Please introduce your company and describe your role within the organization.
XRAY CyberSecurity is a boutique penetration testing firm. We do one thing — deep manual pentesting — and we do it at the highest level. Our service scope covers application pentesting, infrastructure pentesting, and social engineering. Clients come to us when they need to close Enterprise deals, pass SOC 2 / ISO 27001 audits, or simply know their systems are secure before attackers prove otherwise.
As the Founder, I set the strategic direction, build the team, own client relationships, and make sure every engagement reflects the standard we promised: senior-only expertise, zero information noise in reports, and real business impact from every finding. I’m also a practicing pentester myself — I still hack. That keeps everything we do grounded in reality: our methodology, our reports, and the way we communicate risk to clients come from hands-on offensive experience, not from a marketing department.
What is your company’s core business model – do you use an in-house team, third-party vendors, or a hybrid outsourcing approach?
Strictly in-house. Every project is executed and controlled by our own senior engineers — no juniors, no subcontractors. This is a non-negotiable principle. Our clients trust us with access to the core of their business, and we don’t outsource that trust.
How does your company differentiate itself from competitors in a crowded market?
Our main competitor isn’t a specific brand — it’s the entire “checkbox security” approach. The market is flooded with automated scanners sold as pentests, large IT outsourcers assigning junior staff at senior rates, and vendors who generate 200-page PDF reports full of false positives and information noise.
We differentiate through three things. First, depth: we do manual hacking of business logic, not just running tools. We find complex attack chains that no automated scanner will ever detect. Second, business impact: we don’t just list vulnerabilities — we demonstrate full compromise scenarios and translate them into language a CEO, a board member, or an auditor can act on. Third, the deliverable itself: every engagement produces two separate outputs — an Executive Summary for decision-makers and an IT-friendly Technical Report with prioritized remediation steps. Our reports close Enterprise deals and pass audits on the first attempt — but more importantly, clients walk away knowing exactly how their product or infrastructure can be compromised in the real world and what to fix first to prevent it.
What are the primary industries or sectors you serve, and how has that focus evolved over time?
We started without a narrow specialization, and that was valuable. Early on we worked across very different industries — nuclear energy, mining, hospitality resorts, e-commerce, banking, fintech, telecom, IT companies, manufacturing. That breadth gave us deep exposure to diverse architectures and security challenges, which is a serious advantage when you’re doing offensive work.
Over time, we recognized the power of focus. Today our primary verticals are application pentesting for B2B SaaS companies and infrastructure pentesting for manufacturing. That said, from a hacker’s perspective, the underlying technologies across companies overlap significantly — business systems, security solutions, network infrastructure. The industry label changes, but the attack surface often doesn’t.
What are the most in-demand services or solutions that clients approach your company for?
It depends on the industry. SaaS companies typically come to us for web application and API penetration testing — they need to secure their product, pass SOC 2 / ISO 27001 audits, or unblock an Enterprise deal that requires an independent security assessment.
Manufacturing clients lean toward infrastructure pentesting, often in an assume-breach scenario — testing what happens when an attacker is already inside the network. Some go further and commission application pentests of the third-party SaaS platforms they rely on, to make sure every component in their ecosystem is secure, not just the ones they built.
And targeted phishing simulations and social engineering — that’s popular across all industries. Companies benefit from high-quality attack scenarios that are personalized to their organization and meticulously crafted, as if a real threat actor had spent weeks planning an attack specifically against them.
How do you personally stay ahead of industry shifts when most data is already yesterday’s news?
I don’t rely on news cycles — I see the real attack surface firsthand. When you’re actively hacking into client systems every week, you notice shifts in how companies build and configure their products and infrastructure, where teams cut corners, and which new technologies introduce blind spots. That’s a more honest signal than any industry report.
Beyond that, I invest in continuous learning — advanced certifications, private research communities, and direct conversations with CTOs and CISOs across our client base. When you’re embedded in the security posture of dozens of companies, you see patterns and emerging threats before they become conference talks.
Do you have a significant percentage of repeat clients? If so, what strategies contribute to that loyalty?
Yes, and it’s by design. But not because of clever retention tactics — because of how we work during the engagement itself.
