Manual Exploitation
depth scanners miss
Validated PoCs
every finding proven
Source Review
input-to-sink tracing
CI/CD SAST
caught in the PR
OFFENSIVE SECURITY FIRM · INCORPORATED IN WYOMING, USA

We find the flaw
before the breach.

Manual penetration testing, source-code review, and SAST automation for teams that ship fast. Every finding validated with a working proof-of-concept — and a report that satisfies SOC 2 auditors, vendor questionnaires, and enterprise procurement.

NDA-FIRST · THE FOUNDER REPLIES IN 24H, NOT A BOT · SAMPLE REPORT ON REQUEST
OSWEOSCPOSWP EWPTXEWPTVHL Advanced+

RANKED & TRUSTED ACROSS THE PLATFORMS THAT MATTER

HackerOne Bugcrowd Synack Red Team OffSec INE AWS Azure GCP
001 // FINDINGS
0
Vulnerabilities found
002 // DELIVERED
0
Engagements completed
003 // OFFSEC
0
OffSec certifications
004 // SLA
0h
Response time
01 CAPABILITIES

Offensive security,
end to end.

From automated reconnaissance to manual exploitation, incident response, and source-level review. One firm across your entire attack surface.

01
Penetration Testing

Web, API, mobile, backend, frontend, and cloud. Manual exploitation with Burp Suite, custom tooling, and validated PoCs.

02
Cloud & AI Pentesting

AWS, GCP, and Azure assessments. AI/ML model testing, LLM prompt injection, and cloud misconfiguration audits.

03
Source Code Review

Deep manual review of your codebase. Auth-flow mapping, input-to-sink tracing, IDOR detection, business logic analysis.

04
SAST Automation

Custom code-review rules tuned to your stack. CI/CD integration that catches vulnerabilities in pull requests before they ship.

05
AI-Automated SOC

AI-powered Security Operations Center setup. Automated alert triage, threat correlation, and intelligent incident prioritization.

06
DFIR & Incident Response

Digital forensics and incident response. Breach investigation, evidence collection, root cause analysis, containment strategy.

07
Threat Hunting

Proactive hunting and compromise assessment. Detect active or past compromise, lateral movement, and persistent access.

08
Configuration Review

Hardening audits for servers, cloud resources, firewalls, and network devices against CIS benchmarks and best practice.

02 PRODUCTIZED SECURITY

Code security
automation.

Stop vulnerabilities at the source. We build custom SAST rule sets for your exact stack and wire them into CI/CD, so your team catches security issues in every pull request.

See packages
A1
Custom rules for your stack

Not generic rulesets. Code-review rules that match your frameworks, libraries, and patterns. Django, Spring, Express, Rails, FastAPI, Go, all covered.

A2
CI/CD integration

GitHub Actions, GitLab CI, or Bitbucket Pipelines. PR blocking on high/critical findings. Inline comments on vulnerable lines. Zero developer friction.

A3
Baseline triage

We do not dump 500 alerts on your team. We triage the initial scan, classify false positives, and hand you a clean prioritized starting point.

A4
OWASP Top 10 coverage

SQLi, XSS, SSRF, IDOR, auth bypass, insecure deserialization, path traversal, and more. Rules mapped to OWASP categories with fix guidance.

INTERACTIVE

Watch an attack
unfold.

A scroll-through of a real assessment: from your exposed perimeter, through the breach, to a hardened network. Six scenes, one continuous camera, no slideshow.

Enter the walkthrough
SCROLL TO FLY IN
03 PRICING

Engagement plans.

Every plan ships validated findings with proof-of-concept and remediation guidance. Pentests are fixed-price per assessment: tell us the target, get a quote within 24 hours, no surprises after.

Penetration Testing

A typical US web-app pentest runs $12,000–$18,000+. Our senior-only, zero-overhead model delivers the same manual depth from $3,500 — and scope flexes both ways: smaller target, smaller quote. Tell us what you have and we size it honestly.

One-Time Assessment
from $3,500 / assessment

Fixed-scope pentest of a web app, API, mobile app, or cloud environment. Sized in man-days and quoted up front — typically 5-8 days for a web application. Senior-only delivery at roughly half typical US rates.

