Penetration Testing

Identify security weaknesses with realistic attacks.

Build a better security program

Novacoast has been performing security assessments for over 20 years. Our group of professional attackers for hire is called the Novacoast Attack Team (NCAT) and boasts some unique characteristics.

What Makes NCAT Different?

Novacoast is a standout among security groups, with NCAT likely being the most exciting and often entertaining group because of the nature of the work. Here are some things that set NCAT apart from its contemporaries in the industry:


The team comes from varied backgrounds in IT, software development, and security operations. We build our own exploits and perform in-depth, highly specialized assessments better because of this.

We also have the full technical resources of Novacoast at our disposal which includes experts in other technologies that may prove useful if we come up against something unique.


Our reports are detailed and actionable. The summary of any security assessment is what provides the value. We author our reports for broad appeal to satisfy executive and technical audiences alike. The reports contain:

  • Executive summaries
  • Technical findings with details and visual proof
  • Short-term remediation actions
  • Long-term security strategy actions

The reports can be customized by request.


We follow proven methodologies that adhere to industry best practices. These methodologies are constantly being updated and honed to follow the ever-changing threat landscape.

We dig deep in our penetration tests. Not only will we look at the immediate technical issues, but we’ll also take in the bigger picture and recommend strong long-term security strategies. For example: If we are able to break in and obtain Domain Administrator, we don’t stop there. We’ll use the opportunity to identify all of the additional weaknesses that would stand to be exploited following this type of compromise such as unused accounts, stale passwords, etc.

Secure data practices

NCAT utilizes an attack grid that is isolated and separate from Novacoast infrastructure as a whole. Data at rest and data in transit are encrypted. Artifact data resulting from a testing engagement is permanently deleted at the end of the assessment.

Customizable and flexible

Every customer is different, so we adapt to their unique needs. As part of an engagement, prior to beginning the assessment we can meet to:

  • Establish compliance standards requirements
  • Establish timing constraints (after hours testing only, etc.)
  • Reporting considerations
  • Desired alerts during the assessment (notification of successful compromise)
  • Scope considerations

Customer visibility

We understand that having a security assessment performed can be both an exciting and anxiety-inducing experience. We will schedule weekly cadence calls directly with the test engineers to discuss findings, recommend action, and provide further guidance.

Assessment execution

We can start quickly, generally within 2 weeks after signing the contract. Even before COVID-19, most security assessments we performed remotely. There’s really no need for travel or any other expenses unless physical security and in-person social engineering is part of the assessment.

Follow up

After the initial findings from an assessment are presented, it’s recommended to follow up after remediation action is taken to verify and validate that the vulnerabilities have been fixed. This is optional and may be scheduled at the customer’s leisure.

Many customers re-test with Novacoast annually. The benefit of using the same group is that we have a baseline to compare future testing with and can reveal insights on how security posture has changed or matured.