Offensive Security · Costa Rica

Validate your defenses
against real adversaries.

We replicate real-world attack techniques against your infrastructure to find the paths that automated tools miss — before an actual threat actor does.

Start an Engagement View Services →

Red Team Operations·Adversary Simulation·Active Directory Security·Cloud Security·Web & API Pentesting·Red Team Operations·Adversary Simulation·Active Directory Security·Cloud Security·Web & API Pentesting·Red Team Operations·Adversary Simulation·Active Directory Security·Cloud Security·Web & API Pentesting·Red Team Operations·Adversary Simulation·Active Directory Security·Cloud Security·Web & API Pentesting·

The Firm

Boutique offensive security, built on practitioner-led engagements.

Orsu Enterprises is a Costa Rica-based offensive security firm offering nearshore advantage to enterprises across the Americas. Every engagement is manual, hands-on-keyboard, and scoped to your threat model. We don't resell automated scan reports.

Our Services →

4Core Specializations

100%Manual Testing

PTESMethodology Aligned

Standards & Frameworks

Our methodology is built on the Penetration Testing Execution Standard (PTES) and aligned with MITRE ATT&CK techniques, adapted to each client's threat model and regulatory environment.

PTESPenetration Testing Execution Standard

MITRE ATT&CKAdversary Tactics, Techniques & Procedures

OWASPWeb Application Security Testing Guide

NISTCybersecurity Framework

Industries

Targeted engagements for growing companies building real security programs.

01SaaS & TechnologyCloud platforms, dev pipelines, and production infrastructure.

02E-Commerce & RetailPayment systems, storefronts, and customer data environments.

03Professional ServicesConsulting firms, legal, and managed service providers.

04EducationStudent information systems, research data, and campus networks.

05Mid-Market EnterpriseGrowing companies building security programs for the first time.

Methodology

How we operate.

Built on PTES and aligned with MITRE ATT&CK, adapted to your threat model.

Phase 01

Reconnaissance

Map your attack surface. Enumerate external assets, identify exposed services, and gather intelligence before a single packet is sent.

Phase 02

Initial Access

Exploit viable entry points — misconfigured services, weak authentication, social vectors. Establish a foothold using real adversary tradecraft.

Phase 03

Lateral Movement

Pivot through your environment. Chain low-severity findings into high-impact paths toward domain admin, production databases, or sensitive systems.

Phase 04

Impact & Reporting

Demonstrate real-world impact on your critical assets and deliver a detailed report with prioritized remediation guidance aligned to your risk profile.

Leadership

Practitioner-led from the top.

Co-founder

James Hernández

Chief Executive Officer

5+ years in offensive security consulting. Specializes in Active Directory attack paths and red team operations. Has delivered security training to enterprise teams across Latin America. CRTP certified.

LinkedIn →

Co-founder

Vamsi Krishna

Chief Technology Officer

Leads offensive security operations and adversary simulation programs across web, cloud, and enterprise environments. Specializes in web application security, cloud penetration testing, and offensive methodology development. CCEP certified with hands on experience training technical teams in red team operations, attack simulation, and tradecraft execution.