
Custom Tailored Pentest

When your environment, threat model, or objectives do not fit a standard service template, we build the engagement entirely around you. You define the targets, depth, and success criteria; we engineer the methodology to match.

Fully Bespoke Security Engagements

Standard penetration testing frameworks are designed for common scenarios. They work well for most organisations, but not every organisation is standard. When you operate unique technology stacks, cross unusual regulatory boundaries, face specific adversarial scenarios, or are in the middle of a transaction that depends on accurate security intelligence, a generic test produces generic results.

Custom tailored engagements at Cyber Security Pentesting Inc. begin with a discovery conversation, not a checkbox questionnaire. Principal consultant Arturs Stay (CREST-certified, OSCP/OSEP, 20+ years of enterprise technology and cybersecurity experience) works directly with your technical and leadership teams to understand what you are actually trying to answer, then builds a methodology that answers it. No scope padding. No findings that do not apply to your risk profile. Every engagement is principal-led from scoping call to final debrief.

Client-Defined Scope Bespoke Methodology Threat Modelling Due Diligence Custom Objectives OT / IoT / SCADA Non-Standard Compliance Emerging Technology

When to Choose a Custom Engagement

These are the situations where bespoke methodology consistently outperforms standard service templates.

Unique Technology Stacks
IoT device ecosystems, SCADA and industrial control systems, proprietary communication protocols, embedded firmware, and hardware-level attack surfaces that standard pentest methodologies do not cover. We assess the actual attack paths an adversary would use against your specific technology, not a generic checklist applied to something it was never designed for.
Pre-Acquisition Due Diligence
M&A security assessments that give acquirers an accurate picture of inherited cyber risk before a transaction closes. We identify material vulnerabilities, technical debt in security controls, regulatory exposure, and hidden attack surface, delivering findings in formats suitable for deal teams, legal counsel, and board-level risk committees.
Bespoke Threat Models
Industry-specific adversarial scenarios built around your actual threat actors, not generic MITRE ATT&CK coverage: financial services facing nation-state APTs, healthcare organisations defending against ransomware groups targeting patient data, critical infrastructure operators facing destructive attacks. We map your real threat landscape and test against it specifically.
Scenario-Based Testing
Insider threat simulations, supply chain compromise scenarios, ransomware deployment rehearsals, or specific incident-driven re-testing. If you need to answer a precise question ("Could a malicious contractor reach our financial data?" or "Could a compromised vendor update pivot into our production environment?"), we structure the engagement to answer exactly that.
Non-Standard Compliance Requirements
Sector-specific regulatory frameworks (NERC CIP, FISMA, FedRAMP, DORA, NIS2, provincial privacy legislation, defence supply chain requirements) that demand testing approaches beyond generic PCI or SOC 2 templates. We design assessments aligned to your actual compliance obligations and produce evidence packages your auditors will accept.
Emerging Technology Assessment
Newly deployed AI/ML infrastructure, blockchain-based systems, quantum-safe cryptography transitions, next-generation identity platforms, or any technology your organisation has adopted before the security community has built standard assessment frameworks around it. We approach emerging technology with first-principles offensive thinking rather than outdated checklists.

How It Works

Every custom engagement follows a structured discovery-to-delivery process that keeps your objectives at the centre of every decision.

Scoping & Discovery
A working session with your technical and business stakeholders to understand the environment, objectives, constraints, and the specific questions the engagement needs to answer. We challenge vague objectives and sharpen them into testable hypotheses before any work begins.
Threat Modelling
We map your relevant threat actors, their known TTPs, and your specific attack surface. This determines which attack scenarios are in scope, what a realistic adversary would actually target, and what the meaningful success criteria look like for your risk profile.
Custom Methodology Design
A written methodology document delivered before execution begins. It defines the attack scenarios, tooling, escalation points, communication protocols, and rules of engagement. You review and approve it. No surprises during testing.
Execution
Principal-led delivery: Arturs Stay conducts the assessment personally. Real-time communication throughout via an encrypted channel. Immediate notification for any critical findings. Full OPSEC discipline to avoid disrupting production systems unless disruption testing is explicitly scoped.
Reporting & Debrief
A structured report with executive summary, technical findings, attack narrative, evidence packages, and a prioritised remediation roadmap calibrated to your business context, not a generic CVSS-ordered list. Followed by a live debrief with your technical and leadership teams and a written Q&A follow-up period.

Example Scenarios

Custom engagements are shaped entirely by client context. These examples illustrate how bespoke methodology produces answers that standard tests cannot.

Fintech
Payment Platform with Custom API Integrations
A Toronto-based payments company had built a proprietary settlement layer connecting six banking partners via custom REST and message-queue APIs. Standard web application testing would have missed the business logic flaws in cross-partner transaction flows. We scoped a bespoke assessment targeting the trust boundaries between integrations, uncovering a transaction replay vulnerability that allowed fund duplication across two partner rails and was exploitable without any authentication bypass.
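The replay class of flaw described in this scenario, as an added example that is not the page's own code and not the client's actual system: a constructed Python settlement receiver in a vulnerable form (credits every validly signed message, so one captured message can be delivered twice and to a second rail) beside a hardened form (the signed payload names its destination rail, stale messages are refused, and each partner transfer ID settles at most once). Partner names, shared secrets, field names and amounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-partner shared secrets (assumption: a real rail would load one
# secret per partner integration from a KMS, never hard-code them).
PARTNER_KEYS = {
    "bank-a": b"assumed-secret-for-bank-a",
    "bank-b": b"assumed-secret-for-bank-b",
}


def canonical(message: dict) -> bytes:
    """Deterministic serialisation so sender and receiver sign the same bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def sign(message: dict, key: bytes) -> str:
    return hmac.new(key, canonical(message), hashlib.sha256).hexdigest()


def verify(message: dict, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(message, key), signature)


class VulnerableRail:
    """Credits every validly signed settlement message. Nothing ties the message
    to this rail and nothing remembers what was already settled, so a captured
    message replays here and on a second rail: the funds are duplicated."""

    def __init__(self, rail_id: str):
        self.rail_id = rail_id
        self.balances: dict[str, int] = {}

    def settle(self, message: dict, signature: str) -> str:
        key = PARTNER_KEYS.get(message.get("from_partner"))
        if key is None or not verify(message, signature, key):
            return "rejected:bad_signature"
        acct = message["to_account"]
        self.balances[acct] = self.balances.get(acct, 0) + message["amount_cents"]
        return "settled"


class HardenedRail:
    """Same wire format, three extra checks: the signed payload must name this
    rail, the message must be fresh, and each (partner, transfer_id) pair settles
    at most once. The dedup set is per rail, which is why the rail binding is
    also needed to stop cross-rail replay."""

    MAX_AGE_SECONDS = 300

    def __init__(self, rail_id: str, clock):
        self.rail_id = rail_id
        self.clock = clock  # injected so the example is deterministic
        self.balances: dict[str, int] = {}
        self.seen: set[tuple[str, str]] = set()  # assumption: durable store in production

    def settle(self, message: dict, signature: str) -> str:
        key = PARTNER_KEYS.get(message.get("from_partner"))
        if key is None or not verify(message, signature, key):
            return "rejected:bad_signature"  # also catches any tampered field
        if message.get("dest_rail") != self.rail_id:
            return "rejected:wrong_rail"  # captured on rail A, replayed to rail B
        if abs(self.clock() - message["issued_at"]) > self.MAX_AGE_SECONDS:
            return "rejected:stale"
        dedup_key = (message["from_partner"], message["transfer_id"])
        if dedup_key in self.seen:
            return "rejected:replay"  # same transfer delivered a second time
        self.seen.add(dedup_key)
        acct = message["to_account"]
        self.balances[acct] = self.balances.get(acct, 0) + message["amount_cents"]
        return "settled"


def demonstrate(clock=lambda: 1_700_000_000.0) -> dict:
    """Replay one constructed settlement message against both rail designs."""
    msg = {
        "from_partner": "bank-a",
        "transfer_id": "T-1001",
        "to_account": "merchant-42",
        "amount_cents": 25_000,
        "dest_rail": "rail-a",
        "issued_at": clock() - 10,
    }
    sig = sign(msg, PARTNER_KEYS["bank-a"])

    vuln_a, vuln_b = VulnerableRail("rail-a"), VulnerableRail("rail-b")
    hard_a, hard_b = HardenedRail("rail-a", clock), HardenedRail("rail-b", clock)
    stale = {**msg, "transfer_id": "T-1002", "issued_at": clock() - 3600}

    return {
        # original delivery, replay to the same rail, replay to the other rail
        "vulnerable": [vuln_a.settle(msg, sig), vuln_a.settle(msg, sig), vuln_b.settle(msg, sig)],
        "vulnerable_credited": sum(r.balances.get("merchant-42", 0) for r in (vuln_a, vuln_b)),
        "hardened": [hard_a.settle(msg, sig), hard_a.settle(msg, sig), hard_b.settle(msg, sig)],
        "hardened_credited": sum(r.balances.get("merchant-42", 0) for r in (hard_a, hard_b)),
        "tampered": hard_a.settle({**msg, "amount_cents": 99}, sig),
        "stale": hard_a.settle(stale, sign(stale, PARTNER_KEYS["bank-a"])),
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name}: {result}")
```

The point worth noting is that the signature check passes in every case on the vulnerable rail: the attacker never forges anything, which is what "exploitable without any authentication bypass" means in practice. Idempotency alone is also not enough, because the dedup set lives on one rail; the destination has to be inside the signed payload so the second rail can refuse a message that was never addressed to it.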
Healthcare
Organisation with Connected Medical Devices
A regional health network was integrating connected infusion pumps and patient monitoring equipment into their clinical IT network. The attack surface spanned proprietary device firmware, the clinical network segment, and cloud telemetry pipelines. We assessed the full kill chain from device compromise through lateral movement into the EHR system, with testing windows designed around clinical operations to ensure zero patient impact.
SaaS / M&A
Pre-Acquisition Security Audit
A private equity firm acquiring a mid-market SaaS company needed technical due diligence before close. We assessed the target's external attack surface, internal infrastructure, cloud configuration, data handling practices, and security debt, delivering a risk-quantified findings package within a compressed deal timeline. The report surfaced three critical findings that were negotiated into escrow provisions before the transaction closed.
Manufacturing / OT
OT/IT Convergence Assessment
A Canadian manufacturer had connected its operational technology floor (PLCs, SCADA historian, HMI systems) to the corporate IT network to enable real-time production analytics. We assessed the segmentation controls between OT and IT, tested pivot paths from a compromised IT endpoint to the OT environment, and evaluated whether an attacker with IT credentials could reach process control systems. The engagement required coordination with plant operations to avoid triggering safety interlocks.

What You Define

In a custom engagement, you control the parameters that matter. We advise on each, but the final decisions are yours.

Target Scope
Specific systems, applications, network segments, devices, or business processes. Narrow and precise, or broad and comprehensive, scoped to match your objectives, not a generic template.
Testing Depth
Targeted assessment of a defined attack scenario, or a full-depth engagement that follows every viable attack path. We advise on the trade-off between depth and timeline based on your risk priorities.
Success Criteria
What does a meaningful finding look like for your context? Compromise of a specific data store, demonstration of a particular lateral movement path, or a proof-of-concept for a board presentation: we test to the outcome that matters to you.
Rules of Engagement
Blackout windows, production-safe constraints, communication escalation paths, notification thresholds, and any systems or actions that are explicitly out of bounds. All documented and agreed before testing begins.
Timing & Duration
Testing windows aligned to your operational calendar, avoiding critical business periods, coordinating with change management, and accommodating transaction timelines or regulatory deadlines.
Reporting Format
Technical findings for your security team, an executive summary for leadership, a board-level risk presentation, or evidence packages formatted for auditors, legal counsel, or deal due diligence: we produce the deliverables you actually need.


Discuss Your Custom Engagement

Every custom engagement starts with a conversation. Tell us what you are trying to answer, and we will tell you honestly whether a bespoke assessment is the right approach and what it would involve.

TL;DR, Custom Tailored Penetration Testing

Custom tailored penetration testing is bespoke offensive security assessment scoped entirely around your specific environment, threat model, and objectives, for situations that do not fit a standard engagement template. CSPI delivers custom engagements for non-standard targets: embedded devices and IoT, OT/SCADA estates, mobile applications, fintech payment rails, healthcare integrations (HL7, FHIR), automotive systems, blockchain protocols, M&A due diligence assessments, and threat-model-specific exercises. Engagement scoping, methodology, and deliverables are all designed around your objectives: you define what success looks like, and we build the methodology around it. Principal-led by Arturs Stay (CREST CRPT, OSCP, OSEP, 20+ years of enterprise technology and cybersecurity experience). Output is structured for whatever downstream consumer needs the evidence: regulator, board, auditor, customer security review, or M&A counterparty.

Frequently Asked Questions

When is a custom engagement the right fit instead of a standard service?

Custom engagements suit environments that do not match the assumptions of a standard service offering. Examples include OT/IT environments where safety considerations override standard testing intensity, M&A due diligence with a fixed deadline and incomplete documentation, in-house or proprietary technology stacks that warrant deeper review than off-the-shelf methodology covers, multi-vendor environments where the attack surface crosses contract boundaries, and threat-model-driven engagements where the customer wants to validate against a specific adversary.

How is a custom engagement scoped and priced?

Scoping begins with a working session under NDA where we map the environment, the testing objective, the constraints (time, safety, regulatory), and the deliverables the customer needs. From that session we produce a written scope document with explicit in-scope and out-of-scope items, methodology, and an effort estimate. Pricing follows the effort estimate. We do not quote without scoping; scope-first pricing is how we keep the engagement honest.

Do you handle M&A and pre-acquisition security due diligence?

Yes. M&A diligence engagements have specific patterns: tight deadlines, limited environment access pre-close, and a report audience that includes deal teams rather than only security engineers. Coverage typically includes external attack surface review, identity and access assessment, cloud configuration review, and a critical-finding summary structured for inclusion in deal documentation.

Can you test OT/IT environments?

Yes, within constraints. OT environments require explicit scoping around safety: which systems can be actively tested versus passively assessed, what intensity of testing is acceptable, and what coordination is required with operations. We treat OT engagements as design-first: the test plan is reviewed and signed off by both security and operations leadership before any testing begins, and techniques that risk disruption are out of scope unless explicitly authorised.

What deliverables come out of a custom engagement?

Deliverables match what the customer needs rather than a fixed template. Common patterns include an executive summary, a technical findings report with reproduction steps, a compliance mapping if relevant, an attack chain diagram, and architecture-level remediation guidance. For M&A engagements we also produce a deal-team brief structured for non-security audiences. For OT engagements we include operational safety considerations alongside security findings.

How long does a custom engagement typically take?

Three to six weeks of testing time is common, with reporting adding another week to ten days. Engagements that span multiple environment types (cloud + on-prem + OT, for example) or that include heavy reverse engineering can extend to eight to ten weeks. Scope-first pricing means the timeline is agreed before testing starts, not adjusted after.
