
Resources

Security playbooks

Field-tested operating documents for teams that want to ship with deterministic proof. Each playbook is a short, opinionated PDF we use inside Pentrova engagements — request a copy and we’ll send it over, or adopt the sections that fit your shop.

Available playbooks

  • AppSec runbook

    A week-by-week operating model for a small AppSec team covering intake, triage, ownership routing, deterministic verification, and closing the loop with engineering. Includes SLA templates, generic ticket field mappings, and the escalation path for findings that require sandbox replay.

  • Incident triage

    A step-by-step triage guide for the first sixty minutes after a suspected exploit. Covers scoping, evidence preservation, deterministic reproduction in a staging replay environment, communication templates for legal and exec stakeholders, and the decision tree for external disclosure.

  • Pre-production pentest

    A release-blocking pentest checklist that ships with a scoped authorization matrix, an API surface enumeration, a DOM-XSS canary pass, and a sandboxed PoC requirement for every critical finding. Designed to run in under forty-eight hours on a feature branch before it reaches production.

  • Audit readiness

    A mapping between ISO 27001:2022 A.8.8 / A.8.29, PCI DSS 11.4, HIPAA Security Rule §164.308(a)(8), and GDPR Article 32 controls and the artifacts Pentrova retains for each one. Includes a ready-to-ship evidence-bundle layout, a per-finding evidence checklist, and the RACI matrix we use to answer auditor questions in the first round.

  • Continuous security

    A CI/CD integration playbook that wires Pentrova into GitHub Actions and GitLab CI, gates merges on deterministic-proof severity, and exposes the authorization matrix drift report as a PR comment. Covers rollback, exception handling, and the change-management hooks your platform team needs.
