A single-account review (≤10 services, ≤50 resources) typically takes 4-5 working days. Mid-market AWS Organizations (3-10 accounts, EKS or Lambda) takes 7-10 days. Enterprise landing zones (10+ accounts, multi-region, data perimeter) take 10-15 days. Test duration is determined during scoping based on account count and service breadth.

AWS penetration testing engagements at single-account scale range from £6,000 to £10,000. Mid-market (most commonly commissioned) £10,000 to £18,000. Enterprise £18,000 to £28,000. All quotes are fixed-price after scoping with no day-rate surprises.

Yes. Every AWS engagement includes a control-by-control CIS AWS Foundations Benchmark v3.0 assessment. Findings are tagged to specific CIS control IDs (e.g., 1.2 — root account hardware MFA) so your audit team can submit evidence directly. We also reference the AWS Well-Architected Framework security pillar where applicable.

Core AWS services: AWS IAM, AWS S3, AWS EC2, AWS VPC, AWS Lambda, AWS EKS, AWS KMS, Secrets Manager, API Gateway, CloudTrail, RDS, CloudFront. Extended scope on request: ECS, Fargate, Step Functions, EventBridge, SNS, SQS, AppSync, WAF, GuardDuty, Security Hub, AWS Config, Organizations / Control Tower / Landing Zone.

Read-only by default. We use the AWS-managed SecurityAudit IAM role for the discovery and CIS audit phases. Manual exploitation phases — IAM privilege escalation, IMDS attacks, EKS escape attempts — only run with explicit written authorisation per resource type, in agreed maintenance windows, with full audit-log capture.

Yes. EKS reviews include control-plane configuration, RBAC scrutiny, IAM Roles for Service Accounts (IRSA), pod security standards (PSS), node IAM trust, container image registry security, network policies, and pod-to-node escape paths via IMDSv1 abuse, hostPath mounts, or privileged containers.

Multi-account testing is fully supported. We map the entire Organizations structure, evaluate Service Control Policies (SCPs), audit cross-account trust relationships, review AWS Control Tower / Landing Zone deployments, and test data perimeter enforcement (RCPs in preview, plus existing identity / service / resource perimeters).

Yes. Pre-deployment IaC review is offered as a separate engagement or bundled with cloud testing. We review Terraform / OpenTofu, CloudFormation, AWS CDK, and Pulumi for misconfigurations, secret leakage, and policy violations before the resources hit your AWS account.

Yes. Every finding ships with prioritised remediation guidance and where applicable, example Terraform / CloudFormation patches. For high-severity findings we include direct engineer access via our portal so your platform team can ask follow-up questions during remediation.

Yes. IMDSv2 enforcement is one of the most common AWS findings — IMDSv1 allows server-side request forgery (SSRF) to retrieve EC2 instance metadata including IAM credentials. We test every EC2 instance, Lambda, and ECS task to verify IMDSv2 is enforced and IMDSv1 is disabled.

All AWS testers are vetted UK or international engineers. Relevant certifications across the team include CREST CRT and CCT INF, AWS Certified Security – Specialty, OSCP, OSCE, and platform-specific specialisms (e.g., Kubernetes CKS, eMAPT). SC-cleared testers are available for public-sector and regulated-financial engagements.

Yes. Standard NDA before any technical detail is shared, and we operate under a project-specific master agreement that includes data handling, deliverable IP, and breach notification clauses. Custom MSAs and AUP terms are accepted for enterprise and public-sector clients.