https://yetisecurity.cz/services/Recent content in Services on Yeti.Security — Pen-testing & security consultingHugoen-usThu, 15 Jan 2026 00:00:00 +0000https://yetisecurity.cz/services/penetration-testing/Thu, 15 Jan 2026 00:00:00 +0000https://yetisecurity.cz/services/penetration-testing/<p>A scoped, time-boxed assessment against a defined surface. The most common engagement shape we run.</p> <h2 id="whats-in-scope">What&rsquo;s in scope</h2> <ul> <li><strong>Web applications</strong> — production-grade SPAs, APIs, admin consoles</li> <li><strong>Mobile</strong> — native iOS and Android binaries plus their backends (OWASP MASTG)</li> <li><strong>REST &amp; GraphQL APIs</strong> — including auth-token replay, IDOR, rate-limiting</li> <li><strong>Cloud configuration</strong> — AWS, GCP, Azure (read-only review)</li> </ul> <p>We do not test customer-leased on-premises hardware, third-party SaaS we don&rsquo;t host, or anything you don&rsquo;t have written authorization to test.</p>https://yetisecurity.cz/services/red-team/Thu, 15 Jan 2026 00:00:00 +0000https://yetisecurity.cz/services/red-team/<p>A simulated adversary campaign with a defined objective (&ldquo;exfiltrate the customer-PII bucket&rdquo;, &ldquo;deploy ransomware to the build server&rdquo;, &ldquo;obtain a production AWS access key&rdquo;), tested across as many vectors as it takes.</p> <h2 id="what-gets-tested">What gets tested</h2> <ul> <li><strong>Initial access</strong> — phishing, smishing, OSINT, supply-chain via dependency</li> <li><strong>Lateral movement</strong> — once in, can we move? what&rsquo;s logged?</li> <li><strong>Privilege escalation</strong> — IAM, group policy, sudoer files, the lot</li> <li><strong>Detection &amp; response</strong> — does your SOC see us? in how long? what gets paged?</li> <li><strong>Exfiltration</strong> — the final boss: can we leave with what we came for?</li> </ul> <h2 id="how-it-runs">How it runs</h2> <p>Four-week minimum, six-week typical. We coordinate timing with a single point of contact on your side (usually CISO or VP Eng) who is <em>not</em> in the SOC. The SOC doesn&rsquo;t know we&rsquo;re coming — that&rsquo;s the point.</p>https://yetisecurity.cz/services/consulting/Thu, 15 Jan 2026 00:00:00 +0000https://yetisecurity.cz/services/consulting/<p>A monthly retainer for teams who want senior security guidance without hiring a full-time security engineer. The right shape for most Series A–B companies.</p> <h2 id="whats-included">What&rsquo;s included</h2> <ul> <li><strong>Fractional CISO</strong> — a named senior practitioner who attends your weekly security/eng review and answers Slack</li> <li><strong>Threat modeling</strong> — quarterly half-day sessions to map what you&rsquo;re shipping against what attackers want</li> <li><strong>Architecture review</strong> — every major system gets a read before it ships</li> <li><strong>SDLC integration</strong> — we set up the linters, the dependency scanning, the secret-detection in your CI, and tune them so they don&rsquo;t get ignored</li> <li><strong>Incident retainer</strong> — on-call coverage for the first 24 hours of any declared incident; we then hand off to a forensics partner</li> </ul> <h2 id="how-it-works">How it works</h2> <p>Eight hours/week, billed monthly. We don&rsquo;t track hours within the month — this isn&rsquo;t an agency.</p>