Find the gaps before an attacker does — and keep finding them.
Annual pen tests find what was exposed twelve months ago. Golonex delivers continuous vulnerability assessment running alongside periodic manual penetration testing — so your attack surface is understood at all times, not just at the point of the last report.
Always-on attack surface monitoring
Between manual engagements, your external attack surface is continuously monitored. New exposed assets, credential leaks, misconfigured cloud resources, and open ports are flagged in real time — not discovered at the next annual test.
Manual penetration testing by named testers
On a defined cadence — quarterly, bi-annual, or annual — named Golonex testers conduct deep manual assessments across agreed targets. The things scanners miss: chained vulnerabilities, business logic flaws, and environment-specific attack paths.
Together, continuous monitoring and periodic manual testing close the gap where real attacks happen — between last year's report and today.
Six assessment types, one continuous programme
Every engagement is scoped to your environment. The continuous layer runs across all in-scope targets; the periodic manual layer goes deep on agreed targets at each engagement.
Continuous Attack Surface Scanning
Your external and internal attack surface is monitored continuously. New assets, exposed ports, misconfigured services, and credential exposures are flagged as they appear — not 12 months later at the next annual test.
Network & Infrastructure VAPT
External perimeter and internal network assessments. Identify misconfigured services, exposed management interfaces, lateral movement paths, and privilege escalation vectors across your entire network.
Web Application VAPT
OWASP Top 10 and beyond. Manual and automated testing of web applications, REST and GraphQL APIs, authentication flows, and business logic. Detailed proof of concept for every finding.
Cloud Configuration Assessment
AWS, Azure, and GCP posture reviews run as part of the continuous programme. IAM misconfigurations, exposed storage, unencrypted data, and overprivileged roles surfaced in real time.
Mobile Application VAPT
iOS and Android assessments covering local data storage, network communication, authentication, session handling, and reverse engineering exposure — added to the continuous rotation.
Red Team Engagements
Goal-based adversary simulation as a periodic overlay on the continuous programme. Tests your detection and response capability against a realistic threat actor, not just your perimeter controls.
Six phases, every manual engagement
Each periodic penetration test follows a defined process — from scoping to attestation. No shortcuts, no handoffs mid-engagement.
Scoping
Every periodic engagement begins with a scoping session. We agree on targets, rules of engagement, timing, and success criteria before a single test runs.
Manual testing
Named testers conduct in-depth manual assessment — the things automated scanners miss: business logic flaws, chained vulnerabilities, authentication bypasses, and context-specific attack paths.
Findings report
Every finding is severity-rated (Critical to Informational), documented with a proof of concept, and mapped to a specific remediation action. No scanner exports, no generic recommendations.
Debrief
A live debrief with your technical team walks through every critical and high finding. Questions answered, remediation priorities agreed.
Retest
Critical and high findings are retested after remediation to confirm they are closed — not just patched on paper.
Attestation
An attestation letter suitable for auditors, customers, and compliance evidence packs is issued at the close of each periodic engagement.
Continuous visibility and periodic evidence
Every deliverable is designed to be useful to three audiences: your technical team, your leadership, and your auditors.
- ✓ Continuous dashboard — live view of your current attack surface and open findings
- ✓ Monthly digest — new findings, closed findings, risk trend over time
- ✓ Executive summary — risk narrative for leadership, no jargon
- ✓ Technical findings report — severity-rated, with PoC and evidence
- ✓ Remediation guidance — specific, actionable fixes for each finding
- ✓ Retest confirmation — written confirmation that critical/high findings are closed
- ✓ Attestation letter — for auditors, customers, and compliance packs
- ✓ Compliance mapping — findings mapped to ISO 27001 Annex A, DPDP, or PCI DSS controls
What makes this different
Continuous + periodic
Most firms do annual pen tests. We run continuous attack surface assessment between periodic manual engagements — closing the gap where real attacks happen.
Named testers
You know who is testing your environment. Not a faceless team, not an offshore queue. The same named tester understands your environment over time.
Manual-first
Automated scanners find the obvious. Our testers find what scanners miss — logic flaws, chained exploits, and environment-specific attack paths.
Remediation through close
We stay engaged through the fix cycle and confirm closure with a retest. A finding that is not closed is still open.
Frequently asked questions
What's the difference between a one-time pen test and your continuous VAPT programme? +
A one-time pen test tells you what was exposed on the day of testing — useful for a compliance checkbox but not for ongoing security. Continuous VAPT runs attack surface monitoring between periodic manual tests, so new assets, exposures, and misconfigurations are caught as they appear rather than discovered twelve months later. The periodic manual engagement goes deep; the continuous layer keeps watch in between.
Does this satisfy RBI BCSF VAPT requirements for banks? +
Yes. RBI BCSF requires periodic VAPT of internet-facing systems and infrastructure. Our reports are structured to produce the evidence an IS auditor expects: scope documentation, methodology, severity-rated findings with proof-of-concept, remediation actions, retest confirmation, and an attestation letter. We map findings to RBI BCSF controls so the evidence pack is organised the way an auditor will review it.
Are your testers certified? +
Yes. Our pen testing team holds industry-recognised certifications including OSCP (Offensive Security Certified Professional) and CEH. Every periodic engagement is conducted by a named tester — not an unnamed queue — so you know who ran the test, can ask them questions at the debrief, and have a named individual to reference in your audit evidence.
Can we start with just web applications and add more scope later? +
Yes. Most engagements start with the highest-risk surface — web applications and external perimeter — and expand to internal network, cloud, or mobile in subsequent cycles. We scope each periodic engagement separately, so you're never paying for coverage you haven't prioritised.
What do we receive at the end of an engagement? +
A severity-rated technical findings report with proof-of-concept for every finding, an executive summary for leadership, remediation guidance for your development or infrastructure team, written retest confirmation for closed findings, and an attestation letter suitable for auditors, enterprise customers, and compliance evidence packs.
Start with a scoping conversation
Golonex runs a no-commitment scoping call to understand your environment, agree on targets, and recommend a continuous VAPT programme that fits your risk profile and compliance requirements.