Next-Gen Cyber Defense

FIND THE BREACH BEFORE THEY DO

SECURE  ·  DEFEND  ·  TRUST

Circlete delivers adversary-grade penetration testing — uncovering hidden vulnerabilities in your networks, web applications, and APIs before they become headlines.

circlete@vapt ~ assessment
$ circlete scan --target client.corp --mode full
[*] Initiating recon phase...
[*] Enumerating attack surface...
[!] CVE-2024-3400: PAN-OS detected — CRITICAL
[!] SQLi vector found: /api/v2/users — HIGH
[!] IDOR exposure: /portal/report/{id} — HIGH
[*] Pivoting internal network...
[+] Privilege escalation: domain admin obtained
[+] Report generated: assessment_2025.pdf
$
3 Core Services
100% Manual Testing
72hr Report SLA
Network VAPT
Web App Pentesting
API Security
Threat Modeling
CVE Research
Exploit Development
Social Engineering

OUR SERVICES

Adversary-simulated testing across every attack surface. We think like attackers so your defenses hold against real ones.

01 INTERNAL NETWORK VAPT

Simulate insider threats and post-breach lateral movement across your entire internal infrastructure. We map your AD, enumerate misconfigurations, and escalate privilege — exactly as a real attacker would.

  • Active Directory Attacks & Kerberoasting
  • Lateral Movement & Pivoting
  • Network Protocol Exploitation
  • Firewall & Segmentation Review
  • Credential Harvesting Simulation
  • CVSS-Scored Findings Report

02 WEB APPLICATION PENTEST

Manual-first, OWASP Top 10 and beyond. We go deeper than automated scanners — chaining business logic flaws, authentication bypasses, and injection vulnerabilities into real-world exploit paths.

  • OWASP Top 10 & OWASP WSTG
  • Authentication & Session Analysis
  • SQLi, XSS, SSRF, XXE Testing
  • Business Logic Exploitation
  • File Upload & Deserialization
  • Source Code Review (Optional)

03 API PENETRATION TESTING

Modern apps live and die by their APIs. We test REST, GraphQL, and SOAP endpoints against OWASP API Top 10 — from broken object-level authorization to mass assignment and beyond.

  • OWASP API Top 10 Coverage
  • BOLA / IDOR at Scale
  • Auth Token Analysis & Replay
  • Rate Limiting & DoS Vectors
  • GraphQL Introspection Abuse
  • Postman / OpenAPI Integration

ENGAGEMENT METHODOLOGY

01 Scoping
Define boundaries, rules of engagement, and success criteria with your team.

02 Recon
OSINT, footprinting, and passive/active enumeration of the attack surface.

03 Exploitation
Manual exploitation of findings — chaining vulnerabilities to demonstrate true impact.

04 Post-Exploit
Lateral movement, persistence, and privilege escalation within agreed scope.

05 Reporting
Detailed findings with CVSS scores, evidence, and prioritised remediation roadmap.

ABOUT CIRCLETE

Circlete was built by practitioners who spent years on both sides of the perimeter. We are a Managed Security Services Provider focused exclusively on offensive security — delivering penetration testing engagements that go beyond checkbox compliance and into real adversarial simulation.

Every engagement is led by a senior consultant. No junior-only teams. No fully automated reports dressed up as manual testing. When we find a vulnerability, we demonstrate its real-world impact — chaining findings into attack paths that tell your board exactly what an attacker would do.

We work with SMEs, fintechs, healthcare providers, and enterprise clients across Sri Lanka and beyond — organizations that cannot afford a breach and demand assurance they can act on. Our deliverables are built for two audiences: your technical team who will fix the issues, and your leadership who needs to understand the risk.

The name Circlete reflects a core belief: security is not a one-time audit. It is a continuous loop — assess, defend, reassess. We partner with clients across that entire cycle.

SECURE
We find vulnerabilities before your adversaries do. Every engagement is scoped for maximum realistic impact — not surface-level scanner output.
DEFEND
Our reports are built for action. Prioritised remediation, clear severity ratings, and re-testing included. We don't disappear after delivery.
TRUST
Confidentiality is non-negotiable. Every engagement operates under a signed NDA, strict rules of engagement, and full data handling accountability.

START AN ENGAGEMENT

Ready to know what an attacker would find? Reach out for a scoping call. No obligation, no boilerplate pitch — just a direct conversation about your exposure.

Location: Colombo, Sri Lanka
Engagements conducted island-wide and remotely

Email: contact@circlete.com
For general enquiries and new engagements

Response Time: Within 24 Hours
Mon – Fri, 08:00 – 18:00 (IST)

Report Delivery SLA: 72 Hours Post-Assessment
Draft findings shared same-day for critical severity items

// All engagements covered by NDA.
// Zero vulnerability data retained post-delivery.
// Free re-test included for all critical findings.