90% manual, 10% automated. Scanners find what's documented; our pentesters find what attackers are actively exploiting. Business logic, vulnerability chaining, and authorization abuse — scanners don't see this.
External, Internal, Web/API, Mobile, OT/SCADA, Wi-Fi, Social Engineering (phishing/spear), full Red Team, and recurring PTaaS. See /pricing for detailed prices and scopes.
Yes. We operate in Brazil, Portugal, Italy, Spain, Morocco, United States, and Australia. Engagements in USD, BRL, or EUR.
Simple external: 1 week. Web app: 2-4 weeks. Full Red Team: 6-12 weeks. PTaaS: continuous. Every proposal includes a specific timeline.
1) You submit a quote request or schedule a meeting. 2) Within 48h we send a proposal with scope, timeline, and pricing. 3) NDA + Authorization to Test are signed. 4) Execution. 5) Delivery of the executive and technical reports. 6) Optional retest.
Both. Executive (3-5 pages) with risk level and business impact for C-level and board. Technical (50-150 pages) with reproducible PoC, mitigation, and mapping to applicable regulation.
Yes. Our reports are accepted by SOC 2 Type II audits (CC trust services), ISO 27001 (control A.12.6), PCI-DSS 4.0 (req. 11.4), and equivalents. We map findings directly to framework requirements.
Not under normal conditions. We work in a mirrored staging (homologation) environment or in controlled maintenance windows. For critical systems (SCADA, hospital, bank core), we validate each step before execution. Pre-agreed red flags ensure an immediate stop if needed.
Mandatory mutual NDA, encrypted communication channels (Signal/Element), delivery via a dedicated portal, and zero data retention: all engagement data is destroyed 90 days after the final report, with a destruction certificate. See /legal/privacy.
Only with your express written authorization. Confidentiality is the default. When authorized, we may list logo + generic description.
Yes, in a full Red Team. Only the sponsor (usually the CISO/CSO) knows about the operation; the security team is not informed, as in a real attack. This measures detection, response, and containment time.
Brazil: PIX, boleto, transfer. International: SWIFT, USDC/USDT/BTC via regulated exchange (with KYC). Billing in BRL, USD, or EUR per jurisdiction.
Yes, for projects above BRL 20,000 (or equivalent). Up to 6 interest-free installments, subject to credit analysis.
No. 30-day notice cancellation. Automatic renewal absent cancellation — we want you to stay for the value delivered, not by contract.
Yes. Company qualified for public bidding, clean CADIN, current certifications. We serve Brazilian federal, state, and municipal agencies.
Senior pentesters who, on average, hold OSCP, CISSP, CRTO, GPEN, and CompTIA PenTest+. Each engagement has at least 1 lead and 1 executor, with peer review before delivery.
Yes. We operate Cobalt Strike, Mythic, Sliver with custom payloads, proper OPSEC, and TTP chain mapped to MITRE ATT&CK. We don't use commodity tools for serious Red Team.
Founder and CEO of intrus.io. 15+ years in offensive security, with engagements at Caixa Econômica Federal, Banco BMG, iFood, Federal Police, ArcelorMittal, Multibanco, Formula 1, and other regulated clients.