Clients see how deeply we get involved. They see that we don’t stop at finding a vulnerability — we push to escalate it, chain it with other findings, and demonstrate the real business impact. They see the attention to detail in the report, the specificity of attack vectors tailored to their product or infrastructure, and the effort we put into making every finding actionable. That level of commitment is what makes them come back.
When a client goes through a pentest with us and walks away thinking “these people squeezed every possible scenario out of our system” — that’s not something they want to replace next year. They want to continue.
How do you measure and ensure high customer satisfaction in your operations?
We measure satisfaction at two distinct stages, because for our clients the real work starts after the pentest.
The first is right after delivery — we collect feedback and reviews when the client sees the results for the first time. This is the emotional response: the depth of findings, the clarity of the report, the overall experience of working with us.
The second is after remediation. We support the client through the fix process, consult on implementation, run the retest — and then collect feedback again. This is where we learn what matters most: were the recommendations practical enough? Was the report easy to work with for the team doing the actual fixes? Were there gaps? For application pentests, remediation can be quick. For infrastructure — it can turn into a complex, months-long project. So the quality and practicality of our reports directly determines how smoothly that process goes for the client.
This gives us a complete picture — not just “did they like the pentest,” but “did our work actually make their security better in practice.”
What kind of post-project support do you provide to address client queries or ongoing needs?
Our pentest report is already a detailed guide — every finding includes steps to replicate the attack and specific recommendations on how to fix it. After delivery, we hold a debrief meeting to walk through the results and set the right priorities.
From there, we remain available for consultations — if the client’s team needs clarification on a specific vulnerability or recommendation, we’re there to explain. That said, we don’t do the fixing ourselves. We’re not developers or integrators — the client decides how and when to implement changes. Once they’re ready, we run a retest to confirm everything is resolved correctly or flag what still needs attention.
Describe your pricing and billing structure – is it fixed cost, pay-per-milestone, or another model?
Fixed cost, transparent scope. The client knows exactly what they’re paying for before we start. No hidden fees, no surprise add-ons. The price covers the full cycle: scoping, testing, reporting, debrief, and retest.
What is the typical price range for projects you’ve handled in the past year, and how do you balance affordability with value?
Pricing depends on the type of service, the target of testing, and the scope. Let me illustrate with our application pentesting packages.
We offer three tiers: Base at €10,000 — a focused black-box and grey-box pentest with a compliance-ready report. Power at €12,000 — our flagship, covering deeper scope with multiple user roles, interim reports for critical findings, a prioritized remediation roadmap, and more hands-on support throughout the engagement. And Total at €80,000 — an annual retainer with a comprehensive initial audit (including white-box code review and infrastructure testing) followed by quarterly incremental assessments throughout the year.
Each tier delivers high-quality results — the difference is in depth and level of support, so clients can choose what fits their situation. We don’t compete on price; we compete on the business outcome. When a €12,000 pentest report unblocks a six-figure Enterprise contract or prevents a breach that would cost millions, the ROI speaks for itself.
Have you turned down projects based on budget or scope? If so, what are your minimum requirements?
Yes. We actively disqualify clients who are looking for the cheapest option on the market or who explicitly say they need “just a paper for the auditor, doesn’t matter what’s in it.” That’s not what we do. Our work requires deep immersion into the client’s environment, and we can’t deliver meaningful results if the expectation is a checkbox exercise at rock-bottom pricing.
Our minimum requirements are defined by scope. A compact application with a limited attack surface may cost less, but the approach and quality of work remain the same.
What key challenges has your company faced in the last few years, and how did you overcome them?
The first and most persistent challenge is market education. Back in the early 2010s, we were explaining to companies what penetration testing even is. We thought in ten years it would get easier. It’s been fifteen — and in many ways it’s harder. On one side, some sectors like banking and fintech have matured and understand the difference between a real pentest and a scanner report. On the other, there’s still a critical mass of businesses across industries that have never been tested once. It’s only a matter of time before they face an incident and its consequences.
And the landscape has shifted — it’s no longer just “scanner vs. pentest.” The spectrum of alternatives has grown, and everyone promises a secure future. Cutting through that noise is a constant effort. We do it through technical content that breaks down the real differences between approaches, sample reports that let prospects evaluate our work before committing, and — most importantly — through results that turn clients into advocates. A strong recommendation from a CEO, CTO, or CISO who’s been through our pentest does more than any marketing campaign.
