About CyberGuards

A small senior team. The person you meet is the person who tests.

CyberGuards is a small penetration-testing team based in San Francisco. We do one thing — hands-on offensive testing for teams who need a credible answer in front of customers, auditors, and the board.

Why we do this

Most pentest reports are written for filing, not fixing.

We started CyberGuards because the engineering teams we worked with all had the same complaint about the pentests they had paid for: a thick PDF, a stack of generic CVE descriptions, and no clear path from finding to fix. The version of the engagement that worked — a senior tester, a clear proof per finding, a paste-ready remediation, and a retest of reported findings — turned out to be hard to buy.

So we built it. The work is the same hands-on penetration testing teams have done for two decades. The packaging — what the deliverable looks like, who runs the engagement, what the retest costs — is what's different.

How the team evolved

A short, honest history.

No invented dates, no inflated milestones. The capabilities below were added in the order our customers asked for them — which is a more honest record than a timeline ever is.

  1. Founded

    A small offensive-security team in San Francisco

    CyberGuards started as a small group of senior penetration testers tired of seeing engagements scoped by sales and executed by junior staff. The first engagements were web application and API tests for SaaS teams in the Bay Area — and the engagement model (senior testers, paste-ready findings, retest of reported findings included in scope) is the same today.

  2. Cloud

    Added cloud-configuration testing as customers moved to AWS, Azure, and GCP

    When customers started running production in cloud accounts, the highest-impact findings shifted to IAM trust paths and configuration drift. We built explicit cloud-account engagement scope and CIS-aligned reporting.

  3. Compliance

    Tuned reporting for SOC 2, ISO 27001, PCI DSS, and HIPAA

    Most of the questionnaires our customers were answering started looking like the same controls in different language. We added control mapping to every report and built explicit compliance-pentest scope so audit field work is shorter and cleaner.

  4. AI features

    Added AI security testing for teams shipping LLM-backed product

    When customers started shipping chat, RAG, and tool-use features, the prompt and the retrieval became part of the attack surface. We added AI security testing aligned to the OWASP Top 10 for LLM Applications and to the NIST AI Risk Management Framework.

  5. Continuous

    Vulnerability scanning with human triage between annual pentests

    Customers wanted continuous coverage between annual pentests but did not want to drown their team in scanner output. We added vulnerability scanning paired with human triage so only real, prioritized findings reach the engineering tracker.

Specific engagement counts and customer names are kept in confidence by request. References are available after the scoping call.

How we work

Four principles, applied to every engagement.

A senior tester leads every engagement

The person on the scoping call is the person leading the testing. Engagements are run in-house with the team you spoke to — we do not subcontract testing to third parties.

Plain language in every deliverable

Findings are written so an engineer can act on them, an auditor can map them, and a board member can understand them.

Retest of reported findings, included

After you fix the items in the report we retest them and update the report — included in scope.

No unauthorized testing, ever

All testing happens under signed scope. We say no to engagements where rules of engagement cannot be agreed up front.

Credentials

Certifications across the team.

Mostly practical, hands-on certifications earned at a keyboard (OSCP, OSWE, GXPN, CRTO, CREST CRT), alongside the cloud and governance certifications auditors ask about (CCSP, CISSP). We carry a mix of offensive-security and cloud certifications across the team.

  • OSCP

    Offensive Security Certified Professional

  • OSWE

    Offensive Security Web Expert

  • GPEN

    GIAC Penetration Tester

  • GXPN

    GIAC Exploit Researcher and Advanced Penetration Tester

  • CRTO

    Certified Red Team Operator

  • CCSP

    Certified Cloud Security Professional

  • CISSP

    Certified Information Systems Security Professional

  • CREST CRT

    CREST Registered Penetration Tester

Frameworks we test against

Boring, well-defined, and what auditors expect.

  • OWASP Testing Guide
  • OWASP ASVS
  • OWASP API Security Top 10
  • OWASP Top 10 for LLM Applications
  • MITRE ATT&CK
  • NIST SP 800-115
  • PTES
  • CIS Benchmarks

FAQ

About us — common questions

How big is the team?

Small and senior by design. We staff each engagement around one or two senior testers and keep the team small enough that the person on the scoping call is the person leading the work. Engagements are run in-house — we do not subcontract testing to third parties.

Do you work remotely or on-site?

Both. We are based in San Francisco and most testing is remote. On-site engagements are available for internal network testing, physical scope, or sensitive environments where remote access is not appropriate.

Are you hiring?

We hire experienced penetration testers occasionally. If you have a strong offensive security background and the certifications to back it up, send a note to [email protected] with a writeup or two.

How do you handle sensitive findings?

Findings are encrypted in transit and at rest, retained only as long as needed for the engagement plus a defined retention window agreed in scope, and never disclosed to third parties without written authorization.

Want to talk to the people who would test you?

The scoping call is the same person who runs the engagement. Thirty minutes, no slides, no pitch.