XRAY CyberSecurity

We provide a wide range of Penetration Testing Services.

We focus solely on pentesting, which allows us to develop expertise, and ensures that our recommendations are honest and objective — we don't try to upsell unnecessary software or hardware.

14/05/2026

Enterprise buyers have quietly raised the bar on vendor security.
They now require an independent third-party pentest report to sign new contracts or renew existing ones.

They've learned a checkbox pentest doesn't tell them whether a vendor is actually secure. So they're looking past the certificate, at what the testing covered and how deep it went.

This is the kind of testing we've built our practice around — and the reason global Enterprises have hired us directly to test their own SaaS vendors.

Our approach to manual application penetration testing for B2B SaaS:

XRAY CyberSecurity | Real attack chains by senior engineers.

Securing the ones who secure others πŸ”When a cybersecurity software company needs to test its own defenses, the bar is se...
26/03/2026

Securing the ones who secure others

When a cybersecurity software company needs to test its own defenses, the bar is set even higher.

In this engagement, we performed a full-scope manual penetration test across all of the client's systems — a company building digital life protection against scams in France.

Key highlights from the case:
🔹 Identified critical attack paths that automated scanners and standard audits wouldn't catch
🔹 Delivered clear remediation guidelines for every finding
🔹 Helped strengthen the client's overall security posture
🔹 Worked independently, without pulling the client's team away from their work
🔹 Perfect 5.0/5.0 client rating

"They worked independently, and their communication was good. Their delivery was on time."

📄 Read the full case study below.

19/03/2026

XRAY CyberSecurity ranked #1 among Top Penetration Testing companies in 2026 by Reverb.

Grateful for the recognition — and aware that rankings are just one lens. What matters more is why clients keep coming back.

Here's what we do differently:

🔹 Every engagement is 100% manual testing by senior engineers. No juniors on your project, no scanner-generated PDFs passed off as a pentest. We dig into business logic, build real attack chains, and show you what actual compromise looks like.

🔹 We don't sell software, hardware, or managed services. Pentesting is all we do. That keeps us objective and laser-focused.

🔹 And we treat every project as custom work — tight scoping, direct communication with the engineers doing the testing, and deliverables that make sense to both your technical team and your leadership.

👇 Link in comments

11/03/2026

Ordering a checkbox pentest? Expect a real incident to follow.

Security audits that exist to satisfy only a compliance requirement don't make your business safer.

They create a false sense of it — which is often worse than nothing.

Quality in pentesting can be abstract.

But it can be measured.

Check your vendor: do they only report vulnerabilities — or do they build attack chains?

There's a critical difference.

A single vulnerability rarely has catastrophic business impact on its own.

But a misconfigured permission, combined with a logic flaw, combined with a weak access control — stops being three medium-severity findings.

It becomes a full compromise scenario.

The business risk of the chain is almost always dramatically higher than the sum of its parts.

This is exactly how we approach every application pentest: we don't stop at finding an issue and assigning it a score.

We follow the path, chain the vulnerabilities together, and deliver a working proof of concept that shows what a real attacker would actually do to your business — and what it would cost you.

That's what makes the difference between a report that sits in a folder and one that actually reduces your risk.

05/03/2026

38 million users affected. ManoMano's breach.

☢️ We don't yet know the full impact - how this stolen personal data and customer service history will be weaponized for targeted phishing, fraud, or social engineering.

The entire attack went through a subcontractor who had legitimate access to customer data. According to ManoMano, their own infrastructure was not breached.

In January 2026, a threat actor compromised their third-party customer support provider and exfiltrated 37.8M user records, support tickets, and documents. ManoMano is a major European e-commerce platform with 50M+ monthly visitors.

This is what supply chain risk looks like in practice. Not a theoretical framework - a real scenario where one vendor's weak security exposed 38 million people.

The question this raises is not just technical. It's organizational:

ℹ️ If you're an enterprise that relies on third-party vendors, SaaS platforms, or outsourced services - do you actually verify their security posture? Not through questionnaires and compliance certificates, but through real penetration testing that simulates how an attacker would exploit their access to your data?

