Scope of actual exposure
The test is directed at the real external surface — including shadow IT, subsidiaries, and supply chain — not just a static list.
SERVICE ON DEMAND · PENTEST
A formal and targeted penetration test against your external surface — for when there is a specific date and reason: an audit, a certification, due diligence, or a launch. With a difference that defines the outcome: the scope is built on what is actually exposed.
WHAT IS
Not every testing need is continuous. There are times when what is needed is a formal evaluation with a defined beginning, middle, and end: an audit that requires independent evidence, an ISO 27001 or PCI DSS certification, due diligence for M&A, a client or regulator requirement, or the day before launching a new environment.
The One-Time Pentest delivers exactly this—a proactive, non-destructive offensive test conducted within an agreed-upon scope with a formal report at the end. The difference lies in how the scope is defined. A one-time pentest only validates what its scope covers: testing the same known list leaves out precisely what was not registered. CSURFACE first maps the real external surface—shadow IT, subsidiaries, and digital supply chain—and directs the test where the actual exposure is. The attacker follows the path of least resistance; the test must reflect this reality.
BENEFITS
The test is directed at the real external surface — including shadow IT, subsidiaries, and supply chain — not just a static list.
Active tests confirm what is actually exploitable. The report describes real risk, not CVSS theory.
Executive summary and technical detail with evidence — ready for audit, certification, or board review.
A round of retesting after remediation confirms the closure of addressed findings.
Tests designed to confirm risk without causing downtime. Sensitive actions only with explicit authorization.
Package of evidence ready for ISO 27001, PCI DSS, BACEN, and LGPD — in the format that regulators expect.
WHAT YOU GET
FOR WHO
Need an independent test for an audit, a certification (ISO 27001, PCI DSS) or a regulatory requirement with a deadline.
Are going through M&A due diligence and need a point-in-time and formal security assessment.
Are launching a product, a brand or a new environment and want an invasion test before going live.
EXPOSURE IS A PROCESS
The following week, a deployment publishes a new route and a dependency gains a CVE. If your need is to ensure that the surface remains tested over time — not just on a single day —, then Continuous Pentest is the way forward.
Learn about Continuous Pentest →WITHOUT OBLIGATION
Provide your initial domains. CSURFACE performs a free attack surface sizing without cost and sends along a quote for the Pentest on Demand within up to 72 business hours.