OFFCEPT
All Engagements
Real testing by experienced operators. Threat-informed scoping, actionable reporting, and verified remediation.
See Methodology

What We Do

Penetration Testing
Manual testing that finds what scanners miss
Red Team Operations
Multi-week adversary simulations
CTEM
Continuous threat exposure management
Threat Intelligence
Data breach, dark web, and credential monitoring
EDR & XDR Testing
Endpoint detection gap analysis and evasion testing
Phishing & Social Engineering
Real campaigns, not generic templates
AI & LLM Security
Testing AI systems and LLM integrations
Zero-Day Research
Hunting undiscovered vulnerabilities
Reverse Engineering
Binary analysis, malware, and firmware
How We Work
From scoping to verified remediation in four phases. Every engagement follows the same structure, adapted to your threat landscape.
Full Breakdown

The Process

01 Scoping & Threat Model
Profile threat actors, map attack surface, define objectives
02 Testing & Exploitation
Manual testing, chained vulnerabilities, real attack paths
03 Reporting & Debrief
Proof, impact, remediation path, live walkthrough
04 Remediation & Validation
Re-test fixes, confirm they work, measurable improvement

Latest Posts

[Advisory]

TIBER-EU and DORA: What Financial Institutions Need to Understand Before the Notification Arrives

[Advisory]

NIS2 Compliance in Portugal: Evidence Over Documentation

[Technical Research]

Killing EDR visibility at the kernel: BYOVD

[Technical Research]

ACL Abuse Havoc, a BOF toolkit for AD ACL exploitation via Havoc C2

About OFFCEPT
Built by operators who spent years breaking into networks before building a company around it.
Learn More

Company

About Us
Our team, certifications, and story
Contact
Get in touch with our operators
Let's Talk

Security

Responsible Disclosure

Last updated: 16 May 2026

Our commitment

OFFCEPT operates at the intersection of offensive security research and client service. We understand the value of responsible disclosure and are committed to working with researchers who find vulnerabilities in our systems.

We will not pursue legal action against researchers who follow this disclosure policy in good faith. We ask that you extend the same respect to us that we extend to the security community.

What we promise

  • Acknowledgement within 48 hours of receiving your report
  • Regular updates on our progress towards a fix
  • Credit in our security acknowledgements (if you want it)
  • No legal action against researchers who follow this policy

Scope

The following systems are in scope for responsible disclosure:

  • offcept.com and all subdomains
  • Our client portal and engagement management systems
  • APIs and authentication mechanisms
  • Infrastructure hosting our public-facing services

The following are out of scope:

  • Social engineering or phishing against our employees
  • Denial of service attacks
  • Physical attacks against our offices
  • Third-party services not operated by OFFCEPT
  • Spam or brute-force attacks

How to report

Send an encrypted email to security@offcept.com. Include enough detail to reproduce the issue: affected system, steps to reproduce, and potential impact. Use our PGP key if the finding is sensitive.

The process

  • 1. Report: Send details to security@offcept.com. Include the affected system, steps to reproduce, and potential impact.
  • 2. Acknowledge: We will acknowledge your report within 48 hours and begin investigating. We will keep you updated and may ask follow-up questions.
  • 3. Fix: Once we have developed a fix, we will ask you to confirm it resolves the issue. We aim to resolve critical findings within 7 days and other findings within 30 days.
  • 4. Disclosure: We ask for 90 days before public disclosure. After that, you are free to publish your findings. We will credit you unless you prefer to remain anonymous.

PGP key

We encourage the use of PGP for encrypting sensitive vulnerability reports. Our public key fingerprint is E1CF 291B 8744 D011 FE10 72BF 66F9 3EA1 384A C05F.

