See your exposure before attackers do.
Prox Offensive is a boutique offensive security practice. External attack surface assessments, penetration testing, and application security testing that show what's actually exploitable, with the evidence to prove it. The senior specialist you talk to first is the one who does the work.
What we do
Four ways to work with us, from a fixed-scope external sprint to deep, goal-driven testing.
External Exposure Audit Sprint
A timeboxed review of your public-facing attack surface. Prioritized findings, evidence, and a remediation roadmap in 3–5 business days.
- Fixed scope, fixed price
- External-only, non-intrusive
- From $2,500
Penetration Testing
Goal-driven testing that shows how a vulnerability actually leads to compromise.
- Attack chains: foothold, pivot, objective
- Reproducible evidence for every link in the chain
- Scoped and authorized in writing before the first packet
Application Security Testing
Manual testing for the flaws scanners miss: broken auth, IDOR, business-logic abuse.
- Broken authentication, IDOR, and business-logic testing by hand
- Requests and responses your engineers can replay
- OWASP Top 10 and the logic flaws outside it
Mentoring
One-on-one mentorship for people breaking into offensive security.
- Live labs: Hack The Box, TryHackMe, home-lab builds
- CompTIA PenTest+ prep with someone who holds it
- Résumé, portfolio, and GitHub review
What is offensive security?
Offensive security is the attacker's half of cybersecurity, put to work on your side: the same tools, tactics, and techniques real adversaries use, run legally and under written authorization to find your weaknesses before someone hostile does.
Defense alone can't tell you which vulnerabilities actually matter. A controlled attack simulation can. It separates the theoretical from the exploitable, so your engineers spend their remediation time on the exposure that would actually get you breached.
How we work
A structured engagement, from scope to verified fixes.
Scope
We confirm authorized targets and sign a clear scope agreement before any testing begins.
Test
We use the same tactics as real attackers, legally, to find what is genuinely exploitable.
Prioritize
Findings are validated, deduplicated, and ranked by what they would cost you in practice.
Deliver
You get evidence, a remediation roadmap, and verification steps, plus a findings review call.
Why Prox Offensive
Authorized & ethical
Every engagement requires written authorization. No testing without explicit owner permission.
Evidence-based
Every finding ships with proof: screenshots, requests, and reproduction steps you can verify.
Business-context first
We translate technical exposure into impact your leadership and auditors actually understand.
Remediation-focused
Every report ends in a prioritized roadmap with verification steps, ordered by what would hurt you first.
Who does the work
At larger firms, the person who scopes your test is rarely the one who runs it. Here, scoping, testing, and reporting are one set of eyes: nothing gets lost in a handoff, and every finding has its author in the room.
Felix Gutierrez
Founder & Offensive Security Specialist
On every engagement I do the testing, write the report, and walk your team through the fixes. When you ask why a finding matters, or push back on one, you're talking to the person who found it.
Between engagements I publish research in the open: LLM red-teaming, adversary emulation, recon automation. Studying how attackers read a public attack surface is exactly what sharpens how I map yours.
More about how I work →Proof, in the open
- cert
- CompTIA PenTest+
- community
- Volunteer — BSides St. Pete, BSides Orlando, HackSpaceCon, HackRedCon
- research
- ai-redteam-lab ↗ LLM adversarial-robustness harness: 33 attack cases across 8 categories
- research
- apt33-scythe-case-study ↗ Adversary-emulation case study with detections and hunting queries
- research
- prox-recon ↗ Offline-first reconnaissance core: linPEAS parsing, CVE matching
From the field
Explainers and research notes from the practice: the thinking behind the method.
Put Weight On It: An Open LLM Red-Team Lab
Most teams ship an LLM feature after prompting it a few times and calling it safe. We built a local-first, open-source harness that puts real adversarial pressure on a model and scores what breaks: 33 cases across 8 attack categories.
Read →Security Assessment Before a SOC 2 Audit: What You Actually Need
SOC 2 doesn't name a penetration test as a hard requirement, but its criteria expect vulnerability management, and an external exposure assessment beforehand is the cheapest way to avoid findings. Here's what to run, and when.
Read →External Exposure Audit vs. Penetration Test: Which Do You Need?
An external exposure audit maps what's reachable and misconfigured across your public footprint. A penetration test proves how far an attacker could actually get. Here's how they differ and how to choose.
Read →Every engagement ends with a report you can act on.
Executive summary, prioritized findings with evidence, a 30-day remediation roadmap, and verification steps for each fix. See exactly what you'll receive.
Ready to find out what's exposed?
Book a short call, tell us what you're running, and we'll scope the right engagement.