Cyber · 02 / Offensive Assessment

Find what your attackers
would find — first.

Shield of Steel Cyber runs external and internal vulnerability scans, OWASP Top 10 web-application testing, black / gray / white-box penetration tests, physical intrusion assessments, and full red-team engagements for organizations in Tennessee and Mississippi. Every engagement ends with a CVSS-ranked technical report, an executive summary for your board, a remediation roadmap with named owners and realistic timelines, and a free re-test once your team closes the findings. The goal is the fix — not the finding.

Scan coverage: External + Internal · Nessus · Qualys · Rapid7
Web-app standard: OWASP Top 10 · ASVS L2 baseline
Pen-test tiers: Black · Gray · White · scoped and authorized
Practice lead: SecurityX · CISM · CySA+ · DoD 8140 baseline
Remediation re-test: Included within 90 days
PCI ASV scans: Quarterly, partner-delivered
2,100+ · Findings triaged in the last 12 months
Across external, internal, and web-app engagements in Tennessee and Mississippi. CVSS-scored, evidence-attached, reproducible.
63% · Critical / high findings closed within 30 days
Share of critical and high findings remediated inside the first thirty days after report delivery. We measure the fix, not just the find.
7 days · Median engagement turnaround
From kickoff to delivered draft report on a single-scope web-application test. Larger network and red-team engagements run two to six weeks.
$0 · Remediation re-test fee
Every paid assessment includes one re-test of the items we flagged, with an updated attestation letter for your auditor.
01 / Assessment Scope

What we test,
and how deep.

Every engagement is scoped before it's signed. The grid below is the catalog — your statement of work picks and combines. Scans establish coverage; pen tests establish proof; red-team engagements establish what an adversary would actually do with the access they could gain.

01 · External Scan · Breadth

Public attack-surface scanning

Unauthenticated scan of everything visible from the open internet — IPv4 + IPv6 ranges, domains, cloud endpoints, forgotten subdomains. Tooling is commercial-grade: Tenable Nessus, Qualys VMDR, or Rapid7 InsightVM depending on your environment.

Nessus / Qualys / Rapid7 · CVSS-ranked
02 · Internal Scan · Depth

Internal network scanning

Credentialed, authenticated scan of the segments you authorize — Windows, Linux, network appliances, virtualization, and industrial-control zones on request. Because an authenticated scan reads installed package versions, local configuration, and patch state directly instead of inferring them from service banners, it surfaces substantially more real issues, with fewer false positives, than an unauthenticated probe of the same hosts.

Authenticated · VPN or on-site
03 · Web App · OWASP

OWASP Top 10 web-app test

Manual plus automated testing of one application or API against the current OWASP Top 10 and ASVS. Authenticated and unauthenticated passes; role-based access-control validation; authorization bypass; logic-flaw hunting no scanner can do.

Burp Pro · ZAP · manual · ASVS L2
04 · Pen Test · Proof

Network penetration testing

Human operator attempts real exploitation against a defined objective — domain admin, data exfiltration, ransomware precursor. Black-box, gray-box, or white-box depending on the threat you want simulated and the budget you have.

Black / Gray / White-box · scoped
05 · Physical Pen · On-site

Physical penetration testing

Authorized attempts to defeat physical controls — tailgating, badge cloning, lock bypass, rogue-device drops, paper-record exfiltration. Every operator is briefed, carries a signed letter of authorization, and is prepared for any encounter with law enforcement.

Signed LOA · get-out-of-jail carried
06 · Social Eng. · Human

Social-engineering assessments

Phishing, vishing, smishing, and pretext-based on-site engagement against named targets you approve. Campaigns use modern adversary tradecraft — typosquat domains, cloned login portals, business-email-compromise scripts, MFA-fatigue flows.

Gophish · custom pretext · MFA-aware
07 · Red Team · Objective

Red-team engagements

Objective-based adversary emulation combining every vector above — network, web, cloud, physical, social. Goals are defined in advance; impact is measured against them. Typical objectives: domain admin, data exfil, payroll redirect, ransomware staging. Our team carries prior military cyber experience including adversarial-simulation and red-team operational roles — the practice is led accordingly.

MITRE ATT&CK mapped · mil. red-team lineage
08 · ASV Quarterly · PCI-DSS

PCI-DSS external ASV scans

Approved Scanning Vendor partnership delivers your quarterly external vulnerability scan with attestation package suitable for your acquirer, your QSA, and your PCI self-assessment questionnaire. We add manual review of every finding above informational.

PCI SSC partner · quarterly + as-changed
Severity · CVSS range · Remediation window
Critical · 9.0–10.0 · Now. Remediate within 72 hours: internet-facing and directly exploitable, or easily chained to account takeover / data loss.
High · 7.0–8.9 · 30 d. Remediate within thirty days: significant exploitation path with realistic attacker capability.
Medium · 4.0–6.9 · 90 d. Remediate within ninety days: exploit requires specific conditions, chaining, or insider context.
Low · 0.1–3.9 · Next cycle. Address in the next regular patch or hardening cycle: limited exploitability or impact.
Informational · no score · Note. Documented for context and audit evidence; no immediate remediation required.
02 / Six-Stage Methodology

How an
engagement runs.

Six stages, each with a named deliverable and a live point of contact. The stages are the same on a one-week web-app engagement as on a six-week red-team — the difference is depth and duration, not rigor.

STAGE 01 · Scoping

Scoping & rules of engagement

Kickoff call confirms targets, time windows, emergency contacts, production-vs-non-prod boundaries, out-of-scope systems, and pass / fail objectives for red-team or pen-test engagements. Rules of engagement are signed before a single packet is sent.

Signed ROE · emergency contacts set
STAGE 02 · Recon

Reconnaissance & enumeration

Passive recon via public records, certificate transparency logs, DNS archives, leaked-credential indexes, and open-source intelligence. Active enumeration where authorized — port scanning, service fingerprinting, directory brute-forcing, subdomain expansion.

Passive + active · authorized scope
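One piece of the passive step, as an added example (not the firm's tooling): reducing a certificate-transparency export to a de-duplicated hostname list while enforcing the authorized scope before anything is touched. The JSON is constructed in the shape crt.sh returns for a `?q=%25.example.com&output=json` query (one object per log entry, newline-separated `name_value`); nothing is fetched from the network, and `example.com` / `example.net` stand in for a real client apex.

```python
"""
Added example, not the firm's tooling: reduce a crt.sh-style certificate-
transparency export to a de-duplicated hostname list, keeping only names under
the apex domains the rules of engagement authorize. The JSON is constructed in
the shape crt.sh returns for `?q=%25.example.com&output=json` (one object per
log entry, newline-separated `name_value`); nothing is fetched from the network.
"""
import json
import re
from datetime import datetime

SAMPLE_CT_JSON = json.dumps([  # constructed sample, not real log data
    {"id": 1, "not_after": "2025-01-01T00:00:00", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"id": 2, "not_after": "2025-06-01T00:00:00", "common_name": "*.example.com",
     "name_value": "*.example.com\nvpn.example.com"},
    {"id": 3, "not_after": "2020-01-01T00:00:00", "common_name": "old-jira.example.com",
     "name_value": "old-jira.example.com"},                 # expired: forgotten host?
    {"id": 4, "not_after": "2025-01-01T00:00:00", "common_name": "ExampleCorp Staging",
     "name_value": "STAGING.Example.com\nstaging.example.com"},
    {"id": 5, "not_after": "2025-01-01T00:00:00", "common_name": "www.example.net",
     "name_value": "www.example.net"},                      # not in this ROE
])

# RFC 1123-style hostname: letter/digit/hyphen labels, alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def in_scope(host: str, apexes: set) -> bool:
    """True only for the apex itself or a subdomain of it (not 'notexample.com')."""
    return any(host == a or host.endswith("." + a) for a in apexes)


def extract_hostnames(ct_json: str, authorized_apexes, as_of: str):
    """Return (hosts, wildcards, out_of_scope).

    hosts        hostname -> True if some certificate is still valid at `as_of`
    wildcards    parents of '*.' names; evidence the org issues wildcard certs
    out_of_scope names seen in the log but outside the authorized apexes,
                 returned so the operator can raise them at scoping, not scan them
    """
    cutoff = datetime.fromisoformat(as_of)
    apexes = {a.lower().strip(".") for a in authorized_apexes}
    hosts, wildcards, out_of_scope = {}, set(), set()
    for entry in json.loads(ct_json):
        current = datetime.fromisoformat(entry["not_after"]) >= cutoff
        names = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for raw in names:
            name = raw.strip().lower().rstrip(".")
            wildcard = name.startswith("*.")
            if wildcard:
                name = name[2:]
            if not HOSTNAME_RE.match(name):
                continue                      # free-text CNs, blanks, bare IPs
            if not in_scope(name, apexes):
                out_of_scope.add(name)
                continue
            if wildcard:
                wildcards.add(name)
                continue
            hosts[name] = hosts.get(name, False) or current
    return hosts, wildcards, sorted(out_of_scope)


if __name__ == "__main__":
    hosts, wildcards, dropped = extract_hostnames(SAMPLE_CT_JSON, ["example.com"], "2024-03-01")
    for host in sorted(hosts):
        print(f"{host:<24} {'current cert' if hosts[host] else 'EXPIRED cert only'}")
    print("wildcard parents:", sorted(wildcards))
    print("out of scope, do not touch:", dropped)
```

Expired-only names are kept deliberately: a host whose last certificate lapsed years ago is the classic forgotten subdomain, and a wildcard parent is a hint that the subdomain space is open rather than a licence to guess names outside the signed scope.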
STAGE 03 · Scanning

Automated vulnerability scanning

Commercial scanners baseline the environment — Nessus or Qualys for infrastructure, Burp Suite Professional plus OWASP ZAP for web, specialized tooling for cloud, wireless, Active Directory, and industrial control systems. Raw output is triage fuel, not a report.

Scanner output · triaged, not shipped
STAGE 04 · Exploit

Manual validation & exploitation

Human operator confirms every finding worth confirming — most scanner output is noise, a meaningful minority is real, and a handful of real issues chain into something critical. Exploitation goes only as far as the rules of engagement allow, and evidence is captured every step.

Chaining · evidence-captured
STAGE 05 · Reporting

Report writing & CVSS scoring

Executive summary, technical findings with reproduction steps, and remediation roadmap drafted by the operator who did the work — never ghost-written, never offshored. Each finding carries a CVSS v3.1 score, business-context severity, and remediation guidance specific to your stack.

Authored by operator · signed
STAGE 06 · Re-test

Remediation re-test & attestation

Once your team closes the findings, we re-test the specific items — not the whole environment — and update each finding with a new status. The deliverable is an attestation letter suitable for your SOC 2 auditor, customer security questionnaire, or board report, and it's included in the engagement fee.

Free · within 90 days · attestation letter
03 / Disclosure Tiers

Black-box, gray-box,
or white-box.

The difference is disclosure — what the operator starts with. Pick the tier that matches the adversary you most want to defend against, not the one that feels most thorough. Most organizations get the best value from gray-box.

Tier A · Black-box · $$

Outside-in

The operator starts with only what a random internet attacker would know — company name, public URLs, public social footprint. Maximum simulation realism; maximum time spent on reconnaissance rather than exploitation.

  • No credentials, no diagrams
  • Simulates external unknown threat
  • Reconnaissance is a material cost
  • Narrower finding surface per dollar
Adversary: External unknown
Tier B · Gray-box · $$ · most common

Partial access

The operator starts with limited insider context — a low-privilege user account, high-level architecture documentation, and the kind of information a compromised employee or supply-chain partner would have. The sweet spot for most organizations.

  • Low-privilege creds + limited docs
  • Simulates compromised insider
  • Best finding-per-dollar ratio
  • Our default recommendation
Adversary: Compromised user
Tier C · White-box · $$$

Full disclosure

The operator starts with complete visibility — source code, architecture diagrams, admin credentials, network topology, and in-depth technical briefings. Finds the maximum number of real issues in the minimum amount of time; no reconnaissance tax.

  • Source code + admin creds + diagrams
  • Simulates informed insider threat
  • Highest findings density
  • Preferred for new-product launches
Adversary: Informed insider
Red-team Leadership · Military Cyber Lineage

Adversarial simulation,
run by people who did it in uniform.

Cyber Command is led by a director with prior military cyber-operations experience — including adversarial-simulation and red-team operational roles. That means the red-team program here is designed by someone who ran objective-based adversary emulation under rules of engagement before leading it as a civilian practice: threat modeling against defended infrastructure, operator-level familiarity with how mature defenders respond, and discipline around the difference between noise and signal when a hunt team starts pulling thread.

The practice lead holds CompTIA SecurityX (formerly CASP+) for senior-technical practitioner work, ISACA CISM for management and governance, and CompTIA CySA+ for SOC and analyst depth — three ANSI-accredited credentials, each a DoD 8140 baseline for senior technical, governance, and SOC-analyst roles. That stack is what sits behind the signature on every red-team report we deliver, and it is what we bring to scoping when your environment has to resist both a cost-constrained criminal and a patient, well-resourced adversary.

  • Practice lead: Prior military cyber operations · adversarial-simulation and red-team operational experience.
  • SecurityX (CASP+): Senior-level advanced security practitioner · DoD 8140 IAT III / IAM II baseline.
  • ISACA CISM: Management and governance · DoD 8140 IAM II baseline · audit-defensible program leadership.
  • CompTIA CySA+: SOC and analyst discipline · DoD 8140 CSSP-Analyst baseline.
  • MITRE ATT&CK: Every red-team engagement mapped to named techniques; the report reads against the framework auditors actually cite.
  • Rules of engagement: Signed before packets fly. Objective-based, not open-ended. Named reveal contact and escalation path.
Cross-Discipline · Physical + Cyber

Physical pen tests are
where our origins pay off.

Most cyber firms buy their physical-testing capability from a subcontractor. We don't have to. Our operators come out of the same training culture that produced our armed and unarmed officer corps — law-enforcement and military backgrounds, real lock-bypass training, real covert-entry practice. When an engagement calls for tailgating a keycard reader at 6:57 a.m., our operator has done it in uniform before doing it in plainclothes.

That matters because the strongest attacks chain digital and physical. A phishing email that installs a drop-box requires someone to walk the drop-box into a conference room. A badge clone is worth nothing without someone who can look like they belong. We bring the cyber tradecraft, and we bring the physical-security discipline — and we write the report as one document.

  • Covert entry: Tailgating, piggybacking, lock bypass, and under-door manipulation against commercial-grade doors.
  • Credential attacks: Long-range RFID / prox-card cloning (HID, iClass), Flipper-style badge mirroring.
  • Network drops: Authorized placement of rogue devices (LAN Turtle, Raspberry Pi, custom hardware) at validation points.
  • Pretext and reception: Multi-day reconnaissance, uniformed pretext, vendor impersonation with signed authorization.
  • Evidence discipline: Photographed, logged, timestamped; every touch is documented so nothing is disputed later.
  • Coordinated cleanup: Every artifact is collected; no rogue devices stay behind. Written certification of de-planting on delivery.
04 / Deliverables

Three documents,
one engagement.

Every paid assessment ends with three signed documents: an executive summary for the board, a technical findings report for the operations team, and a remediation roadmap that names the owner, the timeline, and the verification method for each finding. Re-test is included.

Engagement | Timeline | Deliverable | Notes | Typical fee
External scan (one-time) | 3–5 business days | Signed external scan report | CVSS-ranked | $2,500 – $6,000
Internal scan (authenticated) | 5–10 business days | Authenticated scan report | Per segment | $4,500 – $12,000
OWASP Top 10 web-app test | 1–2 weeks | ASVS-aligned web-app report | Per application | $9,500 – $28,000
Network pen test (gray-box) | 2–4 weeks | Full pen-test report + exec brief | Scoped network | $18,000 – $55,000
Physical pen test | 1–3 weeks | Signed LOA + physical report | Per facility | $12,000 – $38,000
Red-team engagement | 4–8 weeks | Objective-based adversary emulation | ATT&CK-mapped | $60,000 – $180,000
PCI-DSS ASV quarterly scan | Ongoing, quarterly | PCI-ready attestation package | Acquirer-filed | $4,800 – $14,000 / yr
Remediation re-test | 3–7 business days | Updated findings + attestation letter | Auditor-ready | Included

Regulatory & audit overlays supported

PCI-DSS v4.0

Quarterly external ASV scans (Req 11.3.2), annual internal and external penetration testing per Req 11.4, and segmentation validation for CDE boundaries (Req 11.4.5).

SOC 2

Annual third-party pen-test evidence, quarterly scan cadence, attestation letter in the format your auditor expects.

HIPAA Security

Risk analysis and evaluation under §164.308(a)(1)(ii)(A) and §164.308(a)(8); technical safeguards validation.

CMMC 2.0

CA.L2-3.12.1 security assessments and RA.L2-3.11.2 vulnerability scans for defense-contractor environments.

05 / Assessment FAQ

Questions we
hear every week.

If your question isn't answered here, the senior operator who would run your engagement will take the call directly — not a sales rep, not a gatekeeper. Dispatch will route you in under five minutes.

How often should I scan for vulnerabilities?

Most organizations should run an external vulnerability scan at least quarterly and an internal authenticated scan at least monthly, with additional scans triggered by any material infrastructure change, a new public-facing asset, a patch-Tuesday cycle that hit systems you run, or a disclosed critical CVE in software you have deployed.

Merchants in PCI-DSS scope are required to perform an external ASV scan at minimum once per quarter and after any significant change. Mature programs run continuous internal scanning with daily external attack-surface monitoring and treat quarterly as a floor rather than a target.

What's the difference between a vulnerability scan and a penetration test?

A vulnerability scan is breadth-first and mostly automated — a scanner queries your assets, compares what it sees against a database of known CVEs and misconfigurations, and produces a list of findings ranked by CVSS. A penetration test is depth-first and mostly manual — a human operator tries to achieve a defined objective, chains vulnerabilities together, exploits real weaknesses, and demonstrates impact.

A scan tells you what could be exploited; a pen test tells you what would be exploited and how far an attacker could go. You want both — scans for coverage, pen tests for proof. If your budget only covers one in a given year, the pen test is the one whose findings change behavior.

Do you break production systems?

Our default posture is aggressive scanning on non-production, conservative on production, and we confirm the boundary in writing during scoping. For production targets we disable denial-of-service modules, throttle request rates, coordinate a change window, and maintain a live channel — usually a dedicated Slack or Teams room — with your on-call so we can pause within minutes if anything misbehaves.

Real damage is rare but possible, especially on fragile legacy applications. We carry professional-liability insurance, name a test-lead point of contact, and require a signed rules-of-engagement document before any packets fly. In the last two years our engagements have caused zero production incidents worth reporting.

What is an ASV scan, and do I need one?

An ASV scan is an external vulnerability scan performed by an Approved Scanning Vendor — a firm certified by the PCI Security Standards Council to conduct the external scans required by PCI-DSS Requirement 11.3.2. If you store, process, or transmit cardholder data, your acquiring bank requires passing ASV scans at least quarterly and after any significant change.

We deliver ASV scanning via a PCI SSC-approved partner and wrap it in our own manual review, so you get both the attestation your acquirer wants and a usable remediation narrative — not just a 400-page scanner export with a pass / fail stamp on the cover page.

How deep does your OWASP Top 10 testing actually go?

Every category in the current OWASP Top 10 is exercised by hand, not just flagged by a scanner. That means real input fuzzing against injection vectors, manual authorization testing with multiple user roles for broken-access-control, session-handling review, SSRF probing against internal metadata endpoints, deserialization testing where applicable, component-inventory cross-reference for vulnerable dependencies, and logic-flaw hunting that scanners cannot do.

We align with OWASP ASVS Level 2 by default and Level 3 on request, and we note every ASVS control we tested so your auditors can see coverage rather than just a pass / fail roll-up. The final report lists not only what we found — which matters — but also what we tested and did not find, which matters more to most auditors.

Can you do wireless penetration tests?

Yes. Wireless testing covers rogue-AP detection, WPA2 / WPA3 key-exchange attacks, evil-twin and karma-style client exploitation, guest-network segmentation validation, and Bluetooth / BLE device review in operational-technology environments.

We will walk your physical perimeter with spectrum analyzers and directional antennas, map signal bleed beyond your controlled space, and test whether an attacker parked in your lot can reach sensitive segments. Wireless is typically a module inside a broader pen test rather than a standalone engagement, because the findings are most useful in combination with network and physical context.

What's the difference between black-box, gray-box, and white-box testing?

Black-box means we start with only what a random internet attacker would have — a company name and public URLs. Gray-box means we start with limited insider knowledge, typically a low-privilege user account and some documentation, which simulates a compromised employee or a malicious insider. White-box means full disclosure — source code, architecture diagrams, admin credentials — which lets us find the maximum number of real issues in the minimum amount of time.

Most organizations get the best value from gray-box. It simulates a realistic threat and avoids paying an operator to spend the first three days on reconnaissance a real attacker would do on their own clock. Black-box is worth the money when the executive question is "what does a total stranger on the internet see?", and white-box is worth it at product launches when the goal is maximum defect discovery before a release ships.

Do you do physical penetration tests, and what does that involve?

Yes, and this is where our physical-security roots actually matter. A physical pen test is an authorized attempt to defeat your physical controls — tailgating employees through badge readers, cloning proximity credentials at close and long range, bypassing sensitive locks, dropping rogue network devices under desks or in conference rooms, exfiltrating paper records from shared printers, and combining those techniques with social engineering at reception and on the phone.

Every engagement runs under a signed letter of authorization naming the approved targets and a get-out-of-jail card the operator carries in case local law enforcement is called. We do not do covert testing without written authorization from an executive who has the authority to grant it, and we brief a named "reveal contact" at your organization who can confirm the engagement if any employee or responder asks.

What tools do you use?

For scanning, Tenable Nessus, Qualys VMDR, and Rapid7 InsightVM, depending on what your environment and your auditor expect. For web testing, Burp Suite Professional, OWASP ZAP, sqlmap, and a stack of manual proxy and fuzzing tools. For network and infrastructure, Nmap, Responder, Impacket, CrackMapExec, BloodHound, and Metasploit on the exploitation side. For wireless, Kismet, Aircrack-ng, and Bettercap. For social engineering, Gophish, custom pretext sites, and cloned portals.

Tooling is secondary. The report depends on the operator's judgment, not the scanner's output. Two engagements against the same target with the same tools and two different operators will produce materially different reports — the skill is reading what a chained set of minor findings actually means, and that is not something a scanner does.

What do the deliverables actually look like?

Three documents per engagement. An executive summary — typically four to six pages — written for a non-technical board or executive sponsor, covering business-level risk and the handful of issues that matter most. A technical findings report — typically forty to a hundred twenty pages depending on scope — with every finding CVSS-ranked, reproduction steps included, evidence screenshots attached, and remediation guidance written specifically for your stack. And a remediation roadmap — typically one to two pages — listing each finding with an assigned owner, a realistic timeline, and the verification method we will use at re-test.

Every deliverable is signed by the operator who authored it, reviewed by our cyber lead, and timestamped on firm letterhead. Nothing is subcontracted or ghost-written. If your auditor, carrier, or customer-security questionnaire requires a specific format, send the template at scoping and we will match it.

Is the remediation re-test really free?

Yes. Every paid engagement includes one remediation re-test at no additional cost, provided it is requested within ninety days of the final report and the scope is limited to the items we originally flagged. The re-test updates each affected finding in your technical report with a new status — fixed, partial, accepted, or still open — and produces a short attestation letter suitable for auditors, boards, or customer security questionnaires.

We include the re-test because an unfixed report is a paperweight. The point of an assessment is to close the findings; the vendor that closes them does not have to be us, but the firm that wrote the report should come back to verify the fix without charging again for the privilege.

Will a pen test satisfy my SOC 2 auditor?

Most SOC 2 auditors expect to see two things: a current vulnerability-scan cadence with evidence of remediation, and an annual third-party penetration test of your production environment with a letter of attestation. Our standard engagement package covers both.

We deliver a signed attestation letter on firm letterhead summarizing scope, methodology, finding counts by severity, and re-test status — in the format the Big Four, Schellman, A-LIGN, and most regional SOC 2 firms ask for. If your auditor has a custom template, send it during scoping and we'll match it before delivery so you don't spend the last week of the audit cycle chasing paperwork.

06 / Next Step

Find what your attackers
would find first.

Tell us the scope — an app, a network segment, a facility, a full red-team objective — and the deadline. A senior operator, the one who would run the engagement, will be on a scoping call inside two business days. Every paid assessment includes a remediation re-test and an attestation letter written in the format your auditor expects.