HackingByte

The cybersecurity firm that finds attack paths before adversaries do.

One senior-led firm for offensive security, GRC, and business risk advisory — every finding demonstrated, mapped to a control, and turned into a decision you can act on.

  • Senior-led delivery.
  • Vendor-independent.
  • Evidence-driven reporting.

Frameworks we work to

  • ISO 27001
  • SOC 2
  • NIST
  • CIS Controls
  • PCI DSS
  • GDPR
  • NIS 2
  • DORA

The problem we remove.

You’re not short of security reports. You’re short of a straight answer.

The pen test says "12 highs." The GRC programme says "certified." The board pack says "we’re managing it." Three vendors, three vocabularies, and no one will tell you the one thing you actually need: if a capable attacker came for you this quarter, what would they reach, what would it cost, and what should you fix first?

That translation is work — and right now you’re the one doing it, between a test report, a compliance deck, and a board meeting. HackingByte removes that work. One senior team tests what others assume, documents what others hand-wave, and advises where others stop at a finding — so exploit, control gap, and business impact finally tell the same story.

Who we work with.

Built for teams under real security pressure.

HackingByte is built for the security buyer who has to translate a pen test, a compliance programme, and a board paper into one defensible position — growth-stage and regulated organisations operating under real customer-security questionnaires, regulatory pressure, or upcoming audits, and tired of stitching three vendors together.

We engage where threat exposure is real and the stakes are operational: a deal stuck on a security review; an ISO 27001 or SOC 2 audit on the calendar; a NIS 2 or DORA scope being mapped; a cloud migration whose attack surface has outrun its controls. Senior-led, evidence-first, and grounded in real-world offensive security — not checklist box-ticking.

Engagement is remote-first across the EU, UK, and Morocco, with on-site availability when scope and engagement type genuinely require it.

The HackingByte Engagement Brief

Every engagement ends in three connected artifacts.

  1. Technical Report: for your engineers
  2. Executive Risk Brief: for your leadership and board
  3. Action Plan: prioritised, owner-assigned, and scoped to what your team can actually do

Why us

Why HackingByte.

  • Senior-only delivery.

  • Evidence over assumption.

  • Vendor-independent — no vendor commissions.

  • Threat-led, not checklist-led.

  • Findings scored against your business.

Founder-led.

Senior practitioners run the work; the founder owns the engagement.

HackingByte is run by Amine Cherrai — 20+ years across offensive security, GRC, and cloud security, including fintech CISO and senior compliance roles. The person who scopes your work is the person who runs it; the report you receive is the report the founder signs off.

Frequently asked questions

What does a HackingByte engagement cost?
Pricing is fixed-scope per engagement and depends on the asset surface, the standards in scope, and the depth of evidence required. Tell us what you need scoped and we will write a fixed-price proposal — no hourly billing surprises, and no vendor commissions colouring the advice.

How is HackingByte different from a pure pen-test vendor?
Most pen-test vendors hand you a list of findings and stop. HackingByte ends every engagement with three connected artifacts — a Technical Report for engineers, an Executive Risk Brief for leadership and the board, and an Action Plan that is prioritised, owner-assigned, and scoped to what your team can actually deliver. The same senior team also runs GRC advisory and security assessments, so exploit, control gap, and business impact are written by people who can read all three.

What kind of cybersecurity company is HackingByte?
HackingByte is a founder-led cybersecurity firm — a senior-led team that combines offensive security (penetration testing and red teaming) with GRC advisory and security assessments, plus continuous monitoring platforms. That makes it a firm you can use for the test, the control gap, and the board-level risk story at once, instead of stitching vendors together.

Do you work with startups, or only enterprises?
Both — but we are most useful to companies past the early stage where threat exposure is concrete and buyer-side security pressure is real (customer security questionnaires, an audit on the calendar, a regulator-driven scope). For very early-stage teams we usually recommend a senior-led security assessment first; for mature programmes a red team or framework-readiness engagement is often the right starting point.

Where are you based?
HackingByte is operated by HackingByte S.A.R.L., a Casablanca, Morocco company (OMPIC; RC 384549; ICE 001969644000056; IF 24851481). Engagement is remote-first across the EU, UK, and Morocco, with on-site availability where scope and engagement type genuinely require it.

What standards and frameworks do you follow?
Testing aligns with PTES, OWASP WSTG, OWASP API Security Top 10, MITRE ATT&CK, NIST SP 800-115, and CIS Benchmarks as appropriate to the engagement type. Severity scoring uses CVSS with a business-impact overlay so the technical score reflects real organisational risk. GRC advisory work maps to ISO 27001 / SOC 2 / NIS 2 / DORA / GDPR. We are independent of every certification body — we do not run the audit, so our recommendations carry no agenda.

How fast can we start?
Scoping calls are usually within one working day. After scoping, most engagements kick off within 1–3 weeks depending on the asset access required (cloud provider read-only, internal network reachability, test data, change-management windows). Critical-finding escalation is committed at 4 hours during execution.

Tell us what you’re actually worried about — a deal stuck on a security review, an audit on the calendar, a board that wants assurance. We’ll tell you what we’d test first, and how we’d prove it.