Cybersecurity services that find the attack paths before adversaries do.

One senior-led firm for offensive security, GRC, and business risk advisory — every finding demonstrated, mapped to a control, and turned into a decision you can act on.

  • Senior-led delivery.
  • No tools sold.
  • Evidence-driven reporting.
  • ISO 27001
  • NIS 2
  • SOC 2
  • GDPR
  • DORA

The problem we remove.

You're not short of security reports. You're short of a straight answer.

The pen test says "12 highs." The GRC programme says "certified." The board pack says "we’re managing it." Three vendors, three vocabularies, and no one will tell you the one thing you actually need: if a capable attacker came for you this quarter, what would they reach, what would it cost, and what should you fix first?

That translation is work — and right now you’re the one doing it, between a test report, a compliance deck, and a board meeting. HackingByte removes that work. One senior team tests what others assume, documents what others hand-wave, and advises where others stop at a finding — so exploit, control gap, and business impact finally tell the same story.

What we do.

Four pillars, one engagement model.

  • Penetration Testing

  • Red Teaming

  • GRC Advisory

  • Security Assessments

Senior practitioners only — the person who scopes your work is the person who delivers it.

Who we work with.

Security solutions for SaaS, fintech, and regulated companies.

HackingByte is built for the security buyer who has to translate a pen test, a compliance programme, and a board paper into one defensible position. Most of our work is with SaaS and fintech mid-market teams: companies past the seed stage, operating under real customer-security questionnaires, regulatory pressure, or upcoming audits — and tired of stitching three vendors together.

We engage where threat exposure is real and the stakes are operational: a deal stuck on a security review; an ISO 27001 or SOC 2 audit on the calendar; a NIS 2 or DORA scope being mapped; a cloud migration whose attack surface has outrun its controls. Senior-led, evidence-first, and grounded in real-world offensive security — not checklist box-ticking.

Engagement is remote-first across the EU, UK, and Morocco, with on-site availability when scope and engagement type genuinely require it.

The HackingByte Engagement Brief

Every engagement ends in three connected artifacts.

  • Technical Report — for your engineers

  • Executive Risk Brief — for your leadership and board

  • Action Plan — prioritized, owner-assigned, and scoped to what your team can actually do

Why HackingByte.

  • Senior-only delivery.

  • Evidence over assumption.

  • Independent (no tools sold, no vendor commissions).

  • Threat-led, not checklist-led.

  • Findings scored against your business.

Founder-led.

Senior practitioners run the work; the founder owns the engagement.

HackingByte is run by Amine Cherrai — 20+ years across offensive security, GRC, and cloud security, including fintech CISO and senior compliance roles. The person who scopes your work is the person who runs it; the report you receive is the report the founder signs off.

Frequently asked questions

What does a HackingByte engagement cost?

Pricing is fixed-scope per engagement and depends on the asset surface, the standards in scope, and the depth of evidence required. Most engagements land in a mid-market range that small SaaS, growth-stage fintech, and regulated mid-market companies can plan against. Tell us what you need scoped and we will write a fixed-price proposal — no hourly billing surprises, no tool resale on top.

How is HackingByte different from a pure pen-test vendor?

Most pen-test vendors hand you a list of findings and stop. HackingByte ends every engagement with three connected artifacts — a Technical Report for engineers, an Executive Risk Brief for leadership and the board, and an Action Plan that is prioritised, owner-assigned, and scoped to what your team can actually deliver. The same senior team also runs GRC advisory and security assessments, so exploit, control gap, and business impact are written by people who can read all three.

Do you work with SaaS startups, or only enterprises?

Both — but we are most useful to companies past seed stage where threat exposure is concrete and the buyer-side security pressure is real (customer security questionnaires, an audit on the calendar, a regulator-driven scope). For very early-stage teams we usually recommend a senior-led security assessment first; for mature programmes a red team or framework-readiness engagement is often the right starting point.

Where are you based?

HackingByte is operated by HackingByte S.A.R.L., a Casablanca, Morocco company (OMPIC; ICE 384549; tax ID 001969644000056). Engagement is remote-first across the EU, UK, and Morocco, with on-site availability where scope and engagement type genuinely require it.

What standards and frameworks do you follow?

Testing aligns with PTES, OWASP WSTG, OWASP API Security Top 10, MITRE ATT&CK, NIST SP 800-115, and CIS Benchmarks as appropriate to the engagement type. Severity scoring uses CVSS with a business-impact overlay so the technical score reflects real organisational risk. GRC advisory work maps to ISO 27001 / SOC 2 / NIS 2 / DORA / GDPR. We are independent of every certification body — we do not run the audit, so our recommendations carry no agenda.

How fast can we start?

Scoping calls are usually within one working day. After scoping, most engagements kick off within 1–3 weeks depending on the asset access required (cloud provider read-only, internal network reachability, test data, change-management windows). Critical-finding escalation is committed at 4 hours during execution.

Tell us what you’re actually worried about — a deal stuck on a security review, an audit on the calendar, a board that wants assurance. We’ll tell you what we’d test first, and how we’d prove it.