Book a scoping call
Cybersecurity servicesOffense · Defense · Education

Find the gaps.Stop the bleed.Train the team.

Cyberfy runs offensive testing, blue-team defense, and live-fire training for security teams that need to win — not look busy.

30-minute scoping call to agree the scope
What we do

Offense, defense, and the people who run both.

01Offense

Penetration testing

Reports name the path, the privilege, and the patch — written for the team that has to fix it.

  • External + internal network
  • Web · API · mobile
  • Cloud (AWS · Azure · GCP)
  • Full-spectrum red team
View pentest scopes
02Defense

Blue team / SOC

Detection, dwell-time hunting, and incident response — run by operators who have worked the other side of the table.

  • Continuous detection coverage
  • Detection engineering
  • Threat hunting
  • Incident response on retainer
Talk to a defender
03Educate

Training & ranges

Tabletop scenarios, live-fire ranges, and certification tracks for blue, red and purple teams. No slideware. No cert mills.

  • Live-fire cyber range
  • Tabletop scenarios
  • Certification prep tracks
  • Custom team workshops
Browse the catalogue
The engagement loop

We test it. You fix it.
We retest.

Every engagement closes with a free retest. The deliverable is a hardened environment — not a PDF that ages in a drive.

  1. 01

    Scope

    30-minute call. We confirm a pentest is the right tool.

  2. 02

    Kickoff

    NDA in place, target locked, daily standups scheduled.

  3. 03

    Test

    Manual exploitation. You see what we see, when we see it.

  4. 04

    Deliver

    Written report with exploit chain, evidence, patch path.

  5. 05

    Retest

    Within 60 days. Each finding closed or formally accepted.

Always on

We watch what's coming so you don't have to.

Continuous monitoring, threat hunting, and incident response — run by people who've spent time on both sides of the keyboard. The person who triages your alert is the person who walks you through the response.

  • Continuous detection coverage
  • Detection engineering
  • Threat hunting
  • Incident response
Reporting

What's in every finding.

Every finding includes the exploit chain, the privilege gained, the evidence, and the patch path.

  • Exploit chainStep-by-step reproduction with commands.
  • EvidenceScreenshots, packet captures, log excerpts.
  • Patch pathCode-level remediation, not vendor advice.
  • RetestRe-validated within 60 days. Included.
Sample finding · illustrativeF · 2026 · 014
Severity
Critical
CVSS 3.1
9.1

Privilege escalation via misconfigured ADCS template

A standard domain user can enroll for a certificate template flagged for client authentication, then use the issued certificate to authenticate as any user — including domain administrators.

Vector
Authenticated · Network
MITRE
T1649
Discovered
Day 3 / pentest
Exploit chain
  1. Authenticate
    Standard domain user · jdoe@████████
  2. Enumerate ADCS
    certipy find -vulnerable
  3. Enroll certificate
    Template ESC1 · Client Auth EKU
  4. Request TGT as DA
    Domain Administrator obtained
Fix

Remove the Client Authentication EKU from the template, or restrict enrollment to a security group of authorised service accounts.