Frequently Asked Questions

FAQs About Working With Canary Trap

From scoping and testing to reporting and retesting, this FAQ page covers the essentials of working with Canary Trap. Explore answers to common questions about our offensive security services, client experience, and what to expect throughout an engagement.

What does Canary Trap do?

Canary Trap is a services provider focused on offensive security, delivering penetration testing and advisory services aligned to industry standards and compliance frameworks.

Is Canary Trap a product company or a consulting firm?

Canary Trap is a services-based cybersecurity consultancy. We do not sell security software or automated scanning tools as standalone products.

Who are your typical clients?

Our clients include mid-market and enterprise organizations across regulated industries such as finance, healthcare, SaaS, critical infrastructure, and government-adjacent environments.

What types of penetration testing do you offer?

  • External network penetration testing
  • Internal network penetration testing
  • Web application penetration testing
  • Mobile application penetration testing
  • Wireless network penetration testing
  • AI penetration testing
  • API penetration testing
  • Cloud infrastructure penetration testing
  • Physical penetration testing
  • Red and Purple Team Exercises
  • PCI DSS penetration testing
  • OT Network penetration testing

What types of advisory services do you offer?

  • Social Engineering Vulnerability Assessments
  • Microsoft 365 security controls reviews
  • Cloud controls reviews
  • Tabletop exercises
  • Secure code reviews

Do you perform automated vulnerability scans only?

No. Our testing is manual and expert-led, supported by tooling where appropriate.

Do you offer continuous security monitoring?

Yes. In addition to point-in-time testing, we offer continuous external and cloud attack surface monitoring as part of FlightPath.

What frameworks does Canary Trap align with?

  • NIST SP 800-115
  • ISO/IEC 27001 and 27002
  • CIS Critical Security Controls (v8)
  • OWASP Top 10 (Web, API, and AI where applicable)
  • PCI DSS penetration testing requirements

Are your penetration tests suitable for compliance audits?

Yes. Our deliverables are designed to support audits such as PCI DSS, SOC 2, ISO 27001, and regulatory security reviews, though we do not act as auditors.

Do you provide remediation guidance?

Yes. All findings include risk context, impact explanation, and actionable remediation guidance tailored to the environment tested.

Does Canary Trap test AI systems or machine learning models?

Yes. We assess AI-enabled systems, APIs, and workflows for security risks such as data exposure, prompt injection, access control failures, and integration weaknesses.

Do you use AI to perform penetration testing?

We may use AI-assisted tooling to enhance efficiency, but all findings are validated and reviewed by human security professionals.

What sets Canary Trap apart from other providers?

X

Does Canary Trap train or fine-tune AI models?

No. Canary Trap does not train, host, or sell proprietary AI models.

Where can I learn more about Canary Trap's services?

Contact us to talk to a team member about our services and how we can help you with your next offensive security project.

Why is penetration testing important for businesses?

Penetration testing helps organizations understand how real attackers could compromise their environment. It identifies exploitable weaknesses, validates whether controls are effective, and provides clarity on where risk actually exists, beyond compliance checklists.

When should a business conduct penetration testing?

Penetration testing should be conducted annually or when major changes to network or applications occur.

How does Canary Trap handle sensitive data discovered during testing?

All data is handled in accordance with contractual obligations, least-privilege access principles, and strict confidentiality controls. Sensitive data is not retained beyond engagement requirements.

Do you store client data after an engagement ends?

No. Client data is securely destroyed or returned according to the terms of the engagement and retention policies.

What does a penetration testing report include?

  • Executive summary
  • Risk-rated findings
  • Technical details and evidence
  • Remediation guidance
  • Compliance mapping (if required)

Are reports written for technical and non-technical audiences?

Yes. Reports are structured to support executives, technical teams, and auditors.

How long does a typical penetration test take?

Engagements typically range from one to four weeks, depending on scope and complexity.

What types of vulnerabilities do you commonly find?

Canary Trap finds a wide range of vulnerabilities. Common findings include:

  • Injection vulnerabilities
  • Weak or reused service account credentials
  • Misconfigured Active Directory permissions and trusts
  • Insecure direct object references
  • Weak session management
  • Missing or inconsistently enforced multi-factor authentication
  • Legacy authentication protocols still enabled
  • Insufficient input validation

How often should penetration testing be conducted?

Penetration testing should be conducted at least yearly. If substantial changes occur in the network or application environment, additional testing may be required.

Can penetration testing impact system performance?

Penetration testing can impact network performance if it is not performed properly and safely, which is why Canary Trap ensures that our testing is safe and controlled.

Do you offer retesting?

Yes. Retesting can be included as part of an engagement or scoped separately.

Where is Canary Trap based?

Canary Trap operates in North America.

Is Canary Trap affiliated with law enforcement or intelligence agencies?

No.

Does Canary Trap sell exploits or malware?

No.

Does Canary Trap engage in unauthorized hacking?

No. All testing is ethical, authorized, and client-approved.

Is Canary Trap an automated scanning platform?

No.