 weeks. The precise timeline is agreed in the initial phase.
The service is exposed via frontier agentic-commerce protocols: an AI agent can discover the catalogue and initiate the engagement autonomously. Every engagement still starts with a scoping retainer and a signed Letter of Authorization.
Universal Commerce Protocol for Gemini and AI Mode: /.well-known/ucp
Agentic Commerce Protocol for ChatGPT and Operator, via Stripe: /.well-known/acp
Native HTTP 402 payments for agents: /.well-known/x402
€500 scoping retainer to start the assessment. Balance after the signed Letter of Authorization and agreed scope. Humans: payment via SumUp. AI agents: payment via Stripe (ACP).
Describe your scope and you will get a reply within 24 hours with the proposal and the Letter of Authorization template.