How is a real pentest different from a vulnerability scan?

Vulnerability scans run automated tools (Nessus, Qualys) and produce a list of CVEs flagged in your environment. Pentests are manual: senior testers exercise judgment about which findings actually matter, chain low-severity findings into critical attack paths, exploit business-logic flaws scanners miss, and document exactly what an attacker would do with each finding. If your last pentest was a scanner export with a cover page, you have not had a real one.

What does the pentest report include?

Executive summary (business impact, key findings, prioritized remediation), technical body (every finding with proof-of-concept, exploitation steps, screenshots/artifacts), remediation guidance per finding, attack-path diagrams for chained findings, and a methodology section that satisfies SOC 2, ISO 27001, PCI, or audit-of-record requirements. Plus a debrief call with your engineers.

How long does a pentest take?

Single web app or API pentest: 1-2 weeks of testing + 1 week reporting. Internal + external network pentest, mid-market: 2-3 weeks of testing + 1 week reporting. Cloud pentest single account: 2 weeks total. Critical findings get reported in real-time during testing so you can patch in flight, not held back to the report.

Do you do retests after we remediate?

Yes — included free within 30 days of the original report. Retest is manual on the actual finding in your actual environment, not a re-scan. Final clean report goes to your auditor or board after retest. Beyond the 30-day window, retests are at hourly rate.

What about audit-required pentests (SOC 2, ISO 27001, PCI)?

Yes — scoped, evidenced, and reported to satisfy your audit's requirements. Methodology section maps to the framework's pentest requirements (SOC 2 CC4.1 / CC7.1 evidence, ISO 27001 A.12.6.1 evidence, PCI DSS Requirement 11.4 evidence). Auditor coordination if helpful — we'll join the audit call if asked.

Penetration Testing Services — GIAC-Led Manual Pentesting | Varcoe.ai

Penetration Testing Services — GIAC-Led Manual Pentesting

Penetration testing services. GIAC-led manual pentesting — web, network, cloud (AWS, Azure, GCP), API, mobile, internal, external. Free retest. Court-admissible reporting. Fixed-fee from $15K. Quarterly external + annual full-scope cadence inside the partnership.

Schedule Consultation Call (239) 241-8095

Pentests that prove what an attacker can actually do

We run manual, GIAC-led penetration tests for web applications, networks, cloud environments, APIs, and mobile apps. The deliverable is a narrative report — what an attacker would do, the chain of findings that gets them there, the proof-of-concept artifacts, and prioritized remediation. Not a scanner dump with an executive summary.

If your last "pentest" was a Nessus scan with a cover page, you have not had a real one. See our explainer on penetration testing vs vulnerability scanning for the buyer's diagnostic.

What we test

Web application pentests. OWASP-aligned testing across authentication, session management, authorization, business logic, IDOR, SSRF, and supply-chain dependencies. Tested both unauthenticated and across each user role.
External network pentests. Internet-facing assets, exposed admin interfaces, VPN concentrators, mail servers, DNS, web servers — what a remote attacker actually has to work with.
Internal network pentests. Assumed-breach engagements simulating a compromised endpoint or insider. Active Directory escalation, lateral movement, data-exfiltration paths.
Cloud pentests. AWS, Azure, GCP — IAM misconfigurations, exposed storage, secret leakage, lateral movement across accounts/projects, container and serverless surface.
API pentests. REST, GraphQL, gRPC. Authorization at object level, rate limiting, mass assignment, broken object property level authorization (OWASP API Top 10).
Mobile pentests. iOS and Android — runtime, IPC, certificate pinning, local data storage, jailbreak/root detection, MASVS-aligned.
SOC 2 / ISO 27001 / PCI-aligned pentests. Scoped, evidenced, and reported to satisfy your audit's requirements without paying enterprise prices.

Engagement structure

Scoping call. 30-60 minutes. We map the attack surface, agree on rules of engagement, schedule the test window, and give you a fixed-fee proposal.
Test execution. 1-3 weeks of testing depending on scope, with daily Slack updates if you want them. Critical findings get reported immediately so you can patch in flight.
Reporting. Written narrative report (executive summary + technical body + remediation guidance) plus a debrief call with your engineers. Each finding includes proof-of-concept, business impact, and a remediation plan.
Retest included. 30-day window for free retest of every finding once you've remediated. Final clean report goes to your auditor or board.

