Every Sentinel Point Systems engagement is scoped to your environment, your threat model, and your compliance obligations. We do not deliver a templated checklist of services pulled from a shelf.
Below is the full set of services we deliver. Most engagements combine two or more, sequenced to surface the highest-impact findings first. If you are not sure which combination fits your situation, schedule a scoping call and we will help you decide. We will tell you honestly when a service does not apply.
Identify what an internet-facing threat actor would discover and exploit against your perimeter.
An external penetration test simulates the perspective of a remote threat actor with no prior access. We assess everything an opportunistic or targeted threat actor could see and reach from the public internet, then attempt to gain initial access.
Executive summary with risk narrative, full technical findings with CVSS scoring and reproduction steps, and prioritized remediation guidance. Post-assessment debrief call and retest of remediated findings included.
Any organization with internet-facing infrastructure. Required by PCI-DSS (Requirement 11.3.1), expected by SOC 2 and ISO 27001 auditors, and a baseline for cyber insurance.
Assumed-breach assessment. What can a threat actor do once they have a foothold inside your network?
An internal penetration test simulates a compromised endpoint, malicious insider, or post-phishing scenario. We start with low-privilege access and demonstrate the realistic paths to domain takeover, sensitive data, and business-critical systems.
Attack chain diagrams showing realistic paths from initial foothold to high-value targets, prioritized findings with remediation guidance, and executive narrative connecting technical detail to business risk.
Any organization running Active Directory or a corporate network. Especially valuable for organizations preparing for compliance audits, validating EDR investments, or building an internal detection program.
OWASP-aligned assessment of your custom applications, with a depth that scanners cannot reach.
Web application testing focuses on the layers a network pentest cannot reach: business logic, authentication flows, authorization decisions, and application-specific vulnerabilities. Our work follows the OWASP Testing Guide and ASVS, applied with the depth real-world threat actors bring.
Findings with full reproduction steps, screenshots, request and response captures, CVSS scoring, and clear remediation guidance for engineering teams. Retest of remediated findings included.
Any organization that builds, customizes, or operates custom web applications, especially those processing sensitive data or supporting customer transactions.
REST, GraphQL, and gRPC. Where most modern attacks now actually happen.
Modern applications expose far more API surface than UI surface. Most automated scanners are blind to API-specific vulnerabilities. Our assessments cover the full OWASP API Security Top 10 and the API-specific attack patterns that scanners miss.
API-focused findings with reproduction steps via curl or Postman collections, plus architectural recommendations where applicable.
Any organization with public, partner, or internal-facing APIs supporting mobile apps, single-page apps, partner integrations, or service-to-service communication.
AWS, Azure, and GCP. Where identity is the new perimeter.
Cloud environments shift the attack surface from network to identity and configuration. Our cloud assessments identify the misconfigurations, privilege paths, and identity-based attack chains a threat actor would actually exploit, not just the noise from a CSPM tool.
Attack path narratives showing realistic privilege escalation through your cloud environment, prioritized remediation guidance, and IaC snippets where applicable.
Any organization operating workloads on AWS, Azure, GCP, or running Kubernetes. Especially valuable post-migration, pre-audit, or when adopting new cloud services.
Objective-driven, MITRE ATT&CK-aligned engagements emulating real threat actors.
An adversary simulation engagement is goal-oriented and stealth-focused. Rather than enumerating vulnerabilities, we model a specific threat group relevant to your industry and execute their tradecraft end-to-end. The outcome shows whether your detection, response, and defensive controls would actually catch a real attack.
Adversary emulation narrative aligned to MITRE ATT&CK, detection coverage gaps, recommended detections and playbook improvements, and a post-engagement debrief with your SOC and IR teams.
Mature security programs ready to validate detection and response, organizations preparing for high-stakes audits, or teams that want a realistic test of how a real attack would play out.
Schedule a scoping call and we will help you figure it out. No upsell, no pressure. If you do not need a service, we will tell you.