We break in before the attackers do.
— Manual first.
BurgSec is an atelier of penetration testers, red-teamers and adversary simulators. We work in months, not weeks — chaining findings into proofs that survive a boardroom and a runbook.
240+
Engagements shipped
14/17
Critical chains landed last year
~96h
Median time-to-domain-admin
Six disciplines, one standard of craft.
Every engagement is manual, methodology-driven, and shaped to your attack surface. No automated scan reports disguised as pentests — only proofs we'd be proud to walk a board through.
A four-act play, rehearsed for a decade.
Our methodology is built on PTES, OWASP, and MITRE ATT&CK — stitched together with the muscle memory of operators who have worked across finance, healthcare, and platform tech.
Scoping & Reconnaissance
We define the engagement scope, rules of engagement, and conduct passive reconnaissance to map your external attack surface.
— Rules of engagement first. Always.
Enumeration & Analysis
Active enumeration of targets, technology fingerprinting, and identification of potential attack vectors through manual and automated techniques.
— Read the application before exploiting it.
Exploitation & Pivoting
Controlled exploitation of identified vulnerabilities. We chain findings, escalate privileges, and pivot through your environment — just like a real adversary.
— Findings only matter when chained.
Reporting & Remediation
Detailed technical report with proof-of-concept evidence, risk ratings, and actionable remediation guidance. We debrief your team and support re-testing.
— Writing is half of the work.
What we believe, on the record.
Practitioners, not paper auditors.
Our team holds OSCP, OSCE, CEH, and CRTP — credentials earned in front of a shell, not behind a slide deck. We've shipped real engagements across finance, healthcare, and platform tech.
Manual-first. Every finding chained.
We don't lean on automated scanners. Every issue is manually verified, chained into a working attack path, and demonstrated with proof-of-concept exploits a defender can replay.
Reports that read like field notes.
Written for both executives and engineers. Each finding carries business impact, technical context, and step-by-step remediation — no boilerplate, no autogenerated filler.
A partnership, not a transaction.
Security is not a one-time event. We offer retesting, ongoing PTaaS engagements, and advisory hours — so your defenses keep pace with the threat model.
Anonymized files from the field.
A handful of dossiers, lightly redacted. These are the kinds of vulnerabilities we uncover — not theoretical risks, but exploitable attack chains.
Authentication Bypass via JWT Manipulation
Discovered a JWT algorithm confusion vulnerability allowing any authenticated user to forge admin tokens. Combined with an IDOR on the user management API, this granted full administrative access to all tenant accounts.
Business Impact
Complete account takeover across 2,400+ tenant organizations.
Domain Admin via Kerberos Delegation Abuse
Starting from a compromised workstation, we abused unconstrained Kerberos delegation on a print server to capture a Domain Controller TGT. This was leveraged to perform a DCSync attack and extract all domain credentials.
Business Impact
Full domain compromise from a single workstation in under 4 hours.
SSRF to Internal Network Pivot
An SSRF vulnerability in the document processing endpoint allowed us to reach internal microservices. We chained this with a misconfigured Redis instance to achieve remote code execution on the internal network.
Business Impact
Access to PHI data stores and internal infrastructure from an unauthenticated endpoint.
Ready to test your defenses?
Tell us about your environment and goals. We'll scope an engagement that fits — no generic proposals, no wasted time.
- Direct line: contact@burgsec.net
- Encrypted: PGP key available on request
- Response: within 24 hours, business days
- Atelier: remote-first, on-site when needed