Offensive Security — Recurring Service · NEW

PTaaS — Penetration Testing as a Service

Stop testing once a year. Test every time something changes. Continuous OSCP-led coverage, a live findings portal, on-demand re-tests, and an included annual deep-dive — bundled into one monthly subscription.

AED 6,000 – 14,000 / month · OSCP · CPTS · CEH · 12-month minimum · cancel anytime after
Book a 20-min scoping call →

What it is

An annual penetration test produces a snapshot. The day after the report is delivered, your codebase changes, your infrastructure drifts, and the snapshot starts going stale. Twelve months later you find out what's broken — usually right before a customer audit, or after a breach.

PTaaS is a continuous, OSCP-led testing programme with a live findings portal, on-demand re-tests when you push fixes, and a deep-dive annual engagement that satisfies your compliance pen-test obligation. You pay one monthly fee; we keep your offensive-security posture current.

Same operators who deliver our one-off engagements. Same depth. Just continuous, with a portal between you and us instead of a PDF every twelve months.

What this is not

Not a vulnerability scanner subscription. Scans are part of the toolkit; the work and the findings are human.
Not 24/7 SOC monitoring or incident response. We test attackers' paths; we don't watch your alerts. SOC / IR is a separate offering on the 2027 roadmap.
Not unlimited testing. Each tier has a defined hours envelope per month; out-of-scope work is quoted separately.
Not red-team / adversary emulation. Full-scope adversary simulation (physical, social, multi-week campaigns) is a separate engagement on the 2028 roadmap.

Who this is for

You're probably here because one of these is true:

1. You're a SaaS or product team that ships code weekly or daily and can't wait 12 months between pen tests.
2. You're under continuous compliance pressure (ISO 27001, ADHICS, PCI DSS) — this satisfies the annual pen-test requirement plus continuous control validation.
3. You're a mid-market firm without an internal red team — you want offensive coverage without the headcount.
4. You've been burned by a scan-and-PDF "VAPT" vendor and want live, named-practitioner testing with evidence trails.
5. An enterprise client or bank requires periodic pen-test attestation as a continuing onboarding condition.

What you get every month

  • OSCP / CPTS-led active testing — hours envelope sized to your tier (8 / 16 / 28 hours per month).
  • Continuous reconnaissance — daily passive monitoring of your in-scope external surface (new subdomains, exposed services, certificate changes, leaked credentials).
  • Live findings portal — every finding with PoC, screenshots, severity, remediation guidance, and history. New findings are visible the day they're discovered.
  • On-demand re-tests within 5 business days of remediation; unlimited free re-tests for critical/high findings within 14 days.
  • Slack / Teams channel direct to the operator — same-day weekday response on critical findings.
  • Monthly testing dashboard — what was tested, what was found, what was fixed.
  • Annual deep-dive engagement (Standard & Pro) — full-scope manual penetration test against your primary asset, with executive readout. Same depth as our standalone Professional tier.
  • Compliance attestation letter — signed letter mapping our testing to ISO 27001 Annex A 8.8, UAE IA V2 T3.6.1, ADHICS v2, PCI DSS 11.3, and SOC 2 CC7.1.

How we deliver

01. Onboarding & perimeter mapping (Week 1)
Asset inventory, rules of engagement signed, escalation contacts, blackout windows, portal account provisioned, Slack/Teams channel opened.

02. Baseline test cycle (Weeks 2 – 4)
First active test cycle covering your primary asset. Establishes the baseline finding inventory in the portal.

03. Continuous monitoring + active cycles (Recurring)
Daily passive recon. Active test cycles per tier (quarterly on Lite, monthly on Standard, fortnightly on Pro). On-demand re-tests when you push fixes.

04. Critical-finding response (Same-day on weekdays)
PoC + remediation guidance for critical/high findings the day they're discovered. Slack/Teams coordination until the fix is verified.

