Why Pensta

Trust from experience, clarity, and community

Pensta was founded in 2025 by Michael Minchinton, a security professional with 20+ years in penetration testing, research, and responsible disclosure. While Pensta is a new consultancy, it stands on the strength of Michael’s personal track record and an approach that puts clarity and actionability first.

By choosing Pensta, you strengthen your defences and also help us give back—your engagement supports our efforts to open doors for others to build careers in cybersecurity.

What makes us different

  • Senior attention on every engagement
    Every test is led and overseen by a senior penetration tester from start to finish. At present, all testing is performed by senior professionals. As we grow and introduce junior consultants, they’ll be closely mentored to maintain the same high standards.
  • Clear, decision-ready reporting
    Non-technical executive summaries, prioritised remediation, and reproducible technical detail—plus optional video walk-throughs for critical issues.
  • Agile and reliable
    Faster start dates, low admin overheads, and flexibility around release cycles and change freezes.
  • Partnership, not box-ticking
    We map real attacker TTPs to your environment, then stay available to help you close gaps and validate fixes.

Recognised expertise (Michael Minchinton)

Before founding Pensta, Michael received acknowledgements for responsible disclosure and research from:

  • UK Cabinet Office — reporting critical GOV.UK cache exposures
  • Microsoft — listed among trusted security researchers
  • Google — Application Security Hall of Fame
  • PayPal — Bug Bounty Wall of Fame
  • Sitecore — critical XSS disclosure

These acknowledgements were awarded to Michael personally.

Proven track record (bug bounty & research)

  • Bugcrowd (handle: gtrf) — 100% accuracy on programmes including SpaceX, Twilio, Indeed, and others
  • HackerOne (handle: bugbound) — vulnerabilities disclosed in Monero, Tide, A.S. Watson Group

This demonstrates depth of technical ability, precision, and ethical responsibility.

How we work

  1. Scoping call — objectives, crown jewels, timelines, constraints
  2. Proposal & plan — scope, methodology, evidence, pricing
  3. Testing — hands-on methods aligned to OWASP, NIST and NCSC guidance
  4. Reporting — plain-English summaries, reproducible steps, pragmatic fixes
  5. Remediation support — we answer questions as your team patches
  6. Re-test — complimentary verification of in-scope critical/high fixes within an agreed window
  7. Assurance pack — evidence for stakeholders, auditors, and customers

Services

  • Web & API Penetration Testing — auth, business logic, data exposure, modern attack chains
  • Cloud & Kubernetes Reviews — misconfigurations, identity boundaries, workload isolation
  • Internal & External Infrastructure — network paths, AD abuse, phishing-led entry, lateral movement
  • Mobile App Testing — platform-specific issues, API trust boundaries, secure storage/transport
  • Incident Readiness & Light Forensics — containment guidance, evidence basics, post-incident hardening

Need something bespoke? We’ll tailor the scope to your environment and risk profile.

Security & confidentiality

  • Data handling — encrypted transfer/storage; strict need-to-know access
  • GDPR — data minimisation with clear retention & deletion policy
  • Safe testing — change-controlled, safeguards for availability and integrity
  • Insurance — professional indemnity and public liability cover appropriate for UK clients

Standards & methodology

We align to: OWASP ASVS & Top 10 • OWASP MASVS • NIST 800-53/115 • MITRE ATT&CK • CIS Benchmarks.
Reports include CVSS scoring and CWE/OWASP references to streamline tracking.

Community impact

We share knowledge, support skills development, and contribute to the wider cybersecurity community. By working with Pensta, you help us continue that work and expand opportunities for others.

FAQs

Are you CREST or CHECK accredited?
Not at present. Many clients choose us for senior expertise, clarity of reporting, and speed of delivery. If your procurement requires a specific accreditation, tell us—if we’re not the right fit, we’ll say so upfront.

What does the “complimentary re-test window” include?
For most engagements, we verify fixes for in-scope critical and high findings once, within an agreed timeframe, at no extra cost.

Can you support audits and customer due diligence?
Yes—our assurance pack includes executive summaries, methodology, evidence, and re-test results suitable for auditors and customers.

Ready to strengthen your security?

Book a free 30-minute consultation with a senior tester—no jargon, no pressure.
Schedule your consultation: hello@pensta.co.uk