Currently fully booked. New engagements onboard from early 2027.Join the 2027 waitlist
Web & API
Penetration Testing
Find vulnerabilities in your application before attackers do.
Manual testing of web apps and APIs.
OWASP Web & API Top 10 · retest included · fixed price after scoping · from €2,900
This assessment is available on its own - the better path is the Retained Security Partner retainer, where you get it automatically once your security maturity is ready.
Engagement Model
Engagement options
Every formal web and API pentest uses the OWASP Web Security Testing Guide and OWASP API Security Top 10 as the baseline, with scope-specific tests added for authentication, authorization, business logic, integrations, and API design. You receive a rigorous, compliance-ready report to confidently share with your customers and stakeholders.
Option A
Official Penetration Test
Best for compliance, vendor audits, and major deployments.
- Priced in advance from the approximate size of the application
- Higher cost, with a dedicated testing window booked ahead
- Needs planning so testing time can be allocated
- Rigorous, methodology-backed report you can share
Option B
Fast-Track Consultation
Best for active development and quick reviews.
- Fast and ad-hoc, with quick response
- Billed by the hour, very flexible scope
- Backed by immediate NDA signing
- Simple, read-only system access
Scope
What's in scope
Browser-facing web applications and the APIs behind them. We confirm which of these apply during scoping.
Web Applications
Authentication bypass, broken access control, XSS, SQL injection, and business logic flaws in browser-facing apps.
REST APIs
Auth bypass, BOLA, BFLA, injection, mass assignment attacks.
GraphQL
Introspection abuse, batching attacks, authorization bypasses, complexity limits.
WebSocket APIs
Message injection, CSRF, authentication persistence, per-message authorization checks.
Microservices
Service-to-service trust, gateway bypass, JWT flaws. On request.
Requirements
Access and accounts I need
For web applications: the URL and one test account per role. A non-production environment is preferred.
For APIs: or equivalent REST documentation. If none exists, I treat it as an undocumented API and scope accordingly.
What does each endpoint do? What business process does it support? What data does it handle?
A simple table of every user role and what each can read, write, and administer. A spreadsheet or text file is fine. See how to scope an API test for a worked example and the full checklist.
Which data is isolated per organisation or user? What must never cross tenant boundaries?
- › Dedicated test environment (separate database)
- › One test account per role (pre-created)
- › Dummy data that can be safely manipulated
Why role definitions matter
In my API work, authorization flaws (BOLA, BFLA) are among the most common severe findings. I find them by knowing what each role should access - then proving it can access things it shouldn't.
Without a role matrix, I spend time guessing your access model instead of testing vulnerabilities. That time increases the price.
A well-structured OpenAPI spec + role matrix = I test vulnerabilities, not map your API. Undocumented or non-standard API = additional discovery work → reflected in the final quote.
Pricing
Indicative pricing
What affects the final price
Application & API Surface
Number of pages, endpoints, roles, and protocols (web, REST, GraphQL, WebSocket). More surface = more time = higher price.
Documentation
Swagger / OpenAPI spec significantly reduces scoping time. Undocumented APIs require more reconnaissance and are priced higher.
Lead Time saves money
Booking a slot at least 3 weeks in advance allows better planning and is reflected in the quote. Urgent engagements carry a premium.
Process
How We Collaborate
We review your API docs, role matrix, and architecture. I issue a fixed-price quote. No surprises.
You provide non-production access and one test account per role. I confirm scope and rules of engagement.
I test your API against the OWASP API Top 10 and custom scenarios derived from your role matrix and business logic.
Executive summary for management. Technical findings with reproduction steps and remediation guidance for your dev team.
We walk through findings together. After you remediate, one verification round within 14 days is included; additional rounds, major changes, or late retests are quoted separately.
A one-off assessment answers a single question. A Retained Security Partner retainer schedules these assessments for you at the best time and budget, so testing keeps pace with how your business changes.
2027 waitlist
Scope a test
Prefer a steady monthly rhythm over one-off invoices? See the Retained Security Partner retainer.