← Back to services
Web & Infrastructure
Penetration Testing
Controlled, manual attacks against your applications and networks — with real exploitation, a prioritised report and a free retest. Scope is defined per engagement during scoping; billing is either time-based or success-based per finding.
What's included
- Web applications & APIs (OWASP)
- Internal infrastructure & Active Directory
- External infrastructure & perimeter
Packages
Grey-box · OWASP
Web App & API
- Manual testing combined with tooling
- OWASP Top 10, business logic & authentication/session handling
- API security (OWASP API Top 10: BOLA/IDOR, authorization, data exposure)
- Prioritised report (CVSS) + free retest
Grey-box by default for more depth — black- or white-box on request.
success-based
Findings-based
- Same depth & methodology as fixed price — only billing differs
- Base fee + payout per confirmed finding (CVSS-tiered, no duplicates)
- Fewer findings = cheaper than a fixed-price test
- Prioritised report (CVSS) + free retest
If unexpectedly critical findings pile up, we pause promptly — only in rare cases slightly more than fixed price.
internal & external
Infrastructure
- External perimeter & exposed services
- Internal network & Active Directory attacks
- Lateral movement, privilege escalation & segmentation
- Prioritised report (CVSS) + free retest
Internal, external or combined scope — remote via VPN or on-site.
Pricing depends on scope — you'll get a concrete proposal after a short scoping call.
Ready to know your attack surface?
Tell us briefly about your project — we'll come back with a concrete proposal.
Request a first call