Arturs Stay — Founder & Principal Penetration Tester
Founder and Principal Penetration Tester of Cyber Security Pentesting Inc. in Toronto, Ontario, Canada. 20+ years of enterprise technology and cybersecurity experience. Every engagement is personally scoped, executed, and reported by Arturs — no outsourcing, no junior staff, no scanner-only deliverables.
Arturs Stay —
The Practitioner Running Your Engagement
Arturs Stay is the Founder and Principal Penetration Tester of Cyber Security Pentesting Inc., a boutique offensive-security consultancy based in Toronto, Ontario, Canada. He founded the firm to deliver a model that large consultancies cannot: senior, hands-on adversarial testing performed directly by the practitioner the client hires, rather than delegated to rotating junior analysts running automated scanners.
Over a career spanning 20+ years of enterprise technology and cybersecurity, Arturs has worked across offensive security, penetration testing, red team operations, cloud and identity security, and large-scale regulated infrastructure. That breadth is deliberate: durable attack paths usually cross the seams between systems, identities, and business logic, and finding them requires someone who has operated on both the defensive and offensive sides of real enterprise environments.
His practice concentrates on medium-to-large enterprises and regulated Canadian sectors — financial services, healthcare, critical infrastructure, SaaS, and public-sector organisations — where genuine adversarial expertise is required rather than compliance theatre. Clients receive direct access to the practitioner conducting their assessment from kickoff through the final remediation debrief.
Arturs is based in Toronto and serves clients across Canada, the United States, and internationally. An NDA is available before any initial discussion.
No subcontractors, no offshore analysts, no account-management layer. When you engage Cyber Security Pentesting Inc., Arturs Stay personally conducts your assessment from kickoff to final report debrief and signs the deliverable.
Two Decades of
Enterprise & Offensive Security
Arturs Stay's career spans more than twenty years across enterprise technology and cybersecurity. He has worked deep inside large, regulated technology estates — the kind of environments where identity, infrastructure, cloud, and application layers are tightly interdependent and where a single misconfiguration can cascade across an organisation. That operational grounding is what separates his testing from checklist-driven assessments: he has built and defended the systems he is now paid to break.
The transition into full-time offensive security was a natural progression. After years of designing, operating, and securing enterprise systems, Arturs specialised in adversary simulation — penetration testing, red team operations, Active Directory and identity attacks, and cloud exploitation across AWS, Azure, and Google Cloud. He founded Cyber Security Pentesting Inc. to offer this expertise as a principal-led service, where the senior practitioner who scopes an engagement is the same person who executes it and presents the findings.
Today the practice is recognised for manual, exploit-proven testing of complex environments: financial institutions subject to OSFI, OSC, and CIRO oversight; healthcare organisations governed by PHIPA; SaaS providers; and critical-infrastructure operators. The work is grounded in recognised frameworks — OWASP, MITRE ATT&CK, and PTES — but driven by real adversarial tradecraft rather than tool output.
Credentials Earned in
Realistic Adversarial Conditions
Arturs holds 15+ industry certifications, including OSCP, OSEP, CREST CRPT, CREST CPSA, CRTO, CRTE, CRTP, CARTE, CARTP, and PACES — spanning penetration testing, red teaming, and cloud attack specialisations. These are hands-on, exam-under-fire credentials — not multiple-choice paper certs — each requiring demonstrated compromise of realistic target environments under time pressure.
Where Arturs
Goes Deep
Find What
Scanners Miss
Arturs's approach rests on a simple conviction: the findings that actually matter are the ones automated tools never surface — chained logic flaws, identity and trust-boundary abuses, and attack paths that only emerge when a skilled operator thinks like a real adversary. Scanners produce noise; principals produce proof.
Every engagement is therefore principal-led and manually executed. There is no junior-analyst layer, no offshore delegation, and no account manager between the client and the practitioner. The person who scopes the work executes it, signs the report, and answers questions during remediation. Deliverables pair executive summaries mapped to business impact with technical findings that include full reproduction steps, and every engagement includes a remediation re-test pass at no additional cost.
This model trades volume for depth. The practice deliberately takes on fewer engagements so each one receives the full attention of a senior operator — which is exactly what regulated, high-stakes environments require.
Research,
Writing & Recognition
Arturs authors the Cyber Security Pentesting Inc. technical blog, where he publishes practitioner-grade analysis of current offensive-security tradecraft — from Active Directory certificate-services abuse and Kerberoasting to cloud privilege escalation, AI/LLM exploitation, and modern red-team OPSEC. His professional recommendations and client reviews are published, unedited, on LinkedIn and Google.
Work Directly
with the Founder
Engagements begin with a scoping call under NDA. No detailed environment information is requested until an NDA is in place. You speak with Arturs directly — not a sales team.