How a Provecore engagement works

You submit your stack, target surfaces, and goals through our contact form or email. We review and respond within one business day with questions or a proposed approach. No automated quoting — every scope is reviewed by a person.

A 30-minute call to align on scope, access requirements, authorization boundaries, and timeline. We discuss your tech stack, auth model, and what specific surfaces matter most. You receive a written proposal and SoW within 48 hours.

You sign the Rules of Engagement authorizing the test. We receive credentials, API documentation (if available), and any relevant context. Kickoff call confirms the test window, communication channel for critical findings, and reporting format.

Exploitation-led testing across the agreed surfaces. We follow a structured methodology covering authentication, authorization, business logic, input handling, API security, and session management. Critical findings are reported verbally same-day. No scanner-only passes — every finding is manually validated.

You receive two documents: an Executive Summary for leadership and procurement reviewers, and a Technical Findings Report for your engineering team. Every finding includes: severity, root cause, proof of exploitation, affected endpoint or code path, and step-by-step remediation guidance.

A 45–60 minute call to walk your engineering team through the findings, answer questions, clarify reproduction steps, and prioritize remediation order. This is optional but reduces ambiguity significantly.

After your team applies fixes, we retest each finding, verify remediation, and issue a written Retest Confirmation Letter. This letter confirms the specific issues tested and their status — suitable for inclusion in SOC 2 packages, vendor security questionnaires, or customer requests.