Home Services Projects About Contact
Next-Gen Cyber Defense

FIND THE
BREACH
BEFORE
THEY DO

SECURE  ·  DEFEND  ·  TRUST

Circlete delivers adversary-grade penetration testing — uncovering hidden vulnerabilities in your networks, web applications, and APIs before they become headlines.

circlete@vapt ~ assessment
$circlete scan --target client.corp --mode full
[*] Initiating recon phase...
[*] Enumerating attack surface...
[!] CVE-2024-3400: PAN-OS detected — CRITICAL
[!] SQLi vector found: /api/v2/users — HIGH
[!] IDOR exposure: /portal/report/{id} — HIGH
[*] Pivoting internal network...
[+] Privilege escalation: domain admin obtained
[+] Report generated: assessment_2025.pdf
$
4
Core Services
100%
Manual Testing
72hr
Report SLA
Health Check ///
Network VAPT ///
Web App Pentesting ///
API Security ///
Threat Modeling ///
CVE Research ///
Exploit Development ///
Social Engineering ///
Health Check ///
Network VAPT ///
Web App Pentesting ///
API Security ///
Threat Modeling ///
CVE Research ///
Exploit Development ///
Social Engineering ///

OUR SERVICES

From an entry-level health check to full adversary simulation — we meet you where you are and take you where you need to be.

00
Entry Offer
CYBERSECURITY HEALTH CHECK

Not sure where your security stands? The Health Check is our structured entry engagement — a rapid, non-intrusive review of your external exposure, cloud configuration, and dark web footprint. You receive a prioritised risk report and a 30-day improvement plan your team can act on immediately, without needing a full penetration test.

Request a Health Check
What's included
  • External Vulnerability Scan
  • Firewall Rule Review
  • Microsoft 365 Security Review
  • Dark Web Exposure Check
  • Prioritised Risk Report
  • 30-Day Improvement Plan
01
INTERNAL NETWORK VAPT

Simulate insider threats and post-breach lateral movement across your entire internal infrastructure. We map your AD, enumerate misconfigurations, and escalate privilege — exactly as a real attacker would.

  • Active Directory Attacks & Kerberoasting
  • Lateral Movement & Pivoting
  • Network Protocol Exploitation
  • Firewall & Segmentation Review
  • Credential Harvesting Simulation
  • CVSS-Scored Findings Report
02
WEB APPLICATION PENTEST

Manual-first, OWASP Top 10 and beyond. We go deeper than automated scanners — chaining business logic flaws, authentication bypasses, and injection vulnerabilities into real-world exploit paths.

  • OWASP Top 10 & OWASP WSTG
  • Authentication & Session Analysis
  • SQLi, XSS, SSRF, XXE Testing
  • Business Logic Exploitation
  • File Upload & Deserialization
  • Source Code Review (Optional)
03
API PENETRATION TESTING

Modern apps live and die by their APIs. We test REST, GraphQL, and SOAP endpoints against OWASP API Top 10 — from broken object-level authorization to mass assignment and beyond.

  • OWASP API Top 10 Coverage
  • BOLA / IDOR at Scale
  • Auth Token Analysis & Replay
  • Rate Limiting & DoS Vectors
  • GraphQL Introspection Abuse
  • Postman / OpenAPI Integration
ENGAGEMENT METHODOLOGY
01
Scoping
Define boundaries, rules of engagement, and success criteria with your team.
02
Recon
OSINT, footprinting, and passive/active enumeration of the attack surface.
03
Exploitation
Manual exploitation of findings — chaining vulnerabilities to demonstrate true impact.
04
Post-Exploit
Lateral movement, persistence, and privilege escalation within agreed scope.
05
Reporting
Detailed findings with CVSS scores, evidence, and prioritised remediation roadmap.

SELECTED PROJECTS

Alongside our offensive security practice, we build custom software solutions for clients who need more than a report — they need a working system.

Custom Dashboard · United Kingdom
Sales & Commission Dashboard
Client: Knottinger Limited — Leeds, U.K.

Knottinger Limited is a Leeds, UK-based brand celebrating colour, craftsmanship and creative expression, and the concept store behind more than 40 independent makers. We designed and built a sales and finance management dashboard that lets Knottinger import sales and commission data directly from their POS systems, then view consolidated statistics on product performance and creator payouts in one place.

Because the store represents dozens of independent makers rather than a single seller, the platform was architected with multi-tenancy at its core — Knottinger can grant each individual creator their own login to view exactly their own sales and commission figures, without visibility into other makers' data. The system follows a multi-tier architecture, with an isolated backend, a dedicated business logic tier, and a separate internet-facing consumer interface, keeping sensitive data and processing away from the public-facing layer.

POS Data Import Sales Analytics Commission Tracking Multi-Tenant Access Mobile & Web Pentest
What We Delivered
  • Automated ingestion of sales & commission data from POS exports
  • Consolidated product-level sales statistics and reporting
  • Per-creator commission calculation and breakdown
  • Multi-tenant architecture with isolated creator accounts
  • Individual creator logins to self-serve their own sales data
  • Mobile-responsive dashboard for on-the-go access
  • Penetration test of the mobile app and consumer-facing website, with a findings report and remediation advice

ABOUT CIRCLETE

Circlete was built by practitioners who spent years on both sides of the perimeter. We are a Managed Security Services Provider focused exclusively on offensive security — delivering penetration testing engagements that go beyond checkbox compliance and into real adversarial simulation.

Every engagement is led by a senior consultant. No junior-only teams. No fully automated reports dressed up as manual testing. When we find a vulnerability, we demonstrate its real-world impact — chaining findings into attack paths that tell your board exactly what an attacker would do.

We work with SMEs, fintechs, healthcare providers, and enterprise clients across Sri Lanka and beyond — organizations that cannot afford a breach and demand assurance they can act on. Our deliverables are built for two audiences: your technical team who will fix the issues, and your leadership who needs to understand the risk.

The name Circlete reflects a core belief: security is not a one-time audit. It is a continuous loop — assess, defend, reassess. We partner with clients across that entire cycle.

SECURE
We find vulnerabilities before your adversaries do. Every engagement is scoped for maximum realistic impact — not surface-level scanner output.
DEFEND
Our reports are built for action. Prioritised remediation, clear severity ratings, and re-testing included. We don't disappear after delivery.
TRUST
Confidentiality is non-negotiable. Every engagement operates under a signed NDA, strict rules of engagement, and full data handling accountability.

START AN ENGAGEMENT

Ready to know what an attacker would find? Reach out for a scoping call. No obligation, no boilerplate pitch — just a direct conversation about your exposure.

✓   Message received. We will respond within 24 hours.
Location
Colombo, Sri Lanka
Engagements conducted island-wide and remotely
Email
contact@circlete.com
For general enquiries and new engagements
Response Time
Within 24 Hours
Mon – Fri, 08:00 – 18:00 (IST)
Report Delivery SLA
72 Hours Post-Assessment
Draft findings shared same-day for critical severity items
// All engagements covered by NDA.
// Zero vulnerability data retained post-delivery.
// Free re-test included for all critical findings.