Offensive Security Consultancy

Not every vulnerability
announces itself.

Qila finds the ones that don't. Manual penetration testing, clear reporting, and direct expert communication: the same person scopes your engagement, runs the tests, and delivers the report.

Working with teams in

Financial ServicesHealthcareSoftware & SaaSProfessional ServicesManufacturingStartups
About Qila

Built for the
organizations that
can't afford gaps.

Qila is a boutique offensive security consultancy. We work with a deliberate number of clients, not hundreds, so that every engagement receives the attention and focus it deserves.

Our work spans web applications, APIs, and external attack surfaces. We test the same systems that real adversaries target, using the same techniques, then give you a precise, actionable picture of your risk, not a report padded with low-severity noise.

Est. Bosnia & Herzegovina
01

Manual-first

Every test is executed by a human expert. We don't rely on scanner output, we think like attackers.

02

No handoffs

The analyst who finds your vulnerabilities writes your report and presents it to your team. No lost context.

03

Honest scope

We only offer what we can deliver at the highest standard. Breadth at the expense of depth helps no one.

04

Clear communication

Reports are written for both technical teams and leadership. Risk is never buried in jargon.

Who this is for

Built for teams that move fast
and need security that keeps up.

Qila works with organisations that want direct expert access to the practitioner doing the work, from early-stage startups to established businesses. If you're building or operating a web product and want to know where you're actually vulnerable, we're a practical fit.

Startups

You're building fast, handling user data, and don't yet have dedicated security. A focused assessment tells you where your real risks are before a client or investor asks.

SMBs

You run a public-facing application or platform without an internal security team. We scope testing to fit your environment, not a corporate enterprise checklist.

Software agencies

You build applications for clients and want an independent review before delivery. We assess what you've built and give your clients something concrete.

SaaS companies

You hold customer data and face audit requirements or security questionnaires. A pentest report demonstrates due diligence to clients and enterprise buyers.

Why Qila

A boutique practice
built on focused work.

We deliberately stay small. Every client gets direct attention from the practitioner doing the work, from the first conversation to the final report.

NDA before work begins

Every engagement is covered by a mutual non-disclosure agreement, signed before any discussion of your systems.

Written authorisation required

We will not test any system without explicit written authorisation from the party responsible for it. No exceptions.

Report on the agreed date

We scope carefully and commit to a delivery date. You receive the report when we said you would.

Direct expert access

The person who scopes your engagement is the same person who tests it and writes the report. You always know who is doing the work and can reach them directly.

Manual over automated

Automated scanners are a starting point, not a methodology. We find the vulnerabilities that live in your business logic, your session handling, your custom authentication flows, the ones scanners reliably miss.

Reporting that communicates

We write for your developers and your board simultaneously. Technical findings with full reproduction steps. An executive summary that explains real business risk without jargon.

Honest scope, honest results

We only offer services we genuinely provide. If a finding isn't real, it doesn't go in the report. If a service is outside our focus, we'll tell you and refer you to someone qualified.

Our process

Seven steps.
No surprises in between.

Every engagement follows the same structured process so you always know where things stand.

  1. Discovery

    We learn about your environment, technology stack, and what matters most to your business.

  2. Scoping

    Together we define clear boundaries, objectives, and timelines so there are no surprises.

  3. Assessment

    Manual testing by experienced practitioners, methodical, thorough, and documented as we go.

  4. Validation

    Every finding is verified before it enters the report. We don't pad results with false positives.

  5. Reporting

    A clear report delivered on time: executive summary, technical findings, and actionable remediation guidance.

  6. Debrief

    We walk through every finding with your team, answer questions, and clarify anything that needs context.

  7. Retesting

    Once you've remediated, we can retest to confirm the fixes held and issue a clean letter of attestation.

FAQ

Frequently asked questions.

All questions

Scope determines duration. A focused assessment of a single web application usually takes between three and five days of active testing, plus time for report writing. More complex applications with extensive functionality or multiple APIs take longer. We scope precisely before any engagement so you know exactly what to expect.

Ready to start?

Understand your real risk
before someone else does.

A short conversation is all it takes to get a clear scope, timeline, and pricing, no commitment required.