OFFCEPT Security <security@offcept.com>
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGoJAy0BEACtlXQxzOnHQ2FpHaQc7cYbG7+BFK4pHbhXLwTlbsSm588y11ar
iHYhBVcMTntH6MDMifAcXl3xqjepxBTWLVqIXXSsCgb5EQLFg5gaJ4YM1VzRJxak
T6jbhrDnU8fqgOu82ZJFqdw1oakCR78Mj7r9L5uqk4sytoc5INiMY1Puhi/Ugxm5
tEoAJofWOFDrFTIjzJIECj8vPiu9FB1bgwA2R0FRwa31YtLch/ryx9TXhM2kECqY
Cpq+ohBmIQDG3ixseVXs4n1OR84i/7kxcYmDZRiNcqvxKUloDdoPtCva7hZFOttx
JgKcw0WxYLgZaiZ1bB/xqd3dn37aj4oFmRg8vRu7WextAeY7TfyNQCWisrvrLagx
GlL4/N37BO704+vOqpzv92E4MDaVMDg+LuuDryq3aAvY66wSDcK8OLU5J3zVraxT
DBr4VjwwBQFBiKZj0GMvK3dduJzuWqmlGyjUtfNmGGTyfISfRWnxrgTUmJI+B8EZ
S0eQbN/KfZ2pz8tVuahGQnGQDegCge7k3CdXFhtruQbeDzRdMIvfSGiOVzwh9crR
c5wWenEYlW2aC7ECuX9Cu5zIdkvJUhKGrhMjc01lnKBkVwsS/XIrpD0mdXvKMXoz
14eCdhFGJljyby/DyeGUAQIZpHih7H54AKUhQj6PW21ESCfUPLy0Q6TKwwARAQAB
tCdPRkZDRVBUIFNlY3VyaXR5IDxzZWN1cml0eUBvZmZjZXB0LmNvbT6JAk8EEwEK
ADkWIQThzykbh0TQEf4Qcr9m+T6hOErAXwUCagkDLQMbLwQFCwkIBwIGFQoJCAsC
BBYCAwECHgECF4AACgkQZvk+oThKwF9DrRAAmOiyK74n8uJvHGTwfD6oracCMCuP
wa1cCNJ2VHpMwpqRa8Dl+OIppXi+PkEq368xvB88daz4wE6nAz/BJuC2yB7/CAPq
QM6//D5AHIWQ7+mtLRGUeLOKgA8UClRBTwZTzqMk5ZaCFD8Uk6IErtK/+zzZFSSu
+VNguQIFuQWTg4OZS2vMuNxV714rcEASlRYNPIYvDtKQkcnS+LUHy8I4/NvWBDLT
3h6Vx2BJu+CboZm7AtwmouCHipOo0bxmdEzIrBOBo6jV4/W0IO7ZY4FdKCRuSgpX
02tPIRdXIukuhboree6aiQoE0VyEuP9kHKw6cm4NpCt7sthPG8mOMLOjgmz/T/FG
H3XsjvntMdb0Y5db9aEZ1AEXSwEA79iFMEH+JrGe2fC2qec73HUfxm+Y+NBRipcg
6t4KrbIL77XI2+WHaRHMYocR4lNsI4hXkbmqIdwCfnrOtVU5y2V8ssWXh2E/cK9W
mKY4tOzk4+K0oikGjd/taIsy5FNSjqI+ijaDhP8TvpeOwaQxCOyBRunbj9vbV92Z
QLL/IfQLKi4ZC5ftEA7jyM/9CNrQez9ZriiAIaLopkpqKH7ORs0hds2R1FU2pDg7
3zsCDtRaQT3CONFoo8WBY0QccB6skQGd0DYVKcWn39URP+cLGLPk/NJWVg3HRvPP
6eRCiWQRCZqOMAe5Ag0EagkDLQEQAMvQnvsuqV6+gj6uzpEP99DL9ZhZWEBQbIQj
/EXkDea8k4RrguVp9alsOUH4QVu5JwtqOR3YgGDvB/KfWjjy0WUjIp9ItSQq5tjv
EAjuZtIlVVUdw/ttyxTMknPvId9gjK1W0rrVro8GejxcDK1XoV+XrIEgDX62EOGW
m5g7BMUNqsTf0FS519Qn1ZLv/liY5DUivIQOpiWSQJF5OZpGVnvskV1DMGjU1usD
ev4jrmqB+jSaJMpi/jjpFyf5k7uoAO7lCAzRf3+XYTbYdKkN42h+wsgg/SpZAasH
CpfLokoOYf03vkme/eIHFHGFA2uSAQk79RwIhF/TDjfKL+j6zQaMHCLZoXAGWowv
