Frequently asked questions

Practical answers about how Vilkas works with clients, from scoping and timelines to reporting and post-remediation validation. For our full company story and engagement lifecycle visuals, see About Vilkas.

General FAQ

Company background, how we scope and deliver work, compliance and safety, remote testing and travel, partner programs, and how our service lines fit together.

About Vilkas

What does Vilkas Cybersecurity do?

We deliver offensive security assessments built around penetration testing, red team exercises, and related services. We emphasize hands-on manual analysis, clear reporting, and remediation guidance your team can act on. Explore all services, including network testing, application security, cloud, Active Directory, social engineering, and more.

Who is Vilkas a good fit for?

Teams that want depth beyond checkbox testing: reproducible findings, actionable fixes, and direct collaboration with experienced operators. We're a strong fit for security and engineering teams in fintech, healthcare, SaaS, and other regulated or high-growth environments that need real risk reduction, not a report that sits on the shelf.

What does “Vilkas” mean?

“Vilkas” means wolf in Lithuanian. It reflects strategy, adaptability, and showing up as a partner, not a distant vendor. Read our full story on About.

Do you work with MSPs or MSSPs?

Yes. We partner with MSPs and MSSPs who want to augment their security offerings with independent offensive testing and another set of eyes on the networks and environments they manage for clients. We align reporting and collaboration with how your team delivers services. The Partners and MSSPs page describes how we work with channel teams.

Engagement lifecycle and scoping

What is your typical engagement process?

We follow a consistent path: discovery and goals, then scoping (targets, methodology, rules of engagement, and pricing), kickoff with stakeholders and confirming necessary access, testing, reporting, and debrief. Your team leads remediation; we stay available for clarification. We finish with post-remediation testing so fixes are validated. See the full lifecycle on About.

How do we get started?

You can book a short introductory call to learn more about Vilkas and our services, or, if you are ready, move straight into structured scoping with our consultants. Book an introductory call, send us a message through Contact, or begin organizing scope inputs with the Vilkas scoping questionnaire.

How do you scope an assessment?

Scoping is led by consultants with deep, hands-on experience in the type of assessment you are buying, not by a sales-only handoff and not by a generic questionnaire on its own. A questionnaire can collect facts and constraints, but a qualified tester turns that into methodology, priorities, and edge cases tailored to your networks, applications, and business goals.

We document what is in and out of scope, rules of engagement, access, timing, and how we will communicate during testing. For a structured starting point on inputs, see the Vilkas scoping questionnaire.

Is post-remediation testing included?

Yes. Post-remediation validation is part of how we work, so you can confirm critical issues are fixed and the loop is closed, not just that findings were delivered once. This matches the methodology we describe across our services.

How long does an assessment take?

Timing depends on scope, environment size, complexity, and methodology. Many scoped projects run on the order of one to three weeks of testing plus reporting and debrief; larger networks, complex applications, or red team simulations can run longer. We align milestones during scoping. For general benchmarks, see the Services FAQ on our main services page.

Compliance, safety, and delivery

Can you map findings to compliance frameworks and programs?

Yes. We keep testing threat-driven and practical, and we map findings and recommendations to the frameworks and programs your stakeholders care about. Examples we regularly address in reporting and discussion include PCI DSS, HIPAA, GDPR, ISO 27001, FedRAMP, HITRUST, environments aligned with NIST SP 800-53 (including many FISMA-oriented federal contexts), and SOC 2. We can include other control catalogs when your program requires them. For a shorter overview, see the Services FAQ.

Will testing disrupt production or business operations?

We design testing to reduce risk to production: coordinated windows, excluded fragile systems, steady communication, and safer techniques first. Higher-risk steps are planned with you or placed in maintenance windows when that is the right call. For more detail on disruption, access patterns, and how we coordinate with your team, see the Services FAQ.

How do you handle geography, remote testing, and travel?

We are remote-first for many assessments so your budget goes toward testing time instead of travel. When onsite presence, physical access, or facility requirements matter, we travel according to your needs and any regulatory or contractual constraints you operate under.

Reports and assessment types

What goes into a Vilkas report?

You get risk-prioritized findings, enough technical detail to reproduce and fix issues, and guidance that works for both technical owners and leadership. We skip filler. Deliverables typically include an executive summary, technical detail, reproduction steps, remediation guidance, and evidence, plus a live debrief. Request a sample report if you want to see our format.

Do you offer executive summaries or debriefs?

Yes. We routinely provide technical walkthroughs and executive-level debriefs so each audience gets impact, priority, and next steps in language that fits their role.

What types of assessments do you offer?

We offer penetration testing and related offensive security work across network, application, cloud, identity, and social engineering. Each service below has its own page with scope, methodology, and expected outcomes. Services overview lists everything in one place.

Included offerings: Network penetration testing, vulnerability assessment, application security, cloud security, Active Directory security assessment, red team assessment, purple team assessment, social engineering, and security control and readiness assessment. We can combine offerings when your program needs one coordinated engagement.

Ready to talk specifics? Browse services or contact us.