Offensive security, defensive architecture, and secure web development for Raleigh, NC and the Research Triangle, from a 20-year enterprise IT shop. We test like adversaries, harden like operators, and build like engineers — because the difference between a breach and a near-miss is whoever got there first.
Real-world attack simulation against your infrastructure, web apps, and networks. We find what scanners miss — chained vulnerabilities, business-logic flaws, and the soft spots adversaries actually exploit.
Offensive SecurityComprehensive scanning and analysis with industry-leading tools, then triaged by humans who know your environment. Prioritized findings with actionable remediation — not 400-page noise reports.
Risk ManagementFirewall tuning, SIEM deployment (Security Onion, Elastic), endpoint detection, and zero-trust architecture. We lock the perimeter, instrument the interior, and make sure you'll see the breach — if it ever happens.
Defensive SecurityCustom websites and applications built security-first from line one. WordPress hardening, headers, CSP, secrets handling, dependency hygiene, and code that won't show up in a CVE next year.
DevelopmentProactive infrastructure monitoring, encrypted cloud backup with hourly snapshots, disaster recovery, and ongoing patch management. Your IT department, outsourced — without the help-desk runaround.
Managed ServicesHIPAA, PCI-DSS, and NIST framework navigation with thorough documentation. We come from healthcare IT — we know what auditors want to see, and we've helped clients pass on the first try.
ComplianceScoping call, asset inventory, threat model, and rules of engagement. We don't touch a packet until we both agree on what's in scope and what's off-limits.
Active testing — automated scanning paired with manual exploitation, chained findings, and adversary-emulation techniques drawn from current threat intel.
Executive summary plus technical findings, severity-ranked, with proof-of-concept where appropriate and remediation guidance you can hand straight to your team.
We don't just hand you a PDF and disappear. Retest after fixes, quarterly reviews, and standing access to the engineer who knows your environment.
Most security firms hand you a screenshot of an old project. We embedded a working simulation of one of our visualizations directly on this page — rendered live in your browser, no external services, no heavy frameworks. If you can imagine the dashboard, we can build it — and we mean that as a turnkey service offering, not a tagline.
What you're looking at: a simulated network mesh where green packets are legitimate traffic and pink packets are attempted intrusions. The firewall (center node) blocks most attacks — but a small fraction get through, just like in the real world. Click Launch Attack to see a coordinated burst. What this is really for: showing you that "we built a custom dashboard for your SOC" isn't a slide — it's a deliverable we ship.
gotroot.sh is the cybersecurity division of Pendergrass Consulting, a full-service IT firm built on two decades of enterprise healthcare experience — hospital networks, mission-critical infrastructure, and the kind of environments where downtime isn't an inconvenience, it's a patient outcome.
We bring that operational rigor to small businesses that can't afford a breach. No ticket systems. No junior account managers. When you call, you reach the engineer who already knows your stack — and we'd rather tell you the uncomfortable truth than the comfortable lie.
Based in Selma, NC — about 30 miles east of downtown Raleigh — we serve clients across the Research Triangle: Raleigh, Durham, Cary, Chapel Hill, Apex, Garner, Clayton, and Smithfield. On-site engagements throughout Wake and Johnston Counties; remote assessments and managed services nationally.
Twenty minutes is usually enough to figure out whether we're a fit. Tell us what's keeping you up at night and we'll tell you whether it should be — and what we'd do about it.