Some of our clients already do this - they commission pentests of the vendors and SaaS platforms they depend on, because they understand that their own security is only as strong as the weakest link in the chain.

ℹ️ If you're a vendor, a subcontractor, or a SaaS provider - are you waiting for your client to demand a pentest, or are you doing it proactively?

A penetration test is the only way to verify your actual security level - not a paper compliance status, but how your systems hold up against a real attack scenario. And increasingly, it's what enterprise clients expect before they sign or renew a contract.

25/02/2026

Stop building your security around the "impenetrable fortress" myth.
The perimeter is no longer a wall; it's just a speed bump.

Sophisticated attackers will eventually find a way in.
A stolen credential, a zero-day, or a simple human error.

The real question isn't how they got in - it's what happens next.

How far can they move laterally through your network?
How quickly can they escalate privileges to reach your "crown jewels"?

And the most critical metric:
How many days, weeks, or months will pass before your team even notices them?

The solution is Assume Breach Pentesting.

We simulate an attacker who has already bypassed your outer defenses.
We test your detection capabilities, not just your prevention tools.

Don't wait for a real incident to measure your "Blast Radius."
Know your weak spots before the hackers do.

25/02/2026

🌍 World-class security for world-class brands

This case study captures the standards that drive our ongoing partnership with Danone.

In this engagement, we did more than just penetration testing — we helped strengthen their security posture across specific IT systems.

Key highlights from the case:
✅ Comprehensive analysis of Network & Application security
✅ Strategic Action Plan with clear prioritization
✅ Delivery of both Technical and Executive reports

"The project was executed excellently."

We value the continued trust Danone places in our team.

👇 Read the full case study below.

πŸ† Exciting News! We're honored to announce that XRAY CyberSecurity has been ranked  #1 in The Manifest's "Top 100 Pe****...
09/09/2025

πŸ† Exciting News! We're honored to announce that XRAY CyberSecurity has been ranked #1 in The Manifest's "Top 100 Pe*******on Testing Services" (The Best of September 2025)!

https://themanifest.com/cybersecurity/pe*******on-testing/companies

This recognition reflects our team's unwavering commitment to delivering cutting-edge cybersecurity solutions and our clients' trust in our expertise.

Thank you to our incredible team and loyal clients who make this achievement possible. Your trust drives our mission to keep organizations secure in an ever-evolving threat landscape.


29/08/2025

81% of interactive intrusions were malware-free.

The CrowdStrike 2025 Threat Hunting Report confirms what our penetration tests consistently show: sophisticated tools aren't always necessary for enterprise IT compromise.

Adversaries often leverage built-in system functionalities, using everyday tools already present in your environment. The difference is simple: react to incidents and deal with consequences, or act proactively.

Regular penetration testing allows you to identify and fix security flaws before criminals exploit them, leaving them no chance.

Link to the full report in the comments.
Ready to outpace cyber threats? Contact us!


14/08/2025

How to run an Active Directory security audit in minutes?
There's a very simple tool.

PingCastle.

πŸ” Why we recommend it:
- Provides a comprehensive security overview of your domain
- Requires no complex setup
- Generates clear, actionable reports

⚡ The reality check: Yes, it's not a complete audit. No, it won't catch every vulnerability or risk in your environment. But here's the thing - if PingCastle flags high-level alerts, those 5 minutes will be the best investment you've made this week.

💡 Our take: Sometimes the most effective security improvements come from the simplest methods. PingCastle exemplifies this perfectly - it's proof that you don't always need complex tools to uncover significant security gaps.

Give it a try. Your future self will thank you when you spot that critical misconfiguration before an attacker does.

There are plenty of alternative utilities out there. Which one do you recommend?

Address

20 Wenlock Road
London
N17GU

Opening Hours

Monday 9am - 6pm
Tuesday 9am - 6pm
Wednesday 9am - 6pm
Thursday 9am - 6pm
Friday 9am - 6pm