The second challenge is data handling. Pentesting by nature requires access to sensitive environments — there’s no way around that. The challenge is building processes that minimize the risk at every step. We put significant effort into ensuring that any client data we work with has the shortest possible lifecycle — only the necessary minimum exists at any given point, and it’s removed as soon as it’s no longer needed. Strict Rules of Engagement, controlled access, and operational discipline around data are not just policies for us — they’re a core part of how we run every engagement.
How do you foster innovation and adapt to emerging trends in your industry?
Fundamentally, vulnerabilities don’t change that much. The core attack principles that worked years ago still work today. New technologies bring their own specific vulnerability types — and we handle that through continuous learning and hands-on practice — but that’s an addition to the foundation, not a replacement.
We tend to follow five-year shifts rather than momentary hypes. That doesn’t mean we use outdated tools or ignore what’s new — it means we evaluate emerging technologies through the lens of risk to the client. Take AI as an example: we study it, research it, experiment in lab environments. But we can’t hand over a pentest to an AI agent with uncontrolled access to client systems and data — it’s too immature from a security standpoint. For client engagements, our priority is the safety of their environment and the quality of results we can stand behind. We adopt what’s proven, and we test what’s promising — but we don’t experiment on client engagements.
What role does company culture play in your success, and how do you build and maintain it?
Culture defines how we work on projects and what results we deliver. For us it’s built on a few non-negotiables: proactivity, senior-only expertise, reports written for humans, not for compliance theater, and transparency about the real state of a client’s security.
How we build it — hiring is the first filter. Some candidates are an obvious mismatch and we skip them early. For others, we verify through practice whether their actual output meets our standards. How we maintain it — I personally review the quality of every engagement and course-correct when something drifts. Pentesting is inherently creative work — every system is a unique puzzle, and the best results come from people who are genuinely driven to solve it. I’m not comfortable working with people who treat this as routine or just go through the motions. That becomes obvious fast, and it’s the most reliable filter we have.
Where do you envision your company in the next 5-10 years? What are your boldest long-term goals?
We aim to become the go-to penetration testing partner for B2B SaaS companies globally — the name that comes up first in every founder community, every CTO and CISO Slack channel, every auditor recommendation. Not the biggest, but the most trusted.
Long-term, we’re expanding into high-complexity verticals like aerospace and critical infrastructure, where the depth of our approach creates the most value. The boldest goal is simple: when a company needs to know how they can actually be compromised and strengthen their security — XRAY CyberSecurity is the first name that comes to mind.
How has your leadership style evolved throughout your career, and what influences it?
I’m a hacker at heart, and every time I’ve tried to step away from hands-on work entirely, things got less interesting — and less authentic. So my leadership style evolved around keeping that balance: I still practice, I still hack, I’m the one thinking through attack strategies at a high level. That keeps me sharp and keeps our delivery grounded in reality.
At the same time, I’ve learned to trust the team and let go of things that don’t require me personally. I delegate non-core activities and focus on what I do best — offensive thinking, key client relationships, and setting the quality bar. The evolution was realizing that building a company doesn’t mean becoming a full-time manager. It means building a team you trust enough to focus on what actually matters.
What emerging technologies or market shifts are you most excited about for your company?
It’s impossible not to talk about AI here. The pace of change is rapid and radical. Attackers are using AI. Defenders are using AI. Businesses are embedding AI into everything they build. This creates both advantages and new risks from a cybersecurity perspective simultaneously.
What excites me is that while the speed, the attack surface, and the capabilities are all shifting — the fundamentals remain. Systems are still built by people, configured by people, and will have flaws that require human creativity to uncover. No matter how far AI goes, there will always be room for hackers who find a way to break what everyone else assumed was secure.
What advice would you give to aspiring leaders? Can you share one lesson from your journey that resonates with the business community?
Don’t go against your own nature trying to fit someone else’s picture of success. I’ve been through plenty of business programs and frameworks, and the one thing most of them miss is context — what works at one stage of growth may be completely irrelevant at another.
Strengthen what’s already strong, and for everything else — find people who are better at it than you and let them own it. Enjoy the daily work instead of burning out chasing a template that wasn’t made for you. The lesson I keep coming back to: understand where you are right now and apply only what accelerates you at this specific stage. Everything else is noise.