About Time.
We break things on purpose, so attackers don’t. And one stolen credential stops multiplying into a breach.
Boutique penetration testing and security engineering, focused on identity and application-layer compromise.
We’re comfortable working with small, senior teams where decisions are made quietly and responsibility is taken seriously.
Where things usually break
- The “temporary” admin role that never went away
- One legacy service still trusted by everything
- CI pipelines with write access they don’t need
- Secrets rotated yearly because quarterly felt risky
- Identity systems that passed audits but failed adversarial testing under realistic conditions
- Logs that exist but can’t answer “what just happened?”
What we’ve actually seen
Observed across real environments, not theoretical models.
- Domain Admin reachable without ever being explicitly assigned
- MFA deployed, but bypassable via service accounts and legacy flows
- Web portals protected by SSO, but trusting unverified claims
- Incident logs present, but unable to reconstruct an attack chain
- Environments compliant on paper, fragile in practice
These aren’t rare edge cases. They’re what normal systems look like under pressure.
How we document findings
- Step-by-step reproduction (clear exploit narrative)
- Concrete impact, not theoretical risk
- Conditions required to reproduce
- Root-cause remediation guidance (minimal, targeted)
No screenshots for drama. No CVSS inflation. Just enough detail to fix the problem and prove it’s fixed.
Our penetration testing philosophy
- Exploit beats enumerate
- Impact beats severity labels
- Reproduction beats speculation
- Remediation beats alarmism
- Fewer findings beat longer reports
How we engage (no theater)
- Rules of Engagement: scope, timing, and data handling. Short and explicit.
- We try to get in: real attacker mindset, real exploitation, real proof.
Bounty model: we only bill if we find actual exploitable holes.
If you want a guaranteed invoice, there are vendors who sell PDFs.
Bonus points if their main deliverable is making sure their previous client’s name doesn’t show up in the footer.
What counts as an actual hole
- Authentication bypass and privilege escalation
- Active Directory attack paths to high-privilege access
- Web and API authorization failures with real data impact
- Secrets or token theft that widens blast radius
- CI/CD or identity-linked supply chain compromise
Not counted: theoretical issues, scanner noise, or anything we can’t reproduce.
Security engineering, not security theater
- Safe paths made easier than unsafe ones
- Controls that survive production, not just audits
- Evidence that exists without PowerPoint
- Automation that removes reliance on memory and vigilance
The Field Manual (AD + web)
Ransomware is usually boring: one credential, one foothold, then identity-driven spread until critical systems are compromised.
Entry
- Web apps and APIs: auth logic flaws, IDOR, token mistakes
- SSO edges: OAuth/SAML trust boundary failures
- Leaked or reused credentials and service accounts
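The “SSO on, claims unverified” pattern listed under what we’ve seen, and the auth logic and token mistakes in the Entry list above, usually come down to one missing step: the portal decodes a token and acts on it without checking who signed it, for whom, and until when. The block below is an added illustration, not code from this page or any client: a vulnerable portal beside its hardened form, using a constructed HS256 shared key, issuer and audience. Real IdPs normally sign with RS256/ES256 and a public key, but the checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed fixture, not a real deployment: IdP and portal share an HS256 key.
# Real SSO usually uses RS256/ES256 with the IdP's public key; the checks below
# (pinned alg, signature, iss, aud, exp) are the same either way.
IDP_KEY = b"constructed-shared-secret-do-not-reuse"
EXPECTED_ISSUER = "https://idp.example.test"   # assumed value
EXPECTED_AUDIENCE = "portal"                    # assumed value


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key=IDP_KEY, alg="HS256"):
    """Compact JWT. alg='none' yields the unsigned token an attacker would
    forge; it exists here only to exercise the vulnerable path."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return "%s.%s." % (header, body)
    sig = hmac.new(key, ("%s.%s" % (header, body)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, body, _b64url_encode(sig))


def portal_vulnerable(token):
    """The field pattern: SSO is 'on', but the portal only decodes the payload.
    Anyone who can write base64 is an admin."""
    _header, body, _sig = token.split(".")
    return json.loads(_b64url_decode(body))


def portal_hardened(token, key=IDP_KEY, now=None):
    """Verify before trusting. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token choose (alg=none, confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, ("%s.%s" % (header_b64, body_b64)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired or missing exp")
    return claims


def hardened_accepts(token, now=None):
    """True if the hardened portal would grant the session."""
    try:
        portal_hardened(token, now=now)
        return True
    except ValueError:
        return False


def demo():
    """Forge an unsigned admin token and run it through both portals."""
    forged = mint_token({"sub": "attacker", "role": "admin", "iss": EXPECTED_ISSUER,
                         "aud": EXPECTED_AUDIENCE, "exp": 4000000000}, alg="none")
    return {"vulnerable_grants_admin": portal_vulnerable(forged).get("role") == "admin",
            "hardened_accepts_forged": hardened_accepts(forged)}


if __name__ == "__main__":
    print(demo())
```

In production, use a maintained library or the IdP’s SDK with the algorithm list pinned rather than hand-rolled verification; the point of the stdlib version is to make every check visible. The SAML equivalent is the same list: assertion signature against the IdP certificate, then Audience, Issuer and NotOnOrAfter.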
Spread
- Kerberoasting, delegation abuse, stale AD trusts
- User-to-admin and admin-to-domain escalation paths
- Lateral movement across systems, apps, and tooling
- CI/CD pipelines abused once identity boundaries break
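Kerberoasting in the Spread list above is also the clearest case of “logs that exist but can’t answer what just happened”: every service ticket request lands in Security event 4769, yet most environments never ask the one question that matters, which account pulled RC4 tickets for many user SPNs in a short window. The block below is an added example, not code from this page or any client. The event records are constructed (field names follow the Windows event, values are invented), and the ten-minute window and threshold of five are assumed starting points to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; AES128/256 are 0x11/0x12


def _ev(t, user, svc, enc="0x17", ip="10.0.5.23", status="0x0"):
    """Build one constructed 4769 EventData record (field names as in the
    Windows event; every value is made up for this example)."""
    return {"TimeCreated": t, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": enc, "IpAddress": ip, "Status": status}


EVENTS = [
    # jdoe: six RC4 tickets for distinct user SPNs inside a minute = roast
    _ev("2024-03-01T09:00:01", "jdoe@CORP.LOCAL", "svc_sql01"),
    _ev("2024-03-01T09:00:03", "jdoe@CORP.LOCAL", "svc_backup"),
    _ev("2024-03-01T09:00:04", "jdoe@CORP.LOCAL", "svc_iis"),
    _ev("2024-03-01T09:00:06", "jdoe@CORP.LOCAL", "svc_sccm"),
    _ev("2024-03-01T09:00:09", "jdoe@CORP.LOCAL", "WS01$"),        # machine account: ignored
    _ev("2024-03-01T09:00:12", "jdoe@CORP.LOCAL", "svc_exchange"),
    _ev("2024-03-01T09:00:40", "jdoe@CORP.LOCAL", "svc_jenkins"),
    _ev("2024-03-01T09:00:41", "jdoe@CORP.LOCAL", "svc_sql01"),    # repeat, not a new SPN
    _ev("2024-03-01T09:00:50", "jdoe@CORP.LOCAL", "svc_vault", status="0x1b"),  # failed: no ticket
    # bsmith: two legacy RC4 services over the morning, a normal baseline
    _ev("2024-03-01T08:30:00", "bsmith@CORP.LOCAL", "svc_print", ip="10.0.7.4"),
    _ev("2024-03-01T08:31:10", "bsmith@CORP.LOCAL", "svc_sql01", ip="10.0.7.4"),
    # cjones: busy, but AES tickets, which Kerberoasting avoids
    _ev("2024-03-01T09:05:00", "cjones@CORP.LOCAL", "svc_sql01", enc="0x12", ip="10.0.9.9"),
    _ev("2024-03-01T09:05:01", "cjones@CORP.LOCAL", "svc_iis", enc="0x12", ip="10.0.9.9"),
    _ev("2024-03-01T09:05:02", "cjones@CORP.LOCAL", "svc_sccm", enc="0x12", ip="10.0.9.9"),
    _ev("2024-03-01T09:05:03", "cjones@CORP.LOCAL", "svc_backup", enc="0x12", ip="10.0.9.9"),
    _ev("2024-03-01T09:05:04", "cjones@CORP.LOCAL", "svc_exchange", enc="0x12", ip="10.0.9.9"),
    _ev("2024-03-01T09:05:05", "cjones@CORP.LOCAL", "svc_jenkins", enc="0x12", ip="10.0.9.9"),
]


def detect_kerberoasting(events, window=timedelta(minutes=10), threshold=5):
    """Flag (user, source IP) pairs that obtained RC4 service tickets for at
    least `threshold` distinct user SPNs within `window`. Each alert carries
    enough to answer 'what just happened': who, from where, when, and which
    service accounts are now exposed to offline cracking."""
    by_actor = defaultdict(list)
    for e in events:
        if e.get("Status") != "0x0" or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and the TGS key are not roastable user SPNs
        by_actor[(e["TargetUserName"], e["IpAddress"])].append(
            (datetime.fromisoformat(e["TimeCreated"]), svc))
    alerts = []
    for (user, ip), reqs in by_actor.items():
        reqs.sort()
        best, span = set(), None
        j = 0
        for i in range(len(reqs)):  # sliding window over the sorted requests
            while j < len(reqs) and reqs[j][0] - reqs[i][0] <= window:
                j += 1
            services = {svc for _, svc in reqs[i:j]}
            if len(services) > len(best):
                best, span = services, (reqs[i][0], reqs[j - 1][0])
        if len(best) >= threshold:
            alerts.append({"user": user, "source_ip": ip,
                           "first_seen": span[0].isoformat(), "last_seen": span[1].isoformat(),
                           "distinct_services": len(best), "services": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(EVENTS):
        print(alert)
```

RC4 tickets are not proof on their own; some environments still have legacy services that legitimately request them, which is why the rule keys on distinct SPNs per actor per window rather than on a single event. The same alert also tells you which service accounts need their passwords rotated (or moved to gMSA or AES-only) before the cracked hashes come back as logons.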
Impact
- Data access, exfiltration, and destruction
- Secret theft extending persistence and blast radius
- Whether the entire chain shows up in your telemetry or succeeds silently
We don’t start with servers. We start with identities. Because that’s where compromise scales.
Designing for recovery (optional follow-on)
If we find identity-driven blast radius, we can help you design recovery so a breach doesn’t become a hostage situation.
We don’t promise attackers won’t get in. We design systems so they can’t hold you hostage.
- Identity-isolated backup and recovery paths
- Immutable (write-once) backups where it matters
- Backup credentials that cannot authenticate to production
- Separation between “operate” access and “restore” access
- Recovery drills tested under realistic conditions
A backup you can’t restore under pressure is not a backup.
What we assume about you
- You already have capable people
- You know security matters
- You’re tired of advice that collapses in production
- You want confirmation, not persuasion
- You’re operating under increasing regulatory expectations (including NIS2), and you want evidence, not optics
Who we’re not for
- Organizations buying pentests for audit optics
- Teams looking for guaranteed findings
- Anyone who wants a long report instead of fewer problems
There are many good vendors for that. We’re not one of them.
Discretion
We don’t publish client-specific incidents or stories.
What we describe are recurring technical patterns observed across many environments.
We don’t reuse client work as marketing material.
Our work stays where it belongs.
After the breach
Incident response always finds budget.
Forensics is rarely optional.
Downtime invoices don’t negotiate.
ops@abouttime.engineering