05. Annual deep-dive, Standard & Pro (Months 11 – 12)
Full-scope manual pen test, executive readout, signed attestation letter for your auditor. Same depth as our standalone Professional engagement.

06. Quarterly scope review (Every 90 days)
Review asset list, add new launches, retire decommissioned systems, refresh attestation letter.

Cycle: 12-month rolling, renewing automatically unless cancelled with 30 days' notice. SLAs in writing.

Pricing — three tiers

Lite

AED 6,000/month

Single primary asset (one web app OR external network up to 30 IPs). Up to 8 hours/month testing. Quarterly active test cycles.

Pro

AED 14,000/month

Full scope: web + network + AD + cloud config + mobile (if applicable). Up to 28 hours/month. Fortnightly cycles + executive board readout.

What drives the tier choice

  • Number and type of in-scope assets (web, network, API, AD, cloud, mobile)
  • External IP range size
  • Release cadence (more deploys = more re-test workload)
  • Compliance obligation (annual deep-dive required = Standard or Pro)
  • Sector regulation (regulated sectors typically land on Pro)

Commercial terms

  • Billing: Monthly in advance
  • Minimum term: 12 months
  • After minimum: Cancel anytime with 30 days' notice
  • Tier upgrade: Pro-rated, takes effect next billing cycle
  • Quote validity: 30 days
  • Hours over envelope: Quoted separately, never auto-billed

Your cert-backed team

Same named operator across every cycle — continuity, not lottery.

Lead Operator

Nelson Durairaj

OSCP · eJPT · CEH · BlackHat Linux · HTB Omniscient

Focus: Continuous reconnaissance, active web/API/network testing, on-demand re-tests, finding triage on Slack/Teams.

Supervising Practitioner

Manoj Prabhakaran

CPTS · CDSA · Security+ · Azure Cloud Security · ISO 27001 Lead Auditor

Focus: Annual deep-dive oversight, attestation letter sign-off, audit-evidence alignment, complex AD/cloud engagements.


Frequently asked questions

How is this different from a one-off pen test?

A one-off annual pen test gives you a snapshot. PTaaS gives you continuous coverage — when you push code or change infrastructure, we re-test the affected attack surface within days, not 12 months later. Findings appear in a live portal as we discover them, not in a PDF six weeks after fieldwork.

Who runs the tests?

Same OSCP / CPTS practitioners who deliver our one-off engagements — Nelson Durairaj leads. No anonymous offshore juniors, no scan-and-PDF outsourcing. Every test action is logged with the operator's name.

How do you scope which assets to test?

At onboarding we define your perimeter: web apps, external network ranges, APIs, optional internal/AD, optional cloud config. Asset list is updated quarterly (or on-demand for major launches). Out-of-scope assets are never touched.

What if we find a critical issue between engagements?

Critical findings get a same-day PoC + remediation guidance via the portal. We coordinate with your team on Slack/Teams until the fix is verified. No waiting for the next 'engagement window'.

Can we cancel?

After the 12-month minimum, you can cancel with 30 days' notice. Before then, only with cause (e.g., we fail to deliver against the SLA).

Is this a replacement for compliance pen tests?

Yes — the annual deep-dive included on Standard and Pro tiers satisfies ISO 27001 Annex A 8.8, UAE IA V2 T3.6.1, ADHICS v2, PCI DSS 11.3, and SOC 2 CC7.1. We provide a signed attestation letter for your auditor.

Do you use automated tools?

Yes — Nuclei, Nessus, Burp Suite Pro, Nmap, BloodHound, custom recon tooling. Tools handle coverage; manual testing handles depth. Tools never write the report or decide what to exploit next.

What about destructive testing?

Never on production without explicit per-finding approval. Default rules of engagement exclude DoS, destructive exploits, and data-modifying actions. Anything risky is staged on copies first.

Tired of one-shot pen tests that go stale in a month?

Book a 20-minute scoping call. We'll inventory your attack surface, recommend a tier, and give you a written quote within 48 hours.

Book a 20-min scoping call →