Frequently Asked Questions

We’ve compiled answers to common questions to help you understand our services and how we work.Find quick and clear information on technical details, pricing, and support.
If you need more help, feel free to contact our team.

Answers to Your Most Common Questions

Timelines vary by scope. A web application assessment typically takes 5–10 business days. Network assessments range from 3–7 days. Red team exercises can run 2–4 weeks for comprehensive coverage. We provide a detailed timeline during the scoping call based on your environment and objectives.

We begin with a free scoping call — usually 30–60 minutes — to understand your environment, objectives, and any constraints. From that discussion we produce a detailed Scope of Work and Statement of Work document that defines exactly what will be tested, what is off-limits, testing windows, escalation contacts, and deliverables. No work begins until both parties have signed the agreement.

Yes. We offer quarterly assessment retainers for organisations that want continuous security coverage, as well as annual programmes combining scheduled VAPT cycles, compliance support, and on-demand advisory hours. Retainer clients receive priority scheduling and preferred rates.

We take a careful, controlled approach to all testing. Before any engagement begins we define clear Rules of Engagement — testing windows, off-limits systems, and escalation procedures. For production environments we coordinate testing during low-traffic periods and immediately halt and notify you if any unexpected impact is observed.

Black-box testing gives our assessors no prior knowledge of your systems — simulating an external attacker with zero inside information. Grey-box provides partial information (architecture diagrams, user credentials, some source code) — the most common choice as it balances realism with coverage depth. White-box gives full access to source code, infrastructure configs, and documentation — maximising finding depth for the time invested. We'll recommend the right model for your objectives during scoping.

Yes. Our team holds industry-recognised certifications including OSCP (Offensive Security Certified Professional), CEH (Certified Ethical Hacker), CISA, CISSP, and ISO 27001 Lead Auditor, among others. Certification details can be provided on request for due diligence purposes.

All engagements include: an Executive Summary for leadership (risk overview, business impact, key findings); a Technical Report with detailed findings, CVSS scores, proof-of-concept evidence, and remediation guidance; and a Debrief call to walk through findings with your team. Re-test of critical and high findings is included at no additional cost.

We use CVSS v3.1 base scores as a starting point, but we adjust severity based on your actual business context — a medium-CVSS finding that exposes customer PII in your environment may be escalated to Critical in our report. Every finding includes a business-impact statement so non-technical stakeholders understand what's actually at risk, not just a technical description.

Draft reports are delivered within 5 business days of testing completion for standard engagements. For time-sensitive situations (upcoming audits, compliance deadlines), we offer expedited delivery — discuss this during scoping and we'll accommodate where possible.

All findings are shared exclusively with designated client contacts over encrypted channels. We sign NDAs before work begins. Any client data accessed during testing is handled under strict confidentiality obligations and destroyed from our systems within 30 days of report delivery unless a longer retention period is agreed. We operate a zero-tolerance policy on any external disclosure of findings.

Yes — always. A mutual NDA is a standard part of our engagement process, signed before any scoping information is exchanged. We're happy to work from your standard NDA template or provide our own. Engagements never begin without a signed NDA and a signed Statement of Work.

Yes. Our reports are structured to directly support common compliance requirements. ISO 27001 (Annex A 8.8 — management of technical vulnerabilities) explicitly requires periodic penetration testing. PCI DSS requires annual penetration tests and post-change testing. SOC 2 Type II auditors look for evidence of regular security assessments. We can tailor report structure and evidence packaging to match your specific compliance framework on request.

We test AI systems against the OWASP LLM Top 10 framework — covering direct and indirect prompt injection, system prompt extraction, data leakage via model outputs, guardrail bypass, excessive agency, and training data poisoning scenarios. We also assess integration risk: what tools, APIs, and data sources the LLM has access to, and what an attacker could achieve by manipulating it. Every engagement includes both technical findings and strategic AI governance recommendations.

Yes. We offer dedicated compliance advisory for India's Digital Personal Data Protection Act (DPDPA) and ISO 42001 (AI Management Systems). Both are relatively new frameworks and many organisations are at early stages of readiness. We can run a gap assessment, help you build the required controls and documentation, and support you through to certification or regulatory readiness — depending on your goal.

Protect Your Digital World with EsquivaTech

EsquivaTech protects your digital infrastructure with advanced cybersecurity solutions—keeping your data, systems, and business safe from evolving threats.