Methodology

First we scan like a defender. Then we attack like an adversary.

A scanner produces a list. We turn the list into proof and remove everything that isn’t real before it reaches your engineers. Here’s exactly how.

01 · scan

Scope & authorization

Systems, test accounts, roles, rate limits, exclusions, escalation paths, and written authorization.

02 · scan

Baseline scans + security researcher

Dependencies, cloud posture, SAST, secrets, IaC, and known CVEs, plus an AI security researcher surfacing novel, previously unseen vulnerabilities.

03 · scan

Correlate & target

Deduplicate, map ownership, check reachability, and prioritize the paths worth attacking.

04 · attack

AI-driven exploitation

DeepExploit and the AI security researcher verify each other’s findings, turning every confirmed exploit into the lead for the next.

05 · attack

Human validation

Operators confirm exploitability, strip noise, correct severity, and make every finding safe and accurate.

06 · deliver

Fix-ready output

Reproduction steps, impact, severity, affected assets, remediation guidance, and retest status.

Beyond known CVEs

An AI security researcher on every engagement.

A scanner only knows what’s already been published. Our AI security researcher hunts for novel, previously unseen vulnerabilities, the kind a motivated attacker finds first. Every candidate is then human-validated before it reaches you.

When it’s not on the menu

We build the test for your target.

The six steps above are how we run a standard engagement. But offensive security is bespoke by nature, and plenty of targets don’t fit a fixed menu. When yours doesn’t, we build the approach around it instead of bending your system to fit ours.

01 · tell us

Describe the target

An unusual stack, a niche framework, a custom protocol, embedded or OT, a brand-new AI system: whatever doesn’t fit a standard box.

02 · now

Operators handle it

Human-driven testing reaches what off-the-shelf tooling can’t. You get real coverage today, not “we don’t support that.”

03 · next

We extend coverage

What we learn becomes part of our tooling, so the next engagement against that kind of target is faster and deeper, for you and everyone after.

The honest part: if something can’t be meaningfully tested, or falls outside what we can do well, we’ll say so up front. A straight answer is worth more than a sale we can’t deliver.

DeepExploit attacks & proves

We find what’s exploitable, validate it by hand, and hand you evidence your engineers can act on.

Operative fixes & governs

Remediation, compliance execution, and ongoing security ownership. joinoperative.com

See the method on your systems.

Tell us the target and the deadline, and we’ll scope it and tell you what we can prove.