StrikePoint · Companion to the Architecture Guide
A methodology says how we test. It does not, by itself, say what counts as a win — and without that, "the test succeeded" is whatever the report claims. This module defines the missing half: a pre-agreed, contractual threshold of customer surrender that authenticates a methodology actually worked.
The agreed surrender level is two things at once: the success bar (how far we must get to prove a control failed) and the stop line (how far we are authorized to go). Acceptance criteria and rules of engagement are the same dial.
Every engagement, per attack surface, carries an agreed Surrender Level — the depth of compromise at which the client's defense is deemed to have surrendered. It is written into the Statement of Work as an option the client selects, and it resolves the two hardest questions in offensive testing at the same time:
Five rungs, escalating from "the door is reachable" to "we walked out with the crown jewel." Every attack surface maps onto these same rungs, so acceptance is defined in one consistent language across the whole engagement.
The vector exists and is reachable from the tester's position. No interaction, no exploitation — pure attack-surface confirmation. The lowest-risk finding: "this door faces the street."
A weakness is demonstrably exploitable, or a human demonstrably engages (clicks the link, answers the pretext) — proving compromise would occur, without actually taking the secret or firing the exploit. Non-destructive proof of susceptibility.
The secret or the access is actually in StrikePoint's hands — credential captured, OTP disclosed, foothold established, data readable. The surrender happened; we hold what we obtained but have not yet used it.
StrikePoint uses the obtained access to perform a pre-authorized, safe, reversible proof-action: authenticate with the credential, redeem the OTP, move one hop laterally, or drop a benign marker / harmless proof payload. Demonstrates real — not theoretical — impact, inside a defined blast radius.
StrikePoint reaches the pre-defined target asset — the agreed "flag": a specific record, system, or crown-jewel data set — demonstrating full chained business impact. The deepest authorized surrender, and the strongest consent requirement.
The same five rungs, translated into concrete meaning for each attack surface in the methodology. This is the table referenced when a Statement of Work sets the level for each in-scope vector.
| Attack surface | S0 Reachable | S1 Susceptible | S2 Surrendered | S3 Actioned | S4 Objective |
|---|---|---|---|---|---|
| Social engineering (phish / vish / pretext) | Target reachable & profiled | Target clicks / answers / engages | Target discloses credential or OTP | SP authenticates with it / redeems OTP / sends benign proof from account | SP reaches the data the lure targeted |
| External network & web app | Service exposed to internet | Vuln safely validated, not fired | Exploit lands; session / foothold gained | Controlled command exec / read a proof file | Reach target database or record |
| Wireless | Rogue AP / weak SSID in range | Association or handshake capture possible | Network access obtained | Pivot to an internal resource | Reach segmented crown-jewel system |
| Telecom / VoIP | PBX / SIP endpoint exposed | Misconfig present (default creds, open relay) | Unauthorized call path obtained | Place a controlled proof call / benign action | Reach target voice system or toll route |
| Physical | Entry point identified | Tailgating opportunity demonstrated | Actual entry achieved | Reach defined internal point / connect benign device | Reach server room / exec office / asset |
| Denial of service | Amplifiable / exhaustible vector found | Controlled, throttled degradation demonstrated | Capped — staging/isolated only | Out of scope by default | Out of scope by default |
The client picks where the test authenticates as successful, and where StrikePoint must stop.
Two values, set per in-scope surface in the Statement of Work. They are usually equal, but the client may authorize deeper demonstration than the pass bar requires.
The surrender level at which the test authenticates as successful — i.e., the control is deemed failed and a finding is raised. From the client's side, reaching this level = a control that must be remediated.
The maximum surrender level StrikePoint is permitted to reach. Always ≥ the pass threshold. Reaching it is the mandatory stop line — StrikePoint goes no further, whatever else is possible.
Example clause shape: Social Engineering — Pass Threshold: S2 (disclosure). Authorization Ceiling: S3 (controlled use), named approver: [CISO]. Stop on: any access to customer PII.