Offensive security services

Six practice areas. One objective: give your leadership defensible evidence about where adversaries can move — and whether your team would catch them.

Security assessment briefing with architecture diagrams on screen
CFA-IMG-03 · Assessment floor

Our services are designed for organisations that have moved past checkbox compliance and need operational truth. Whether you are hardening a cloud migration, validating a new SOC contract, or preparing for a regulatory examination, we scope engagements to your actual risk — not a generic methodology PDF.

SVC-01 · Security Assessment

Security Assessment

A Security Assessment is the structured entry point for organisations that need a clear picture of exposure before committing to a full offensive engagement. We review network architecture, identity flows, endpoint posture, and cloud configuration against your stated threat model. Deliverables include an executive summary for board-level readers, a technical findings register with severity ratings tied to exploitability, and a 90-day remediation sequence. Assessments typically run two to four weeks depending on estate size. We align with frameworks your auditors already recognise — ISO 27001 control mapping, NIST CSF tiers, and OSFI B-13 expectations for federally regulated financial institutions — without turning the exercise into a paperwork drill.

SVC-02 · AI-Assisted Pen Testing

AI-Assisted Pen Testing

Penetration testing at CyberForge AI is human-led and machine-augmented. Our operators use AI-assisted tooling to accelerate reconnaissance, fuzzing, and log correlation — but every exploitation decision, chain validation, and business-impact assessment is made by a named consultant. This hybrid model lets us cover more attack surface in the same window without the false confidence that automation-only scans provide. Engagements include external perimeter testing, internal network pivoting, web application review, and API abuse scenarios. Each finding ships with reproduction steps your engineers can verify independently. We document lateral movement paths, privilege escalation chains, and data exfiltration feasibility so remediation priorities reflect real breach mechanics.

SVC-03 · Red Teaming

Red Teaming

Red team engagements simulate a motivated adversary with defined objectives: access a crown-jewel dataset, achieve domain admin, or exfiltrate synthetic credentials. Unlike standard pen tests, red teams operate under stealth constraints — testing whether your SOC detects initial access, command-and-control traffic, and privilege escalation over days or weeks. We coordinate closely with your incident response lead through encrypted channels and pre-agreed callback procedures. Debrief workshops walk defenders through the full attack timeline, highlighting detection gaps and playbook failures. Red teaming is ideal for mature security programmes that already patch regularly but have never validated end-to-end response under realistic pressure.

SVC-04 · Detection Engineering

Detection Engineering

Detection Engineering closes the loop between offensive findings and defensive readiness. We analyse your SIEM rules, EDR policies, and network sensor coverage against MITRE ATT&CK techniques observed in recent Canadian-sector intrusions. Where gaps exist, we draft detection logic, tune false-positive thresholds, and run purple-team exercises to confirm alerts fire within your target mean-time-to-detect window. This service is often paired with a red team engagement: attackers demonstrate the chain, engineers build the detection, attackers attempt the chain again. The result is measurable improvement — not a slide deck claiming your SOC is already perfect.

SVC-05 · Vulnerability Management

Vulnerability Management

Scanner output without context creates alert fatigue. Our Vulnerability Management practice helps you build a programme that ranks findings by exploitability in your specific environment — not generic CVSS alone. We define asset criticality tiers, establish patch SLAs aligned with regulatory expectations, and integrate threat intelligence on actively exploited CVEs affecting your technology stack. Quarterly reviews assess programme maturity: are critical findings closed within SLA? Are exceptions documented with compensating controls? Do penetration test results correlate with scanner blind spots? We turn vulnerability management from a compliance checkbox into an operational discipline your engineers respect.

SVC-06 · Securing AI / LLM

Securing AI / LLM

Production large language models introduce attack surfaces that traditional AppSec reviews miss. Our Securing AI/LLM service tests prompt injection resistance, training-data leakage paths, plugin and tool-call abuse, and output-filter bypass techniques. We evaluate whether your guardrails prevent users from extracting system prompts, invoking unauthorised API actions, or poisoning retrieval-augmented generation pipelines. Deliverables include a threat model specific to your model architecture, tested attack scenarios with severity ratings, and hardening recommendations aligned with emerging OWASP LLM Top 10 guidance. As Canadian firms deploy customer-facing chatbots and internal copilots, this service answers the question regulators and boards are starting to ask: what happens when someone tries to break your AI on purpose?

Offence informs defence

Every service we offer connects to two operational clusters. Cluster A covers breaking in: attack surface mapping, exploitation, lateral movement, and exfiltration proof. Cluster B covers catching it: detection coverage, alert fidelity, response timing, and control validation. Most clients start with Cluster A to find gaps, then engage Cluster B services to close the loop. Some mature programmes run both simultaneously in purple-team format.

Book a security assessment

Red team operators reviewing attack timeline on collaborative display
CFA-IMG-06 · Red team operations
LLM security review session with model architecture diagram
CFA-IMG-11 · LLM security review

Scoped to your regulatory context

Canadian clients operate under PIPEDA, provincial health privacy statutes, and sector-specific requirements from OSFI, CIHI, and others. Our engagement letters document data handling, retention, and destruction procedures. We do not retain client data beyond contractual obligations. All testing occurs within agreed boundaries — we are offensive operators, not rogue actors.