What you get that most pentests skip

Manual chaining of findings. Five medium-severity findings combined into one critical attack path. Scanners cannot do this. We do this on every engagement.
Business-logic testing. Authorization, workflow bypasses, financial-logic errors. Where real damage lives.
GIAC-certified testers. No exceptions, no junior staff handoff after the kickoff.
Audit-quality documentation. Methodology section, tool list, hash-verified evidence, written for FRE 902(13)/(14) self-authentication when needed for litigation.
Retest, not "rescan." Manual retest of the actual finding in your actual environment.

What we will not do

Run a Nessus scan, package the output, and call it a pentest
Charge for findings we did not actually exploit or could not demonstrate
Out-source testing to junior staff or third parties without your written consent
Test outside the agreed scope or rules of engagement
Hold your retest hostage as a separate purchase

How we price

External web app pentest, single product: $15K–$30K fixed fee
Internal + external network pentest, mid-market: $25K–$60K fixed fee
Cloud pentest, single AWS/Azure account: $20K–$45K fixed fee
SOC 2 / ISO 27001 readiness pentest: $18K–$40K fixed fee
Multi-product or hybrid scope: custom quote, fixed fee or hourly with milestone caps

Referral partnerships welcome

We work with security firms hitting capacity, MSSPs whose clients need testing depth, IT consultancies placing assessments for compliance, and law firms placing testing in litigation matters. You introduce the client, we sign a mutual NDA and a referral agreement, and we deliver under the Varcoe.ai brand directly to the client.

Compensation is negotiated per partnership, calibrated to volume, scope, and ongoing co-marketing. Recurring referral partners earn richer terms than one-off introductions.

Red team & adversary simulation — multi-week, goal-based, beyond pentest scope
Phishing simulation — pairs with a network pentest in many engagements
Penetration testing vs vulnerability scanning (blog)

Quinnlan Varcoe

CEO and Founder

With operational experience across Fortune 50 security programs and the defense industrial base, Quinnlan founded Varcoe.ai in 2022 to provide clients with the caliber of expertise typically reserved for the largest enterprises. Her work in threat intelligence and digital forensics has earned the trust of 26,000+ cybersecurity professionals who follow her analysis.

“26,000 professionals follow my work because I say what others won't — and I can back it up technically.”

Fortune 50 BackgroundDefense IndustryThreat IntelligenceDigital PrivacyIncident Response

A confidential, structured engagement.

Introduction

A first conversation with Quinn directly. No sales pipeline, no junior account staff. We talk about whether the partnership is the right fit, both ways.

Diagnostic

Four to eight weeks. We look at IT, security, and AI together. The output is an honest map of the modernization work — what to do, in what order, with what budget.

Partnership

Six-month minimum, typically multi-year. We become the operating partner — accountable, single contract, senior practitioners, knowledge transfer contractual.

From the senior people
who’ve worked alongside Quinn.

The named companies beside each reviewer are their employers — not Varcoe partnerships. Each quote is a professional reference from someone who’s shipped work alongside Quinn directly.

“The partnership model isn't marketing language with Quinn — it's how she actually works. Senior judgment, single accountable contact, and the rigor to integrate across IT, security, and AI under one roof.”

Aaron Birnbaum

Managing Partner

Seron Security

“Quinnlan brings more than expertise — she brings strategic alignment. The ability to scale operations without sacrificing depth is exactly what serious organizations need from a modernization partner.”

Caroline Lombard

Threat Specialist

aws

“I've worked with Quinnlan on incidents most teams couldn't navigate — Log4j among them. The technical depth and the calm under fire are real, and they're rare.”

Justin Cox

Senior AWS Security Analyst

PayPal

“One of the most seamless collaborations I've had in this industry. Composure under pressure, technical precision, and the kind of credibility that compounds — exactly the senior bench a modernization partnership needs.”

Soufiane Jihadi

Senior Incident Response Consultant

Deloitte.

Original references collected on the legacy Varcoe site · LinkedIn endorsements available on request

Penetration Testing Services — GIAC-Led Manual Pentesting