Testing methodology
We follow the OWASP Web Security Testing Guide (WSTG) and the OWASP Top 10, combining automated scanning with deep manual testing across the full request/response surface, configuration and business logic.
Authentication & session management
Credential attacks, MFA bypass, password-reset and account-recovery flaws, session fixation and hijacking, and JSON Web Token (JWT) weaknesses.
Authorization & access control
Insecure direct object references (IDOR), broken object- and function-level authorization, privilege escalation and multi-tenant isolation testing.
Input validation & injection
SQL injection, cross-site scripting (XSS), server-side request forgery (SSRF), command and template injection, and insecure deserialization.
Business logic & abuse cases
Workflow and validation bypass, race conditions, mass assignment and abuse of legitimate functionality that scanners miss.
What you get
- Findings rated by severity (CVSS) with clear reproduction steps
- Developer-ready remediation guidance
- Executive summary for management and auditors
- Free remediation retest of fixed issues
FAQ
Black-box or white-box?
Both. White-box (with source/credentials) finds more, faster; we recommend it for critical apps but support black-box too.
Do you test in production or staging?
Usually a representative staging environment, with safe, agreed testing windows for production where needed.
Is a retest included?
Yes — once you remediate, we retest the reported findings and update the report.