AEGYS PENTEST

Prove what an attacker could actually do.

AEGYS Pentest autonomously shows which attack paths are actually exploitable in your environment — not as a theoretical vulnerability list, but as a proven demonstration. Fast, safe in production, with a report for auditors and leadership.

This page describes AEGYS Pentest. The continuous Monitor is explained on its own page, AEGYS Monitor.

A 15-minute intro call. Fixed price once the scope is set.

WHEN A PENTEST COUNTS

Three situations where a pentest really counts

A pentest isn't "nice to have." In three situations it becomes a reliable basis for decisions — and for the legal protection of leadership.

COMPLIANCE AUDITS

Compliance audits and frameworks

Major US frameworks expect penetration testing as evidence that your controls actually work. PCI DSS 4.0 explicitly requires annual penetration tests — and tests after any significant change. SOC 2 auditors universally expect a pentest as evidence for the Trust Services Criteria. For healthcare, a proposed HIPAA rule update is set to make annual testing mandatory for covered entities.

AEGYS Pentest delivers an audit-ready final report mapped directly to the framework you're being measured against.

CYBER INSURANCE

Insurance and supply-chain pressure

Cyber insurers increasingly require penetration tests as a condition or discount for coverage. Larger customers demand proof from suppliers, especially in regulated industries.

An AEGYS Pentest report works as compliance evidence in the insurance and supply-chain context — structured for insurers, auditors, and leadership.

AFTER MAJOR CHANGES

Before and after major IT changes

New systems, migrations, cloud onboarding, M&A integration — such changes need more than an annual pentest. PCI DSS explicitly requires testing after significant changes, not just on a calendar.

AEGYS Pentest runs point-in-time or continuously — testing exactly where something has changed since the last test.

An important development: leading compliance advisors warn that a once-a-year pentest is no longer enough in many regulated settings — PCI DSS even requires segmentation testing every six months for service providers. AEGYS Pentest is therefore built as a subscription with continuous testing — and available as a one-time engagement when needed.

HOW IT WORKS

Three steps. That's it.

From intro call to report. What happens technically is transparent — and so is what you get in the report.

01

Scope definition

In the intro call we define together what gets tested.

Internal network, external attack surface, cloud environment (AWS / Azure / Microsoft 365), Active Directory, or several combined. You define what should be covered — we define what's technically sensible. The scope follows from both.

You get a fixed price before any engagement — no hidden costs, no day rates that creep up.

02

Autonomous test

AEGYS Pentest runs without you having to do anything.

The pentest engine is deployed within the defined scope — for an internal test as a virtual component in your network, for an external test from our analysis environment in the location you choose. You follow the test progress in the real-time dashboard, but don't have to participate actively.

The engine chains vulnerabilities like a real attacker: compromised credentials, misconfigurations, exposed services, lateral movement, privilege escalation, data access. Proven paths — not a theoretical CVE list. First results often within hours.

Safe in production: proven pentest-engine technology with over 100,000 documented production tests and zero downtime incidents.

03

Analysis and report

Paths become a basis for decisions.

The report isn't a 200-page vulnerability list. It typically focuses on 2–5 critical attack paths — the routes an attacker would take into your environment. With concrete remediation recommendations, prioritized by risk.

On request, we review the results together with your team — structured, clear, no room for interpretation. After remediation, we run a re-test that confirms the paths are actually closed.

RESULT

What ends up on the table

You get more than technical findings. You get a report you can argue with — in front of auditors, insurers, and leadership.

  • Proven attack paths — typically 2–5 critical paths per test, with proof instead of assumptions.
  • Management summary — understandable for leadership and the board, not just for engineers.
  • Compliance mapping — each finding mapped to the framework you're measured against (SOC 2 Trust Services Criteria, PCI DSS requirements, HIPAA Security Rule), audit-ready.
  • MITRE ATT&CK mapping — the attack techniques used, aligned to the standard framework.
  • Remediation recommendations — prioritized by risk and feasibility, with concrete steps.
  • Re-test after remediation — we confirm the critical paths are actually closed.

Proof, not assumptions. Paths, not lists. Clarity, not noise.

DEPLOYMENT MODES

Once or continuous

Compliance requirements and the reality of modern threats point to two sensible deployment options.

ONE-TIME

One-time pentest (entry)

A defined pentest engagement with clear scope, fixed price, and final report. With re-test after remediation on request. No subscription, no contract lock-in.

Typical as an entry point, before a first audit, before an insurance renewal, or after a major IT change.

SUBSCRIPTION

Pentest subscription (standard)

Continuous autonomous tests on a cadence agreed with you — weekly, monthly, or after every major change. Asset-based subscription model, cancelable anytime.

Suitable for organizations that take compliance seriously — and understand that "once a year" is no longer enough as evidence.

A common path in practice: one-time pentest as entry → analysis reveals open paths → transition to the continuous subscription. We'll clarify which fits in the intro call.

DATA PROTECTION

Analyzed where you choose — like everything with us

A pentest generates sensitive data: your environment's vulnerabilities, compromised credentials, exploited paths. Where that data is processed is not a trivial matter.

Analyzed where you choose

The pentest engine and analysis run in the environment you choose — on US infrastructure or in Germany. We use no hyperscaler cloud for pentest data; it stays in the location you chose. Results, reports, and history remain under the legal framework you chose.

Data-protection compliance

Data-processing agreement as standard. Clearly defined scope, documented deletion processes after the engagement ends, NDA standard for every test. GDPR-grade protection.

Safe in production

The pentest engine is based on a proven platform with over 100,000 production tests and zero downtime incidents. Rules of engagement and blast radius are configured before every test.

WHERE IT FITS — AND WHERE IT DOESN'T

What the pentest doesn't do

AEGYS Pentest is a specific answer to a specific question. What it isn't, we state as clearly as what it is.

  • Not a classic multi-week pentester engagement

    AEGYS Pentest runs autonomously — no weeks of waiting for an available pentester, no day rates that creep up. If you want a red-team engagement with social engineering and multiple pentesters for a large enterprise, specialized boutique providers are a better fit.

  • Not a vulnerability scanner

    Vulnerability scanners produce CVE lists without proof of exploitability. AEGYS Pentest proves paths — you know which of the 5,000 theoretical vulnerabilities are actually dangerous.

  • Not a replacement for monitoring

    What happens between pentests, the pentest doesn't see. For continuous visibility into ongoing activity, there's AEGYS Monitor.

  • Not protection

    The pentest finds paths but blocks no attacks. Protection requires firewalls, EDR, IPS, and hardening measures; the pentest shows where those are missing or ineffective.

These limits aren't weaknesses — they're the sharp definition of what the pentest delivers. If you need to solve a different task, you need a different tool.

COMMON QUESTIONS

What leaders and IT owners typically ask

Talk to a customer

If you'd like, we'll arrange a direct conversation with companies already using AEGYS.

No in-house security team, but you have an IT provider?

That's the norm. Often your existing provider can run the ongoing analysis through AEGYS themselves — and if not, a security partner takes it over. We'll clarify what fits in the intro call.

15-minute intro call

See what's happening. And what could happen.

A 15-minute intro call is enough to clarify what fits your situation. If we can help, we take the next step together. If not, we'll say so honestly.

Backed by an advisory board from NATO Digital Capability, KIT research, and international threat research.

Background: Vulnerability scan vs. penetration test vs. security validation