Golonex

Security Operations

EDR · MDR · XDR Email Security SOC Monitoring & SIEM Continuous VAPT Security Awareness Training

IT & Governance

Configuration Management Backup & DR / BCP IT & Security Governance IS Audit Readiness Compliance Readiness

Advisory & AI

Fractional Leadership AI Automation Solutions Lab Staff Augmentation Hire with us Our Work Industries About Contact Blog Golonex Press ↗ Golonex Tools ↗ ◆ Golonex Ready Book a Call →
Continuous VAPT

Find the gaps before an attacker does — and keep finding them.

Annual pen tests find what was exposed twelve months ago. Golonex delivers continuous vulnerability assessment running alongside periodic manual penetration testing — so your attack surface is understood at all times, not just at the point of the last report.

Continuous Layer

Always-on attack surface monitoring

Between manual engagements, your external attack surface is continuously monitored. New exposed assets, credential leaks, misconfigured cloud resources, and open ports are flagged in real time — not discovered at the next annual test.

Periodic Layer

Manual penetration testing by named testers

On a defined cadence — quarterly, bi-annual, or annual — named Golonex testers conduct deep manual assessments across agreed targets. The things scanners miss: chained vulnerabilities, business logic flaws, and environment-specific attack paths.

Together, continuous monitoring and periodic manual testing close the gap where real attacks happen — between last year's report and today.

What We Test

Six assessment types, one continuous programme

Every engagement is scoped to your environment. The continuous layer runs across all in-scope targets; the periodic manual layer goes deep on agreed targets at each engagement.

🔄

Continuous Attack Surface Scanning

Your external and internal attack surface is monitored continuously. New assets, exposed ports, misconfigured services, and credential exposures are flagged as they appear — not 12 months later at the next annual test.

🌐

Network & Infrastructure VAPT

External perimeter and internal network assessments. Identify misconfigured services, exposed management interfaces, lateral movement paths, and privilege escalation vectors across your entire network.

🖥️

Web Application VAPT

OWASP Top 10 and beyond. Manual and automated testing of web applications, REST and GraphQL APIs, authentication flows, and business logic. Detailed proof of concept for every finding.

☁️

Cloud Configuration Assessment

AWS, Azure, and GCP posture reviews run as part of the continuous programme. IAM misconfigurations, exposed storage, unencrypted data, and overprivileged roles surfaced in real time.

📱

Mobile Application VAPT

iOS and Android assessments covering local data storage, network communication, authentication, session handling, and reverse engineering exposure — added to the continuous rotation.

🎯

Red Team Engagements

Goal-based adversary simulation as a periodic overlay on the continuous programme. Tests your detection and response capability against a realistic threat actor, not just your perimeter controls.

The Periodic Engagement

Six phases, every manual engagement

Each periodic penetration test follows a defined process — from scoping to attestation. No shortcuts, no handoffs mid-engagement.

01

Scoping

Every periodic engagement begins with a scoping session. We agree on targets, rules of engagement, timing, and success criteria before a single test runs.

02

Manual testing

Named testers conduct in-depth manual assessment — the things automated scanners miss: business logic flaws, chained vulnerabilities, authentication bypasses, and context-specific attack paths.

03

Findings report

Every finding is severity-rated (Critical to Informational), documented with a proof of concept, and mapped to a specific remediation action. No scanner exports, no generic recommendations.

04

Debrief

A live debrief with your technical team walks through every critical and high finding. Questions answered, remediation priorities agreed.

05

Retest

Critical and high findings are retested after remediation to confirm they are closed — not just patched on paper.

06

Attestation

An attestation letter suitable for auditors, customers, and compliance evidence packs is issued at the close of each periodic engagement.

What You Receive

Continuous visibility and periodic evidence

Every deliverable is designed to be useful to three audiences: your technical team, your leadership, and your auditors.

  • Continuous dashboard — live view of your current attack surface and open findings
  • Monthly digest — new findings, closed findings, risk trend over time
  • Executive summary — risk narrative for leadership, no jargon
  • Technical findings report — severity-rated, with PoC and evidence
  • Remediation guidance — specific, actionable fixes for each finding
  • Retest confirmation — written confirmation that critical/high findings are closed
  • Attestation letter — for auditors, customers, and compliance packs
  • Compliance mapping — findings mapped to ISO 27001 Annex A, DPDP, or PCI DSS controls
Why Golonex

What makes this different

Continuous + periodic

Most firms do annual pen tests. We run continuous attack surface assessment between periodic manual engagements — closing the gap where real attacks happen.

Named testers

You know who is testing your environment. Not a faceless team, not an offshore queue. The same named tester understands your environment over time.

Manual-first

Automated scanners find the obvious. Our testers find what scanners miss — logic flaws, chained exploits, and environment-specific attack paths.

Remediation through close

We stay engaged through the fix cycle and confirm closure with a retest. A finding that is not closed is still open.

FAQ

Frequently asked questions

What's the difference between a one-time pen test and your continuous VAPT programme? +

A one-time pen test tells you what was exposed on the day of testing — useful for a compliance checkbox but not for ongoing security. Continuous VAPT runs attack surface monitoring between periodic manual tests, so new assets, exposures, and misconfigurations are caught as they appear rather than discovered twelve months later. The periodic manual engagement goes deep; the continuous layer keeps watch in between.

Does this satisfy RBI BCSF VAPT requirements for banks? +

Yes. RBI BCSF requires periodic VAPT of internet-facing systems and infrastructure. Our reports are structured to produce the evidence an IS auditor expects: scope documentation, methodology, severity-rated findings with proof-of-concept, remediation actions, retest confirmation, and an attestation letter. We map findings to RBI BCSF controls so the evidence pack is organised the way an auditor will review it.

Are your testers certified? +

Yes. Our pen testing team holds industry-recognised certifications including OSCP (Offensive Security Certified Professional) and CEH. Every periodic engagement is conducted by a named tester — not an unnamed queue — so you know who ran the test, can ask them questions at the debrief, and have a named individual to reference in your audit evidence.

Can we start with just web applications and add more scope later? +

Yes. Most engagements start with the highest-risk surface — web applications and external perimeter — and expand to internal network, cloud, or mobile in subsequent cycles. We scope each periodic engagement separately, so you're never paying for coverage you haven't prioritised.

What do we receive at the end of an engagement? +

A severity-rated technical findings report with proof-of-concept for every finding, an executive summary for leadership, remediation guidance for your development or infrastructure team, written retest confirmation for closed findings, and an attestation letter suitable for auditors, enterprise customers, and compliance evidence packs.

Get Started

Start with a scoping conversation

Golonex runs a no-commitment scoping call to understand your environment, agree on targets, and recommend a continuous VAPT programme that fits your risk profile and compliance requirements.