  • Web, API, mobile, backend, frontend, or cloud
  • AI/ML security & cloud infrastructure testing
  • Manual + automated testing
  • Executive summary + technical report
  • Letter of attestation for auditors & customers
  • Remediation guidance with code fixes
  • 30-day retest included
Get my scoped quote Request a redacted sample report →

Code Review & SAST Automation

Starter
$500

Single repo, single language. Security guardrails, fast.

  • Custom + curated code-review rules for your stack
  • CI/CD pipeline integration
  • 30-minute walkthrough call
  • 3-5 day delivery
Get started
Enterprise
$2,000

Up to 10 repos, any languages. Quarterly updates included.

  • Custom + curated code-review rules at scale
  • Rules for internal frameworks & libraries
  • Multi-repo centralized reporting
  • Full severity classification
  • Developer training documentation
  • Quarterly rule updates (Q1 included)
  • 2-hour walkthrough + 4 weeks support
Get started
04 LIMITED OFFER

Free external
security scan.

A complimentary assessment of your domain. We run automated reconnaissance and deliver a one-page report with real findings, no strings attached.

Subdomain enumeration & exposure mapping
Known vulnerability detection (CVEs)
Technology fingerprinting & misconfiguration checks
One-page PDF report delivered in 48 hours
Zero obligation, keep the report either way

Request your free scan

We assess your external attack surface and send you a report.

No credit card required. We only scan domains you own. Results in 48 hours.

05 METHODOLOGY

Our process.

Every engagement follows a structured methodology. No black boxes: you get full visibility into what we test and what we find.

01
Scope & reconnaissance

Define targets, constraints, and rules of engagement. Automated asset discovery, subdomain enumeration, and technology fingerprinting.

02
Enumeration & scanning

Deep enumeration of live services, endpoints, and attack surface. Automated scanning with Nessus, Acunetix, and custom nuclei templates.

03
Manual testing & exploitation

Manual testing for business logic flaws, auth bypass, IDORs, and chained vulnerabilities scanners miss. Proof-of-concept for every finding.

04
Reporting & remediation

Executive summary for leadership. Technical report with CVSS scores, reproduction steps, and code-level fix recommendations for engineering.

06 TRACK RECORD

Proof,
not promises.

No fabricated quotes, no stock-photo testimonials. Just verifiable work: companies that accepted our vulnerability reports, open-source tools engineers run every day, and research you can read right now.

Responsibly disclosed vulnerabilities to

FacebookGoogleAppleMicrosoftTwitterAdobeSonyPayPalNetflixCoinbaseLinkedInDropboxSnapchatYahooGitHubTwitchVimeoTumblrSoundCloudWordPressAT&TUnitedDuckDuckGoZendeskESET99designsMediafireFreelancerBugcrowdHackerOne+ more
860+
GitHub stars on our tools

keyFinder, VulnHawk, AgentGuard, and our writeups — open source, in engineers' daily workflows. Star counts update live from GitHub.

Explore the tools
Featured
By the security community on X

Our tooling has been picked up and shared by the security community, including coverage of VulnHawk's AI-assisted SAST approach.

See the post
500+
Published HTB writeups

The most comprehensive Hack The Box writeup collection on GitHub: machines, challenges, attack-path diagrams, exam prep.

Read the research
07 WHO WE ARE

Operators,
not résumé padders.

GreyCore Labs is a US-incorporated offensive security firm founded by Moamen Basel. We have spent a decade breaking production systems for some of the largest companies on the internet, and we bring that same adversary mindset to every engagement.

Moamen Basel, founder of GreyCore Labs
Moamen Basel
Founder · Offensive Security

Moamen has worked both sides of security since 2014, from defensive engineering to offensive testing across web, host, and mobile. He holds the OSWE, OSCP, OSWP, and EWPTX certifications and has reported vulnerabilities to dozens of major companies through their bug bounty programs.

OSWEOSCPOSWPEWPTXEWPTCRTO

Why teams pick GreyCore

Senior-only delivery: the person quoted is the person testing. No bait-and-switch to junior staff.
A working proof-of-concept behind every finding. Zero copy-pasted scanner noise.
Direct line to the tester during and after the engagement, not an account manager.
Fixed quote up front. Scope creep is our problem, not your invoice's.
Reports built for SOC 2 and ISO 27001 audits, vendor questionnaires, and enterprise procurement reviews.
We publish our tooling and research in the open, so you can judge the work before you buy it.
08 THE TEAM

Top-ranked bug
bounty hackers.

