Independent Consultant | Cybersecurity Architect & vCISO

Currently fully booked. New engagements onboard from early 2027.Join the 2027 waitlist

Web & API
Penetration Testing

Find vulnerabilities in your application before attackers do.
Manual testing of web apps and APIs.

OWASP Web & API Top 10 · retest included · fixed price after scoping · from €2,900

This assessment is available on its own - the better path is the Retained Security Partner retainer, where you get it automatically once your security maturity is ready.

Engagement Model

Engagement options

Every formal web and API pentest uses the OWASP Web Security Testing Guide and OWASP API Security Top 10 as the baseline, with scope-specific tests added for authentication, authorization, business logic, integrations, and API design. You receive a rigorous, compliance-ready report to confidently share with your customers and stakeholders.

Option A

Official Penetration Test

Best for compliance, vendor audits, and major deployments.

  • Priced in advance from the approximate size of the application
  • Higher cost, with a dedicated testing window booked ahead
  • Needs planning so testing time can be allocated
  • Rigorous, methodology-backed report you can share

Option B

Fast-Track Consultation

Best for active development and quick reviews.

  • Fast and ad-hoc, with quick response
  • Billed by the hour, very flexible scope
  • Backed by immediate NDA signing
  • Simple, read-only system access
Inside a retainer: with a Retained Security Partner retainer you do not have to pick. I choose the right option and schedule it for you at the best time and budget, so the heavier official pentest lands when it genuinely adds value and the fast-track review covers everything in between.

Scope

What's in scope

Browser-facing web applications and the APIs behind them. We confirm which of these apply during scoping.

Web Applications

Authentication bypass, broken access control, XSS, SQL injection, and business logic flaws in browser-facing apps.

REST APIs

Auth bypass, BOLA, BFLA, injection, mass assignment attacks.

GraphQL

Introspection abuse, batching attacks, authorization bypasses, complexity limits.

WebSocket APIs

Message injection, CSRF, authentication persistence, per-message authorization checks.

Microservices

Service-to-service trust, gateway bypass, JWT flaws. On request.

Findings mapped to: OWASP Web Top 10 OWASP API Top 10

Requirements

Access and accounts I need

Required inputs
Application URL and access

For web applications: the URL and one test account per role. A non-production environment is preferred.

OpenAPI / Swagger specification

For APIs: or equivalent REST documentation. If none exists, I treat it as an undocumented API and scope accordingly.

Application logic overview

What does each endpoint do? What business process does it support? What data does it handle?

Role & permission matrix

A simple table of every user role and what each can read, write, and administer. A spreadsheet or text file is fine. See how to scope an API test for a worked example and the full checklist.

Multi-tenancy boundaries (if applicable)

Which data is isolated per organisation or user? What must never cross tenant boundaries?

Preferred (reduces testing time)
  • Dedicated test environment (separate database)
  • One test account per role (pre-created)
  • Dummy data that can be safely manipulated

Why role definitions matter

In my API work, authorization flaws (BOLA, BFLA) are among the most common severe findings. I find them by knowing what each role should access - then proving it can access things it shouldn't.

Without a role matrix, I spend time guessing your access model instead of testing vulnerabilities. That time increases the price.

Documentation quality affects price

A well-structured OpenAPI spec + role matrix = I test vulnerabilities, not map your API. Undocumented or non-standard API = additional discovery work → reflected in the final quote.

Pricing

Indicative pricing

Starting from
€2,900
exact quote after scoping
Always included
Coverage of applicable OWASP Web & API Top 10 categories
Business logic & auth flow testing
BOLA / BFLA / mass assignment checks
Executive summary for management
Technical findings with reproduction steps
One verification round after remediation - included
Debrief call with your dev team
Optional: remediation consulting (retainer)

What affects the final price

Application & API Surface

Number of pages, endpoints, roles, and protocols (web, REST, GraphQL, WebSocket). More surface = more time = higher price.

Documentation

Swagger / OpenAPI spec significantly reduces scoping time. Undocumented APIs require more reconnaissance and are priced higher.

Lead Time saves money

Booking a slot at least 3 weeks in advance allows better planning and is reflected in the quote. Urgent engagements carry a premium.

Process

How We Collaborate

01
Scoping call + documentation review

We review your API docs, role matrix, and architecture. I issue a fixed-price quote. No surprises.

02
Environment setup

You provide non-production access and one test account per role. I confirm scope and rules of engagement.

03
Manual testing

I test your API against the OWASP API Top 10 and custom scenarios derived from your role matrix and business logic.

04
Report delivery

Executive summary for management. Technical findings with reproduction steps and remediation guidance for your dev team.

05
Debrief call + verification round

We walk through findings together. After you remediate, one verification round within 14 days is included; additional rounds, major changes, or late retests are quoted separately.

A one-off assessment answers a single question. A Retained Security Partner retainer schedules these assessments for you at the best time and budget, so testing keeps pace with how your business changes.

2027 waitlist

Scope a test

Start with a free 30-minute scoping call. I'll tell you what I need, what I'll test, and what it will cost - before you commit to anything.
Currently fully booked - onboarding new engagements from early 2027. Join the waitlist and I'll be in touch as slots open.

Have questions? See the FAQ →

Prefer a steady monthly rhythm over one-off invoices? See the Retained Security Partner retainer.