SYSTEM ACTIVE//auth: corporate · scope: enterprise

OFFENSIVE SECURITY · PENTEST · RED TEAM

We think like the attacker.We operate for your company.

We simulate real attacks against your infrastructure, applications and people — before someone actually does it. Reports that drive action, not fear.

Request assessment→See methodology

frameworks:OWASPMITRE ATT&CKNISTPTESLGPD

basilisk@recon ~ /pentestLIVE

200+

pentests delivered

4,500+

vulnerabilities reported

99%

enterprise satisfaction

24h

SLA on critical

// RECON ACTIVE◆// 24/7 SOC◆// 24H SLA ON CRITICAL◆// NDA BY DEFAULT◆// GDPR READY◆// OWASP · MITRE · NIST · PTES◆// TECHNICAL + EXECUTIVE REPORT◆// RETEST INCLUDED◆// RECON ACTIVE◆// 24/7 SOC◆// 24H SLA ON CRITICAL◆// NDA BY DEFAULT◆// GDPR READY◆// OWASP · MITRE · NIST · PTES◆// TECHNICAL + EXECUTIVE REPORT◆// RETEST INCLUDED◆

[01_sobre]ABOUT BASILISK

We know how attackers operate. We use that in your favor.

We are a team of pentesters working exclusively for enterprises. Every engagement is conducted with technical rigor and auditable methodology — the kind of discipline boards and auditors recognize.

We don't sell fear. We deliver clarity on what is exploitable today, what it costs when exploited, and the shortest path to closing the door.

>_You can't protect what you don't know.

// pillar

Full visibility

We map your surface the way a real attacker would: from exposed DNS to the forgotten staging endpoint.

// pillar

Absolute secrecy

NDA by default, end-to-end encrypted deliverables and certified destruction of artifacts.

// pillar

Ethics as method

Formal authorization, documented scope, signed evidence. No surprises, no gray area.

[02_servicos]SERVICES

Three vectors. Full coverage.

Offensive operations with clear scope, signed evidence and deliverables the risk committee approves without needing a translator.

01 /

Professional Pentest

Manual and automated tests against web apps, APIs, mobile, networks and infrastructure. Dual deliverable: technical and executive.

▸ Web · API · Mobile
▸ Internal · External · Wi-Fi
▸ Black · Grey · White box

view details→

02 /

Red Team Engagement

Full adversarial simulation: defense evasion, social engineering, privilege escalation and lateral movement. We measure the blue team.

▸ Targeted phishing
▸ C2 & controlled persistence
▸ Optional purple team

view details→

03 /

Cloud Audit

Deep analysis of AWS, Azure and GCP: misconfiguration, excessive privilege, data exposure and benchmark compliance.

▸ IAM · network · data
▸ CIS Benchmarks · Well-Architected
▸ Prioritized remediation

view details→

[03_metodologia]METHODOLOGY

Replicable process. Consistent results.

Every engagement follows an auditable pipeline. The client sees progress in real time and receives an artifact that holds up to audit, diligence and board review.

01/recon

Reconnaissance

OSINT, DNS enumeration, stack fingerprinting, leaked credential collection and exposed surface mapping.

02/exploit

Exploitation

Tests with industry-standard tools and proprietary scripts. Every finding is manually validated — zero scanner noise.

03/post-exploit

Post-Exploitation

Privilege escalation, lateral movement, cloud pivot and real impact measurement in a controlled environment.

04/report

Reporting & Remediation

Technical + executive deliverables, calculated CVSS, proof of concept and risk-prioritized recommendations. Retest included.

[04_setores]SECTORS

Every industry has its threats. We know them all.

We work with security, IT and compliance teams at regulated enterprises and startups in due-diligence. Scope changes; rigor doesn't.

Finance & Banking

fraud, payments, open finance

→

Health & Healthtech

HIPAA, records, API

→

E-commerce

payments, fraud, API

→

Education & Government

sensitive data, integrations

→

Telecom & ISPs

core, OSS/BSS, CPE

→

Industry & OT

ICS, SCADA, segmentation

→

Legal & Insurance

confidentiality, DLP

→

SaaS & Startups

multi-tenant, scale, due-diligence

→

Logistics & Supply

EDI, tracking, integrations

→

[05_diferenciais]WHY BASILISK

Four commitments. No fine print.

// commitment

Absolute confidentiality

NDA before the first handshake, encrypted channel for delivery and certified destruction of artifacts at project end.

// commitment

Retest included

We revalidate for free after the fix. Your team closes the loop without paying twice for the same attack.

// commitment

Dual-view report

Technical version for engineering (with CVSS, PoC, payload) + executive version for the board. No translation needed.

// commitment

24h SLA on critical

Critical vulnerabilities are reported within 24 hours, outside of the final report. Risk doesn't wait for engagement closure.

[06_faq]FREQUENTLY ASKED

Before you hire, what you need to know.

// didn't find it?

open a direct channel →

The practice of testing systems from a real attacker's perspective — discovering flaws, exploitation chains and impact paths before they are used against you.

Pentest focuses on finding and proving the most vulnerabilities within a technical scope. Red Team simulates a full adversary with a defined business goal — focus on evasion, persistence and measuring defense effectiveness.

We operate with windows, scopes and rules of engagement agreed in writing. Destructive tests only happen with explicit authorization in prepared environments. The rule is zero operational impact.

From startups in due-diligence to regulated corporations. Scope and deliverable adjust — methodological rigor does not.

A standard pentest runs 2 to 4 weeks. Red Team runs 6 to 10. A detailed timeline is sent in the free initial scoping.

Scoping call, NDA, contract, rules of engagement, technical kickoff, execution, report and retest. Everything documented, no noise.

Yes. We process personal data under contract-execution legal basis, apply minimization, encryption and certified destruction at project end.

Yes. The deliverable is accepted by audit firms, investors in due-diligence and risk committees — with evidence, methodology and CVSS calculated.

[07_contato]OPEN CHANNEL

Ready to uncover your flaws?

First scoping call is free and covered by NDA. Within 48 hours you receive technical proposal, scope and timeline. No bureaucratic forms.

e-mail

contato@basilisk.com.br

phone

+55 11 96978-9917

base

São Paulo · BR

average response time: < 2h during business hours