Our hackers are ranked on the world's top bug bounty platforms, finding real vulnerabilities in production systems every day.

HackerOne
Bugcrowd
Synack Red Team

CERTIFIED BY OFFSEC, INE, AND INDUSTRY-RECOGNIZED BODIES

OSWEOSCPOSWP EWPTXEWPTVHL Advanced+
09 OPEN SOURCE

Tools we build
in the open.

We ship the tooling we use on engagements. Battle-tested, used by thousands of engineers, free and open source.

675
keyFinder

Passive API key and secret discovery browser extension for Chrome and Firefox. 80+ detection patterns, zero config, Manifest V3.

VulnHawk

AI-powered SAST scanner that finds auth bypass, IDOR, and logic bugs traditional scanners miss. Framework-aware, SARIF, GitHub Action.

500+ writeups
HTB Writeups

The most comprehensive collection of Hack The Box writeups, walkthroughs, and cheatsheets on GitHub. 500+ machines, interactive browser.

Live sitehtb-writeups
6
AgentGuard

AI agent supply-chain security. Intercepts and validates every package install, git clone, and script download an AI coding agent triggers, before it runs.

10 FAQ

Common questions.

How long does a typical pentest take?

Most web application assessments take 5-10 business days depending on scope. We provide preliminary findings within the first 48 hours so your team can start fixing critical issues immediately.

What is included in the free security scan?

We run automated reconnaissance against your domain: subdomain enumeration, technology fingerprinting, known CVE detection, and misconfiguration checks. You receive a one-page PDF report with findings and severity ratings. No obligation to purchase anything.

Do you sign NDAs?

Yes. We are a US-incorporated entity and sign NDAs before every engagement. We also support MSAs, SOC 2 compliance reporting, and can work within your legal team's preferred framework.

What makes your code-review automation different from stock SAST rules?

Stock SAST rulesets generate hundreds of false positives and miss framework-specific patterns. We write rules tailored to your exact codebase: your ORM, your auth middleware, your API patterns. The result is fewer alerts that are actually actionable, integrated directly into your PR workflow.

Can you test our API, mobile app, or cloud infra?

Yes to all. We test REST APIs, GraphQL, mobile apps (iOS/Android), cloud infrastructure (AWS/GCP/Azure), and internal networks. Our certifications (OSWE, OSCP) cover web, network, and application-layer security.

Can I see a sample report before buying?

Yes. Email us and we will send a redacted sample report so you can judge the depth of testing, the quality of reproduction steps, and the remediation guidance before you spend anything. If a vendor will not show you a sample report, walk away.

Will the report work for SOC 2, ISO 27001, or a customer security review?

Yes. You receive a full technical report plus a letter of attestation you can hand to auditors, enterprise customers, and vendor-risk teams. Findings are mapped to OWASP and CWE, and the 30-day retest gives you a clean closure letter once fixes land.

Why are your prices below typical US rates?

No sales team, no account managers, no office. GreyCore is a senior-only boutique: the person who scopes your engagement is the person who tests your application. You pay for testing hours, not overhead. The work itself is public - check our open-source tools and research before you commit.

How fast can you start?

Scoping replies go out within 24 hours and most engagements start within 1-2 weeks. If you are blocked on a deal or an audit deadline, say so - we keep room for urgent compliance-driven timelines.

11 INSIGHTS

Security research.

Technical deep dives on vulnerabilities, tooling, and offensive security methodology.

12 GET STARTED

Ready to secure your stack?

Tell us about your application, infrastructure, or codebase. You will hear back within 24 hours from the founder — the same person who will be testing your systems.

US-incorporated entity. NDAs and MSAs signed before every engagement.
Want to see the work first? Request a redacted sample report.

ASSESSMENTS & REPORTS ALIGNED TO THE FRAMEWORKS YOUR AUDITORS USE

US IncorporatedSOC 2PCI DSSISO/IEC 27001GDPRHIPAAOWASPMITRE ATT&CKNIST CSFNDA + MSA