Ztp7JoEoBIFrFA3O9s7MmT+Rim6HEd1Sj/qHPCEkDoTpkQOzWa+qy6uo11QYY1cm
YQcp9hJCH/A/rbukvKSMNazfpVtbgrozkbYkBxu+wKAA4/wKX4Z/qjVhXZiuEoLE
OvevYqNCuo81rYOjJOjYqjzUTGrP770uikhZlp843DaRom4CvPS3jki3OGIbNnfA
uJ74WcvZ8fN7l1rY9MFyQR+m7n75vrgaFKSVNTCEZqPcAimzsSs0z2t7rmwi1Lab
sOUEGAt+EDENq0NKzTxhR1GrS7AFRhPy1fwCD1IpHJmuN+/w9HwVdhIMc8hfiaEr
nHL5d3fPABEBAAGJBGwEGAEKACAWIQThzykbh0TQEf4Qcr9m+T6hOErAXwUCagkD
LQIbLgJACRBm+T6hOErAX8F0IAQZAQoAHRYhBBGs/mO9V55vvpuq7qgGsGP4HUP3
BQJqCQMtAAoJEKgGsGP4HUP3UWoQAK+XryQRFXSB49keYyX+v6eShIfZOyotQ4pE
mi26JDaTvrun/Xk5vaAJ6US8oB1ShEMDXrPbbVwALN+2NZ5hPG4c69mBD8jzQ9S+
rBYBMsXmA9evkHHjoGQ7/HlYh5jQrSIydvy6lZmlmdoUukjbOdiRI1/8517AYgpb
Idmoh6eZ9Ebn+ktclz6DbnXRCBdWOL1M6dqPwHLNLruwwN7x2TEuLvAPlwXoPXfF
KwYC78IEF1JDyVKuDgrKE6w4xNImHf+L/Up17HRte6O1JdDJb4m2tP9OtdFY3ymQ
E3QwChUFVa/G3+LSCe8LeapF80s2s0hrpXW4rmWVHA8MRoLoQ4TuhQ2e87eWfCMI
VPOeKI6mJcSsj0vNcfa8s+y8JjcBEnFu9JbEX10Xuv/Q/DxOP2AG9nwhPkZ4BN3k
CaJO5uBS7jstZN9NNGcWuytJTNOGkAiYqeV0RppEK0dupkdPSc+TJPfMrGqgbHty
ILCGt3e/Rhcb7HuyZzNM/YuI00nBKUe/gISnU6AtMJRsjyf+w7CCjcw29dLVHQf4
ySRs5NhB/8QfwXg8JnWx4zBNf0rPooIyk0OD6QmswFC9p9pBjvGz0s+fbrUh1clC
n2HAyPLg9/lpIJ+ECUTTQabM5Gqo3HXT7eXUgtZTUYhR5Wrr1G/p8ZbdzgYdW+uh
QI82GZDU94QP/1zWraJBmrhPYApLp7PaCSq1w6awAH0Yt/TaMJigP384MHLd6wPC
PY2Gjw/3JnCfckzSJQGE+nq+a/wXHiL5YNeBNabrZLGFjr7Qg4svx0xBGgctOUsr
0vFO58q1jLfit+vEdJddrJCltDKsj3HGgz5SZI4Sb9zIxw606yb/l4rEsHjF2GxX
7wKTaSNI5yKx7dTsbW1lLtAYFA2KXMpDtGC3ENRcRxpadP5hb3q2Q6OoAxQVVR3Q
iK2FRHf6V/iK+Bv31BD9yVo6kwWvERT7xO961gP72Lr0BGickS94TZ5p2dxOg+W2
mQATNowCIvsz9kB34CW2pIDgaeinppFCaVWwx/4BvF5hrRvaIz78FZNwk9WfbE4C
Uy6zwIDW4qem6uhou/iaZO3fJNfgRZL3too/7peoQlR/EDRJTCuVZQuJ2IfEayaj
WPDokyIB3Lq9FZy61CVnTTZW6tNi2wGrlTKQ+9399bsnpY9ucQ0MyhBThPtFL6fS
mAPXntMclMLOBhbfssAk77chC97FwCrTjVckALBQ9B5IRT18QTmnRHrqgjpmZ04G
F+UWRghpeI3XglC4vql01QeD9zhiJXOi9cPkTQ5HQvr2h+agCDwcZsLtHG2WPl6R
3OVMvoABlv5x811MMGghoh2TUIpx2oKJz5k8DWQwfhj3winm+kyIqGK5
=Ce47
-----END PGP PUBLIC KEY BLOCK-----

Contact

For vulnerability reports, email security@offcept.com.

We encourage the use of PGP for sensitive vulnerability reports.