Human-led · Düsseldorf, Germany · CET · CPTS · CRTO

Automated tools find known vulnerabilities.
We find yours.

Manual penetration testing for SaaS companies, enterprises, and agencies across Europe. You work directly with a certified security professional. Not a tool, not a junior analyst running scans.

50+ Engagements Completed · 4h Response SLA
[Methodology graphic: Reconnaissance (data gathering) · Vulnerability Analysis (threat modeling) · Exploitation (proof of concept) · Reporting (remediation strategy)]

What We Test

Every engagement is fully manual. We tailor each assessment to your architecture, business context, and threat model. No generic checklists.

01

Web Application

Manual testing against OWASP Top 10, authentication flaws, business logic vulnerabilities, and injection chains that automated scanners routinely miss.

OWASP Top 10 · Auth Bypass · Business Logic · IDOR

02

API Security

Assessment of REST, GraphQL, and SOAP endpoints. We identify broken object-level authorisation, mass assignment, and function-level access control issues that expose customer data.

REST / GraphQL · BOLA · BFLA · Mass Assignment

03

Cloud Security

Security posture review across AWS, Azure, and GCP. IAM misconfiguration, privilege escalation paths, exposed storage, and container security reviewed against current attack patterns.

AWS / Azure / GCP · IAM · CSPM · Containers

04

Network Infrastructure

Internal and external assessments covering Active Directory attack paths, lateral movement, privilege escalation, and network segmentation gaps.

Active Directory · Lateral Movement · Kerberoasting

05

Mobile Application

iOS and Android assessments across static and dynamic analysis, runtime manipulation, insecure data storage, and backend API communication security.

iOS / Android · DAST / SAST · OWASP Mobile Top 10

06

Secure Code Review

Manual source code analysis to identify vulnerabilities before production. All major languages, with CI/CD integration guidance and developer-facing remediation.

Manual Review · DevSecOps · All Languages

Who You Are Working With

Enterprise-Grade Security.
Without the Enterprise Price Tag.

Large security firms charge between 15,000 and 20,000 euros for assessments that many growing businesses genuinely need but cannot justify at that cost. That gap is the reason Pentest Precision exists.

I am Ehtisham Fakhar, an independent security professional based in Düsseldorf. Since 2021 I have completed over 50 assessments for 20 clients across the UK, US, and Europe: SaaS companies, agencies, and enterprises at different stages of growth. Every engagement is carried out by me personally, not delegated to a junior analyst.

The work is the same standard you would expect from a large firm. The difference is that you talk directly to the person holding the certifications and you pay for the assessment, not for the brand name on the invoice.

Ehtisham Fakhar
Independent Security Professional
Düsseldorf, Germany
50+ assessments completed · 20 clients served · 4+ years active
Credentials: CPTS · CRTO

Certifications That Require Proof, Not Paperwork

Each certification requires passing a hands-on exam in a live attack environment. There are no multiple-choice questions involved.

OSCP

Offensive Security Certified Professional

A 24-hour hands-on exam requiring exploitation of multiple live machines. Widely regarded as the baseline standard for professional penetration testing work.

✓ Verified

OSEP

Offensive Security Experienced Penetration Tester

Covers advanced evasion, Active Directory exploitation, and multi-stage attack chains. Relevant for engagements where detection avoidance is in scope.

✓ Verified

CPTS

Certified Penetration Testing Specialist

Comprehensive methodology covering web, network, and Active Directory testing. Emphasises the professional reporting standards expected in regulated engagements.

✓ Verified

CRTO

Certified Red Team Operator

Adversary simulation using Cobalt Strike within Active Directory environments. Covers command and control, evasion, and red team tradecraft aligned to real threat actor behaviour.

✓ Verified
Client Feedback

What Clients Have Said

Selected feedback from completed engagements. Clients are identified by role to preserve confidentiality.

“Very quickly reachable, willing to solve problems, and available when you really need assistance. I can recommend him for all IT security-related questions without hesitation.”
PT, Past Client · Penetration Testing & Data Security

“He asked the right questions upfront, which made the engagement efficient without any loss of quality. Straightforward to work with throughout.”
CTO, Past Client · Web Application Penetration Test

“Always a pleasure to work with Ehtisham. He is extremely fast and delivers high quality.”
CL, Past Client · Repeat Engagement

“The final report was detailed enough that we used it in a proposal to a prospective enterprise client. It contributed directly to winning that contract.”
BD, Past Client · Security Report for Sales Process

“Thorough and methodical. Clear communication throughout. Delivered on time and within scope. We are using Pentest Precision for our ongoing security reviews.”
EH, Past Client · Ongoing Security Review

“Good communication, technically strong, and genuinely helpful in explaining findings to non-technical stakeholders. We will continue to work together on future assessments.”
PM, Past Client · Web Application & CRM Security

For Agencies & MSPs

Security Testing Under Your Brand

If you run an IT consultancy or managed services practice, we can deliver security testing on your behalf. Your clients see only your name. We handle the technical work.

01

Confidential by Default

We sign NDAs before any engagement begins. All deliverables are branded to your company. There is no Pentest Precision branding in any client-facing document.

02

Capacity Without Overhead

Take on security projects without hiring in-house. We work within your existing project management and communication structure.

03

Based in Germany

Work is conducted from Düsseldorf in Central European Time. For clients with European data handling considerations, this is often a relevant factor in vendor selection.

04

Predictable Timelines

Standard web application reports delivered within 5–7 business days. Critical findings communicated immediately, not held for the final document.

Discuss a Partnership

We work with consultancies, MSPs, and agencies across Germany, DACH, and wider Europe.

  • Full NDA before any scope discussion
  • Reports in your template or a neutral format
  • Per-project or retainer arrangements available
  • OSCP and OSEP certified tester on every engagement
  • CET timezone, available during standard business hours
Security Insights

Research & Technical Writing

Practical analysis from real engagements.

AI Security · Trending

Securing AI Agents: Prompt Injection, Tool Misuse, and the New Attack Surface

AI agents with access to APIs, databases, and external tools introduce a threat model most security teams have not yet modelled.

SaaS Security · Trending

The SaaS Security Checklist Enterprise Buyers Are Now Sending to Vendors

Enterprise procurement teams issue security questionnaires before signing contracts. Here is what they ask and what a pentest report helps you answer.

Compliance · Trending

DORA Is Now Enforceable: What Penetration Testing Obligations Mean for Financial Firms

The Digital Operational Resilience Act requires threat-led penetration testing. We explain scope, frequency, and what constitutes a compliant test.

API Security · Evergreen

BOLA, BFLA, and Mass Assignment: The Authorisation Flaws That Keep Appearing in SaaS APIs

Broken object-level authorisation and function-level access control issues appear in mature codebases as often as in early-stage products.

Cloud Security · Evergreen

The Ten IAM Misconfigurations We Find Most Often During AWS Penetration Tests

Overly permissive roles, missing MFA on privileged accounts, and misconfigured trust policies account for a large share of cloud findings.

Web Application · Evergreen

What Automated Vulnerability Scanners Do Not Test For, and Why It Matters

Business logic abuse, multi-step authentication flaws, and race conditions are outside the scope of every scanner on the market.

Get in Touch

Start with a Conversation

We offer a free 30-minute consultation to understand your environment, discuss scope, and give you an initial view of where the most likely risk areas are. No obligation to proceed.

Location: Düsseldorf, Germany (CET)
Response time: within 4 hours on business days · 24/7 for active incidents

Book a Free Consultation

Tell us about your environment and what you need assessed. We will come prepared.
