01 The Practice
Four disciplines. One eye.
Every engagement begins with a question: what's the worst plausible day for this organization, and how close to it can we get without crossing the line? Below — the four ways we answer it, plus the advisory work that surrounds them.
Physical penetration.
Doors, badges, cameras, racks, dumpsters, and the receptionist who waves people through. The attack surface that ID-based security models pretend isn't there.
Physical engagements are short — typically two to five operating days — and deliberately quiet. We document every step, photograph every reached asset, and produce a chain-of-custody log for anything we acquired (badge clones, retrieved hardware, recovered documents). At the end of the engagement we return everything, on camera if you want.
Typical objectives: reach an unmonitored network drop, photograph an open server cabinet, exfil a labeled hard drive, deposit a benign drop device on an executive's desk, or simply tailgate from lobby to controlled space and back out — undocumented.
Badge cloning & bypass
Proxmark / Flipper-class capture against HID, iCLASS, MIFARE, DESFire. Cloning success rate documented per credential class.
Lock & door bypass
Latch shimming, REX exploitation, under-door tools, mechanical pick, electric strike defeats. Photographed in situ.
Tailgate & pretext entry
Costume engagements with documented pretexts — vendor, courier, technician. Time-to-discovery measured.
Site report & remediation
Photographed timeline, prioritized control recommendations, and a board-ready summary. Optional re-test after 90 days.
Network penetration.
The path of least resistance from the public Internet to the data that matters — and the path of least resistance from a compromised endpoint to the same place.
Network engagements are scoped along the kill chain, not the asset list. External-only, assumed-breach, full-pivot, and red-team scopes are all available; the methodology adapts but the deliverable does not. Every finding is reproducible, every reproduction step is in the appendix, and every recommendation is sequenced by exploitability and blast radius — not by chapter order.
Frameworks & mappings: MITRE ATT&CK Enterprise & Cloud, NIST SP 800-115, PTES, OWASP ASVS. Findings are tagged by ATT&CK technique so your detection engineering team can build telemetry against what we actually used.
External attack surface
Internet-facing recon, OSINT, exposed credentials, edge service exploitation. Includes subsidiary and shadow-IT discovery.
Internal & pivot
Assumed-breach starting position. Active Directory and Entra ID abuse paths, Kerberos tradecraft, BloodHound graph analysis, segmentation reality-check.
Cloud posture
AWS, Azure, GCP. IAM mis-trust, exposed storage, runtime escalation, cross-tenant pivot, OIDC abuse. Output paired with CSPM remediation guidance.
Application & API
Web app and API surface against OWASP ASVS. Authorization-layer focus — IDOR, broken object property level authorization, JWT and session crimes.
Wireless penetration.
The threat surface that walks past your firewall — and the one that flies, in pockets and parking lots, across every site visit.
Wireless engagements characterize the RF environment, hunt rogue and shadow access points, exercise the credentials behind 802.1X, and audit the auxiliary radios most security programs forget: Bluetooth headsets in conference rooms, BLE asset tags, NFC readers at side entrances, and the IoT and OT radios on the manufacturing floor.
Hardware: calibrated for legal RF capture in the engagement's regulatory domain. Software-defined radio, professional Wi-Fi adapters, BLE sniffers, Proxmark and Flipper for short-range work. We bring our own; you don't ship anything.
802.11 environment
Coverage survey, encryption baseline, PMKID/handshake capture, EAP downgrade tradecraft, 802.1X bypass, captive portal abuse.
Rogue & shadow AP
Karma-class attack simulation, evil-twin presence, employee personal hotspot mapping, vendor AP discovery on guest VLANs.
Bluetooth & BLE
Headset/conference audio surface, BLE asset and beacon characterization, pairing-mode vulnerabilities, BlueBorne-class checks.
OT / IoT radio
900 MHz, Zigbee, Z-Wave, LoRaWAN, proprietary ISM. Especially relevant in manufacturing and energy environments. Engagement scoped to be non-disruptive.
Fractional advisory.
When the testing is done, somebody has to make the decisions. We sit in that chair on retainer.
Ocutari's fractional CISO practice supports growth-stage and mid-market organizations that need a senior security voice but don't yet need (or want) a full-time executive. Typical engagements are 10–25 hours per month on retainer, with on-call coverage for incidents and board cycles.
What we own: the security program roadmap, the board narrative, the vendor and MSSP relationship, the incident command for material events, and the bridge between your engineering reality and your insurance, audit, and regulator narratives.
Engagements are accepted quarterly. Talk to us before the window closes.
Social engineering.
The human attack surface, measured. Not awareness theater — operationally realistic campaigns that produce numbers your CISO can put in front of a board.
Social engineering engagements are deliberately uncomfortable. We design pretexts that work against your specific organization, against your specific people, using the same OSINT and the same emotional levers a real adversary would. We brief your security operations team in advance so detections are exercised, and we exfiltrate nothing — proof of access is the artifact, not the data.
Ethics, in writing: no personal-account targeting, no targeting outside of normal business hours where contractually excluded, full debrief to participants when the engagement closes. We are testing the program, not the person.
Phishing waves
Detection-aware tradecraft. Custom domains, infrastructure that mimics current threat-actor TTPs, A/B variant testing. Click-rate, credential-rate, and report-rate measured.
Vishing & AiTM
Voice pretexts against named targets. Adversary-in-the-Middle phishing simulation against MFA-protected workflows. Especially important post-MFA-everywhere.
BEC simulation
Business Email Compromise tradecraft: vendor impersonation, wire-fraud lures, payroll redirect, MFA fatigue. Findings paired with the Ocutari BEC Readiness Assessment.
Executive simulation
Targeted engagement against C-suite and board-adjacent staff. Includes deepfake / synthetic-voice scenarios on request. Briefed at executive-protection level only.