VAPT · Web Application

Web pentest, manual-first.

Senior-led web-application VAPT covering the full OWASP Top 10, business-logic abuse and chained attacks. Reproducible PoCs, written remediation roadmap, and a clear path to fix.

Threat landscape

What attackers go after first

The attack classes that drive real breaches on web apps in 2026. We test for these before anything else.

Account takeover

Auth bypass, session fixation and weak reset flows are still the cheapest way into a web app.

Cross-tenant data leak

IDOR / BOLA flaws exposing one customer's records to another - the breach class your auditors hate most.

SSRF → cloud metadata

A single SSRF can pivot into IMDS, cloud creds, and full account compromise.

Stored XSS → session hijack

A persistent XSS in an admin panel turns into account takeover and worse, silently.

Business-logic abuse

Coupon stacking, race conditions, negative quantities - the bugs scanners can't find by design.

Supply-chain via deps

Outdated or compromised npm / PyPI / Maven packages quietly grant attackers code execution.

What we cover

  • OWASP Top 10 (A01-A10) coverage
  • Authentication & session attacks
  • Access control (IDOR / BOLA / BFLA)
  • Business-logic abuse scenarios
  • Crypto & secret management review
  • Input validation / output encoding

Common findings

  • SQL / NoSQL / SSTI injection
  • Cross-site scripting (stored, reflected, DOM)
  • Broken access control
  • CSRF / SSRF / clickjacking
  • Auth bypass & insecure JWT
  • File-upload & deserialization flaws

OWASP Top 10 (2021)

Coverage matrix

Every category gets at least one hypothesis-driven test. Most apps fail two or three before we even run the second day.

  • A01 Broken Access Control: every endpoint exercised with N-1 user contexts.
  • A02 Cryptographic Failures: weak ciphers, TLS, JWT signing, storage encryption.
  • A03 Injection: SQLi, NoSQLi, command, SSTI, header injection.
  • A04 Insecure Design: threat-model walkthrough with your engineers.
  • A05 Security Misconfiguration: headers, default creds, verbose errors, exposed admin.
  • A06 Vulnerable & Outdated Components: SCA + dependency manifest analysis.
  • A07 Identification & Auth Failures: brute force, enumeration, password reset abuse.
  • A08 Software & Data Integrity: deserialization, supply-chain, integrity checks.
  • A09 Security Logging & Monitoring: coverage of attack surface in customer logs.
  • A10 Server-Side Request Forgery: cloud-metadata exfil, blind SSRF, response smuggling.

Where scanners stop

Business-logic abuse

Automated tools find the obvious bugs. Business-logic flaws - the kind that lets someone buy a laptop for one rupee or read another tenant's data - take hypothesis-driven manual testing. Forty to sixty considered hypotheses per app, mapped to your workflows.

  • Coupon stacking, negative quantities, decimal-precision tricks
  • Race conditions on payment hooks or stock updates
  • Multi-tenant cross-org reads and writes
  • Workflow skipping (state-machine bypass)
  • Privilege escalation through hidden parameters
  • Trust-boundary confusion in webhooks

Tools & stack

What's in the toolbox

  • Burp Suite Pro: manual web testing IDE
  • Caido: modern HTTP proxy and analysis tool
  • OWASP ZAP: open-source DAST scanner
  • Semgrep: SAST + custom rules
  • ffuf: content + parameter fuzzing
  • sqlmap: automated SQL injection

Ungated · no email required

See what a real report looks like

24 pages, redacted from a live engagement. Executive summary, technical findings with PoCs, remediation roadmap and attestation.

  • Executive summary + technical report
  • Reproducible PoCs with screenshots
  • Remediation roadmap + retest plan
  • Letter-of-attestation appendix
~24 pages · 2.1 MB · PDF · redacted real engagement

How we work

Methodology

A repeatable five-phase process. Same depth whether it's a focused spot test or a multi-surface engagement.

01 · Recon & threat modeling

Asset discovery, app mapping, STRIDE/DREAD analysis to scope what matters.

02 · Automated baseline

Tuned SAST/DAST/scanners to clear the noise. Never the primary signal.

03 · Manual exploitation

Where the real findings live. Senior testers, real PoCs, chained attacks.

04 · Risk assessment

CVSS scoring combined with your business context - not auto-generated severities.

05 · Reporting

Executive summary + reproducible technical report + remediation roadmap.

Frameworks & standards

Mapped to the standards your auditors care about

Reports map findings to the frameworks your compliance team is already chasing. Drop-in evidence for ISO, SOC 2, PCI and DPDP audits.

  • OWASP Top 10
  • OWASP API Top 10
  • OWASP MASVS / MSTG
  • OWASP ASVS
  • PTES
  • OSSTMM
  • NIST SP 800-115
  • MITRE ATT&CK
  • CIS Benchmarks
  • PCI-DSS 4.0
  • ISO 27001 Annex A
  • SOC 2 (Common Criteria)

FAQ

Common questions

If you're evaluating multiple firms, these are the questions worth asking each of us.

How long does a typical engagement take?

A focused spot test runs 5-7 business days. Multi-surface engagements typically take 2-4 weeks depending on application complexity. We agree on a written scope before the contract - no surprise extensions.

Is testing safe to run in production?

We test in production only when staging is unavailable and only with explicit written approval, an agreed test window, and a documented rollback plan. Destructive checks (DoS, data corruption) are excluded unless specifically requested.

What certifications does your team hold?

Engagements are run by senior testers and signed off by a practice lead. We test to recognised methodologies - OWASP, PTES and the OSSTMM - and map every finding to CVSS and CWE. If your procurement process needs specific individual credentials on file, we'll share them under NDA during scoping.

Do you offer retests after we patch?

Yes - retest engagements are scoped separately, focused only on the findings you've patched. Pricing is proportional to the surface area being re-verified and we send a written scope before any work starts.

What format are the deliverables in?

PDF reports (executive summary + technical), an editable findings spreadsheet, attack-path diagrams where relevant, and a letter of attestation on request. All findings include CVSS, CWE, repro steps, and remediation guidance.

How is scope determined and priced?

After a 15-minute discovery call we send a written scope inside 48 hours - fixed-price, with clearly itemized exclusions. No hourly billing surprises, no scope creep mid-engagement.

Ready to scope your web pentest?

Tell us the URL count and the deadline - we'll come back with a written scope in under 48 hours.