Active testing only with written authorisation
About the practice

A small purple-team practice that prefers depth over headcount.

Tholim was put together by a small group of operators who got tired of two extremes — the offshore "audit" that ships a 200-page report no engineer reads, and the boutique "rockstar" engagement priced like a luxury car. We sit in the middle: a focused practice that goes deep on a small number of clients per quarter, ships findings the engineering team can act on inside the same sprint, and stays involved through remediation.

§01 · How we work

Three operating decisions that shape every engagement.

§01·01
Reference tools, not reinvention

Mozilla Observatory, sslyze, RetireJS, ProjectDiscovery's nuclei and subfinder, the Chrome HSTS preload list, AlienVault OTX, Shodan InternetDB, certificate-transparency logs, Wayback Machine. Where the field has converged on a reference implementation, we use it. Where one is missing — JA4S server fingerprinting, Shodan-style favicon hashes, baseline-diff continuous monitoring — we wrote ours and made them open source.

§01·02
Findings the team can ship

Every finding ships with the exact request, response, or capture that proves it, plus a remediation note scoped to the stack we found in the audit — not a generic OWASP boilerplate paragraph. Where the fix is mechanical we'll open the pull request. Where it requires architectural change we walk through it with whoever owns the codebase.

§01·03
Continuity past the report

A pentest report that lands in a forgotten Drive folder is a refunded engagement waiting to happen. We attach a 30-day post-delivery window for clarification and re-tests at no extra cost, and offer continuous attack-surface monitoring as a low-friction follow-on for clients that want a baseline alarm on their public footprint.

§02 · Fix loop

A finding is not closed until the re-test runs clean.

Most pentest reports land in a Drive folder, get triaged into Jira, and rot. We close the loop with the engineering team that has to ship the fix — same week, same channel, same sign-off script. The five-step fix loop below is included in every fixed-fee engagement.

01 · Sign-off
Tholim: Scope letter, RoE, kickoff. Written authorisation timestamped.
Client engineering: Designate a single eng owner. Provide read access to the surface in scope.
Artifact: scope.md · authorisation.txt

02 · Test
Tholim: Active testing. Findings filed live into a shared Slack/Linear/GitHub channel as they land — not batched at the end.
Client engineering: Triage in real time. Push back on false positives. Ask for clarification on the spot.
Artifact: F-NNN_*/ evidence folders

03 · Pair
Tholim: For mechanical fixes, open the PR. For architectural ones, pair with the owner over voice or doc until the approach is agreed.
Client engineering: Review, merge, deploy. We stay available during business hours of the chosen timezone.
Artifact: PR with retest.sh attached

04 · Re-run
Tholim: Re-execute every finding's retest.sh against the patched surface. Within 30 calendar days of delivery, included.
Client engineering: Confirm the fix is live in the environment we are testing.
Artifact: 07_retest.sh exit code 0

05 · Close
Tholim: Sign-off note recording who verified, when, and the ticket reference. Repository archived with a 12-month retention under our retention policy.
Client engineering: Counter-sign. Optional: continuous monitoring as a low-friction follow-on.
Artifact: 08_signoff.md · monitor cron

Re-test window: 30 days post-delivery, included. Extended on written request.
Closure rule: retest.sh exits zero or the finding stays open. No "presumed fixed".
Cost model: Re-runs and pairing are inside the original fixed fee — never billed by the hour mid-engagement.

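
What a per-finding retest.sh looks like under that closure rule, as an added example that is not Tholim's own script: a hypothetical finding F-017 (Strict-Transport-Security header missing or too weak) with the closure criteria written as code, so the script's exit status is the verdict rather than a reviewer's opinion. The finding number, the pass thresholds (an assumption modelled on the Chrome HSTS preload requirements mentioned above: max-age of at least one year plus includeSubDomains, without requiring the preload token) and the RETEST_FIXTURE hook that substitutes a constructed response for a live request are all assumptions made for this example.

```shell
#!/bin/sh
# retest.sh for hypothetical finding F-017: Strict-Transport-Security header
# missing or too weak. Added example, not Tholim's own script.
# Exit status is the verdict: 0 = fix verified, 1 = finding stays open.
set -u

# Closure criteria (assumption, modelled on the Chrome HSTS preload rules
# minus the "preload" token): header present, max-age >= 1 year,
# includeSubDomains set.
MIN_MAX_AGE=31536000

# fetch_headers HOST: print the response headers for https://HOST.
# When RETEST_FIXTURE is set, that constructed response is used instead of
# a live request so the check can run offline (assumption for this example).
fetch_headers() {
  if [ -n "${RETEST_FIXTURE:-}" ]; then
    printf '%s\n' "$RETEST_FIXTURE"
  else
    curl -sS -I --max-time 10 "https://$1"
  fi
}

# hsts_verdict HEADERS: return 0 if the policy meets the criteria, 1 otherwise.
hsts_verdict() {
  headers="$1"
  # First Strict-Transport-Security header, name matched case-insensitively,
  # CRLF stripped so a raw `curl -I` capture parses the same as a fixture.
  line=$(printf '%s\n' "$headers" | tr -d '\r' \
         | grep -i '^strict-transport-security:' | head -n 1)
  [ -n "$line" ] || return 1
  value=${line#*:}
  # Extract the max-age directive; absent or non-numeric means fail.
  max_age=$(printf '%s' "$value" | tr 'A-Z' 'a-z' \
            | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$max_age" ] || return 1
  # max-age=0 is the documented way to switch HSTS off, so presence of the
  # header alone must not count as a pass.
  [ "$max_age" -ge "$MIN_MAX_AGE" ] || return 1
  printf '%s' "$value" | grep -qi 'includesubdomains' || return 1
  return 0
}

# retest HOST: run the check, print a one-line verdict, return it as status.
retest() {
  host="$1"
  headers=$(fetch_headers "$host") || {
    echo "F-017: fetch failed for $host, finding stays open"
    return 1
  }
  if hsts_verdict "$headers"; then
    echo "F-017: PASS, HSTS policy on $host meets the closure criteria"
    return 0
  fi
  echo "F-017: OPEN, HSTS missing or weaker than max-age=$MIN_MAX_AGE; includeSubDomains"
  return 1
}

# Invoked with a host argument: ./retest.sh example.com
# With no argument the file only defines the functions, so a harness can
# source it and call retest/hsts_verdict directly.
if [ "$#" -gt 0 ]; then
  retest "$1"
fi
```

The point of the shape is that the acceptance criteria live in the script, next to the evidence folder, rather than in the reviewer's head: a header of max-age=0 (the documented way to disable HSTS) fails the check instead of passing on presence alone, and a fetch error keeps the finding open rather than silently passing. Re-running it against the patched surface is the whole of step 04.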
§03 · Engagements we do not take

Refusing the wrong work is part of the work.

Bigger isn't better when the work doesn't fit. We will say no — early, with a referral where we can — when one of the criteria below applies.

  • DECLINED

    No written authorisation, no work. If the contact reaching out cannot demonstrate authority over the target, we do not start.

  • DECLINED

    Adversarial reconnaissance against third parties. Audits to inform a lawsuit, an acquisition without consent, or a public attack-surface dump on a competitor — out of scope.

  • DECLINED

    Compliance theatre. "We need a report that says we are secure" is not a brief. We can help you actually be secure; we cannot help you appear to be.

  • DECLINED

    Engagements outside our depth. Embedded firmware, cryptography research, ICS/SCADA, hardware reverse engineering — we will refer you to specialists rather than fake it.

§04 · Standards we follow

The rulebooks our deliverables map to.

Every report cross-references the relevant control IDs from the standards below, so your security or compliance team can trace each finding to its corresponding obligation without rewriting the deliverable.

Methodology
PTES

Penetration Testing Execution Standard

Web testing
OWASP WSTG v5

Web Security Testing Guide

Verification
OWASP ASVS

Application Security Verification Standard, L1 to L3

Adversary model
MITRE ATT&CK

Reconnaissance & Initial Access tactics

Cloud baseline
CIS Benchmarks

AWS / GCP / Azure / Kubernetes

Risk framework
NIST CSF 2.0

Mapping for executive summaries

Email & domain
RFC 7489 / 8460 / 8461

DMARC · MTA-STS · TLS-RPT

Disclosure
RFC 9116

security.txt · Coordinated disclosure

If your problem fits the brief above, write to us.

Two-working-day reply with a scoping note, rough timeline, fixed-fee estimate. If we are not the right fit, we will say so and refer you to a practice that is.