Modern attackers don't break in—they log in.
Decode emulates the tactics used by today's ransomware groups, identity-focused adversaries, and data extortion operators to uncover the attack paths that matter most. We validate exploitability, quantify business impact, and provide proof that remediation works.
No exploit fired at any step — every move rides valid access and trusted tools. We test whether your controls would notice.
Time has become patient zero.
Adversaries no longer break in — they log in, and they move faster than an annual test can see. The numbers that should set your testing cadence:
A once-a-year penetration test assumes a timeline that no longer exists. Decode runs continuously — so quiet weeks are quiet because nothing changed, not because nothing was checked.
A programme, not a PDF.
Five principles separate this from a commodity scan. Every engagement operationalises Continuous Threat Exposure Management (CTEM) and maps to MITRE ATT&CK.
Manual-led, AI-accelerated
Automation is the floor of the assessment, never the ceiling. AI speeds discovery; a senior analyst verifies every exploited finding.
Identity-first
SSO, federation, conditional access, tokens and the path from one valid credential to crown-jewel access — tested as a first-class scope.
Outcome-defined
We agree the outcomes a real attacker would pursue, then prove whether each is reachable — domain dominance, fraud, exfiltration.
Continuous (CTEM)
Between deep-dive cycles we run attack-surface monitoring, breach-and-attack simulation and deception against the assets attackers probe.
Depth where it breaches you.
We stay deliberately niche: offensive depth and the assurance layer around it.
Penetration Testing & Red Teaming
Senior-led VAPT across external, internal, application, identity, cloud and the human layer — chained into the attack path a real adversary would walk, with proof-of-exploit and validated retest included.
Exposure Management
CTEM lifecycle: attack-surface monitoring, BAS and prioritisation between cycles.
Core: Identity & Cloud
Active Directory, Entra ID, SSO, token and conditional-access testing across AWS, Azure, GCP.
New for 2026: AI & Agentic Security
LLM and agent testing — prompt injection, tool misuse, excessive agency — mapped to OWASP & MITRE ATLAS.
Respond: Forensics & IR
Digital forensics, breach triage, eviction and evidence handling under chain-of-custody.
Assure: Governance, Risk & Compliance
POPIA, King IV, ISO 27001, PCI DSS.
Strengthen: Training & Awareness
Phishing and social-engineering simulations with measurable click, submit and report rates — closing the human attack surface.
Built for high-stakes environments.
An internationally recognised African information-security practice, trusted where a breach is a board-level and regulatory event.
Niche by choice. Deep by design.
Senior-led, every engagement
No juniors cutting their teeth on your network. Work is run by senior practitioners holding OSCP, OSEP, CREST, CEH and CISSP.
Vendor-independent
Findings are reported on their technical merit — never to position a tooling sale. The deliverable is risk reduction, not a shopping list.
Fixed-fee, retest included
Priced as a subscription, not per finding — so there's no incentive to inflate counts. Every Critical and High is retested to closure.
Written for people who act on it
An executive read on one page and a reproducible technical report for the engineer who has to close the finding.
We publish what we learn.
Research and disclosure are part of the craft. Short, technical, no marketing fluff.
What 90 minutes looks like
A timed walk from a public VPN exploit to encryption-ready privilege — and the three points a defender could have stopped it.
Past the MFA wall
Token theft and session replay in the wild: why "we have MFA" is the start of the conversation, not the end of it.
POPIA and the quiet breach
When an incident becomes reportable under POPIA, and how to make that call before the regulator makes it for you.