Methodology built for real adversaries

Every Rimrock engagement is led end-to-end by a senior consultant — the same person scopes the work, runs the test, and writes your report. Aligned to PTES, NIST SP 800-115, and OWASP so your results are repeatable, defensible, and accepted by auditors and cyber-insurers.

7 Phases. No shortcuts.

From the first scoping call to the final debrief, here is exactly what happens and why each step matters.

Phase 01
Scoping & Authorization
  • Define objectives, targets, in-scope / out-of-scope assets, testing windows, and emergency contacts.
  • Sign a written Rules of Engagement and an Authorization Letter before any testing begins. Nothing is touched without your written go-ahead.
  • Map the engagement to the relevant compliance driver (e.g., NIST 800-171 control families, cyber-insurance requirements).
Phase 02
Reconnaissance & Intelligence
  • Passive and active discovery of your external footprint, exposed services, and attack surface (per NIST 800-115 / PTES intelligence-gathering).
  • For social-engineering and physical engagements: open-source intelligence on people, locations, and process.
Phase 03
Threat Modeling & Vulnerability Analysis
  • Identify likely attack paths the way a real adversary would prioritize them — not just a scanner's raw output.
  • Manual validation of every finding to remove false positives — the step automated tools skip.
Phase 04
Exploitation & Attack-Path Chaining
  • Safely demonstrate real impact: chaining lower-severity issues into a meaningful breach, privilege escalation, and lateral movement.
  • This is the core of what a human does that a scanner cannot — proving exploitability, not just presence.
Phase 05
Physical & Social Engineering (optional add-on)
  • Physical intrusion assessment: tailgating, badge cloning, lock bypass, unattended-workstation access.
  • Phishing simulation / pretext calls to test the human layer, since phishing and pretexting remain among the most common initial-access vectors in real intrusions.
Phase 06
Post-Exploitation & Risk Demonstration
  • Document what an attacker could reach, exfiltrate, or disrupt — framed in business terms (downtime, data loss, contract and compliance impact).
  • All access is documented and cleaned up; no production data is exfiltrated or retained.
Phase 07
Reporting & Debrief
  • A report written for two audiences: an executive summary your leadership can read, and technical detail your IT team or MSP can act on.
  • Findings rated by severity (CVSS), each with clear, prioritized remediation steps.
  • Compliance readiness mapping: findings cross-referenced to NIST 800-171 / CMMC controls so the report supports your audit evidence package.
  • A live walkthrough so you actually understand the results — and a no-charge re-test option to confirm fixes.

What you receive

Every engagement produces a complete evidence package — readable by your leadership and actionable by your technical team.

Executive summary — business-language risk overview your leadership can read and share with the board or insurer.
Detailed technical findings with evidence screenshots, reproduction steps, and CVSS severity ratings.
Prioritized remediation roadmap — what to fix first, ranked by exploitability and business impact.
NIST 800-171 / CMMC control mapping — findings cross-referenced to relevant controls to support your readiness posture and audit documentation.
Remediation re-test — verifies your fixes actually worked so you don't guess.
Direct consultant access — talk to the person who did the work, throughout the engagement and after the report is delivered.

How we stay accountable

Every engagement aligns to recognized industry standards — not proprietary checklists — so results are defensible to auditors, insurers, and customers.

PTES
Penetration Testing Execution Standard
Defines the full engagement lifecycle from pre-engagement through reporting. Ensures consistency across every test.
800-115
NIST SP 800-115
NIST's Technical Guide to Information Security Testing and Assessment. Underpins our reconnaissance, discovery, and vulnerability-analysis phases.
OWASP
OWASP Testing Guide / ASVS
Applied to all web-application and API assessments. ASVS supplies the verification levels (L1 to L3) and the specific requirements each web or API finding is mapped against.
CMMC
NIST SP 800-171 / CMMC
Control mapping for Defense Industrial Base and compliance-driven engagements. Findings map directly to control families to support readiness efforts.

What you can count on

Not marketing copy — specific, verifiable commitments that protect you before, during, and after every engagement.

Senior-Led, Capped Load

You get a senior consultant — not a hand-off to a junior analyst. Client load is intentionally capped so every engagement receives full attention.

Authorization First

Written Rules of Engagement and a signed Authorization Letter are required before any testing activity begins. No exceptions.

Fully Insured

Professional liability and Technology E&O coverage is in force for every engagement. Ask to see the certificate of insurance — no hesitation.

Plain-English Reporting

A finding nobody understands never gets fixed. Every report is written so your leadership understands the risk and your team knows how to act.

One-Week Report Turnaround

Full report delivered within one week of testing completion. You won't be left waiting weeks to understand your risk exposure.

Re-Test Included

A no-charge remediation re-test is included to confirm your fixes held. The engagement isn't over until your team has verified the exposure is closed.

See what a report looks like
Review a redacted sample engagement report — executive summary, technical findings, CVSS ratings, and NIST 800-171 control mapping included.

Ready to know what's actually exposed?

Schedule a free consultation. No pitch, no obligation — just a straight conversation about your environment and what an assessment would cover.
